diff --git a/SOURCES/HOWTO.md b/SOURCES/HOWTO.md new file mode 100644 index 0000000..28b710d --- /dev/null +++ b/SOURCES/HOWTO.md @@ -0,0 +1,110 @@ +# What has changed +The previous Tigervnc versions had a wrapper script called `vncserver` which +could be run as a user manually to start *Xvnc* process. The usage was quite +simple as you just run +``` +$ vncserver :x [vncserver options] [Xvnc options] +``` +and that was it. While this was working just fine, there were issues when users +wanted to start a Tigervnc server using *systemd*. For these reasons things were +completely changed and there is now a new way how this all is supposed to work. + + # How to start Tigervnc server +  +## Add a user mapping +With this you can map a user to a particular port. The mapping should be done in +`/etc/tigervnc/vncserver.users` configuration file. It should be pretty +straightforward once you open the file as there are some examples, but basically +the mapping is in form +``` +:x=user +``` +For example you can have +``` +:1=test +:2=vncuser +``` + +## Configure Xvnc options +To configure Xvnc parameters, you need to go to the same directory where you did +the user mapping and open `vncserver-config-defaults` configuration file. This +file is for the default Xvnc configuration and will be applied to every user +unless any of the following applies: +* The user has its own configuration in `$HOME/.vnc/config` +* The same option with different value is configured in +  `vncserver-config-mandatory` configuration file, which replaces the default +  configuration and has even a higher priority than the per-user configuration. +  This option is for system administrators when they want to force particular +  *Xvnc* options. + +Format of the configuration file is also quite simple as the configuration is +in form of +``` +option=value +option +``` +for example +``` +session=gnome +securitytypes=vncauth,tlsvnc +desktop=sandbox +geometry=2000x1200 +localhost +alwaysshared +``` +### Note: +There is one important option you need to set and that option is the session you +want to start. E.g when you want to start GNOME desktop, then you have to use +``` +session=gnome +``` +which should match the name of a session desktop file from `/usr/share/xsessions` +directory. + +## Set VNC password +You need to set a password for each user in order to be able to start the +Tigervnc server. In order to create a password, you just run +``` +$ vncpasswd +``` +as the user you will be starting the server for. +### Note: +If you were using Tigervnc before for your user and you already created a +password, then you will have to make sure the `$HOME/.vnc` folder created by +`vncpasswd` will have the correct *SELinux* context. You either can delete this +folder and recreate it again by creating the password one more time, or +alternatively you can run +``` +$ restorecon -RFv /home//.vnc +``` + +## Start the Tigervnc server +Finally you can start the server using systemd service. To do so just run +``` +$ systemctl start vncserver@:x +``` +as root or +``` +$ sudo systemctl start vncserver@:x +``` +as a regular user in case it has permissions to run `sudo`. Don't forget to +replace the `:x` by the actual number you configured in the user mapping file. +Following our example by running +``` +$ systemctl start vncserver@:1 +``` +you will start a Tigervnc server for user `test` with a GNOME session. + +### Note: +If you were previously using Tigervnc and you were used to start it using +*systemd* then you will need to remove previous *systemd* configuration files, +those you most likely copied to `/etc/systemd/system/vncserver@.service`, +otherwise this service file will be preferred over the new one installed with +latest Tigervnc. + +# Limitations +You will not be able to start a Tigervnc server for a user who is already +logged into a graphical session. Avoid running the server as the `root` user as +it's not a safe thing to do. While running the server as the `root` should work +in general, it's not recommended to do so and there might be some things which +are not working properly. diff --git a/SOURCES/tigervnc-remove-trailing-spaces-in-user-name.patch b/SOURCES/tigervnc-remove-trailing-spaces-in-user-name.patch new file mode 100644 index 0000000..da47b03 --- /dev/null +++ b/SOURCES/tigervnc-remove-trailing-spaces-in-user-name.patch @@ -0,0 +1,26 @@ +From 989491eb4b325f980e94d27e0ad1a7bee63b6ebd Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Fri, 3 Jul 2020 13:56:35 +0200 +Subject: [PATCH] Remove trailing spaces in user name + +It's quite easy to make a mistake and add an additional space when configuring +users in the vncserver.users config file. You will then get an error that the +user doesn't exist and it's hard to spot the mistake. Same applies for a space +before the display number. +--- + unix/vncserver/vncsession-start.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unix/vncserver/vncsession-start.in b/unix/vncserver/vncsession-start.in +index b20fcdd97..65ee0a81c 100644 +--- a/unix/vncserver/vncsession-start.in ++++ b/unix/vncserver/vncsession-start.in +@@ -33,7 +33,7 @@ fi + + DISPLAY="$1" + +-USER=`grep "^${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2-` ++USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'` + + if [ -z "${USER}" ]; then + echo "No user configured for display ${DISPLAY}" >&2 diff --git a/SOURCES/tigervnc-systemd-support.patch b/SOURCES/tigervnc-systemd-support.patch index 5db9320..3b56cd8 100644 --- a/SOURCES/tigervnc-systemd-support.patch +++ b/SOURCES/tigervnc-systemd-support.patch @@ -599,7 +599,7 @@ index 0000000..904a2d5 + install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc new file mode 100644 -index 0000000..cd8b411 +index 0000000..121cdd2 --- /dev/null +++ b/unix/vncserver/selinux/vncsession.fc @@ -0,0 +1,26 @@ @@ -622,8 +622,8 @@ index 0000000..cd8b411 +# USA. +# + -+HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_session_home_t,s0) -+HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_session_home_t,s0) ++HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) + +/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0) +/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0) @@ -638,10 +638,10 @@ index 0000000..3eb6a30 +## diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te new file mode 100644 -index 0000000..af57994 +index 0000000..941f28d --- /dev/null +++ b/unix/vncserver/selinux/vncsession.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,67 @@ +# +# Copyright 2018-2020 Pierre Ossman for Cendio AB +# @@ -660,60 +660,55 @@ index 0000000..af57994 +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. +# -+ ++ +policy_module(vncsession, 1.0.0); -+ ++ +gen_require(` + type unconfined_t; ++ type xdm_home_t; +') -+ ++ +type vnc_session_exec_t; +corecmd_executable_file(vnc_session_exec_t) +type vnc_session_t; +init_daemon_domain(vnc_session_t, vnc_session_exec_t) +auth_login_pgm_domain(vnc_session_t) -+ -+type vnc_session_home_t; -+userdom_user_home_content(vnc_session_home_t) -+ ++ +type vnc_session_var_run_t; +files_pid_file(vnc_session_var_run_t) +allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; +files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) -+ ++ +auth_write_login_records(vnc_session_t) -+ ++ +can_exec(vnc_session_t, vnc_session_exec_t) -+ ++ +userdom_spec_domtrans_all_users(vnc_session_t) +userdom_signal_all_users(vnc_session_t) -+ ++ +allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource }; +allow vnc_session_t self:process { getcap setsched setexec setrlimit }; +allow vnc_session_t self:fifo_file rw_fifo_file_perms; -+ -+manage_files_pattern(vnc_session_t, vnc_session_home_t, vnc_session_home_t) -+manage_fifo_files_pattern(vnc_session_t, vnc_session_home_t, vnc_session_home_t) -+manage_sock_files_pattern(vnc_session_t, vnc_session_home_t, vnc_session_home_t) -+manage_lnk_files_pattern(vnc_session_t, vnc_session_home_t, vnc_session_home_t) -+userdom_user_home_dir_filetrans(vnc_session_t, vnc_session_home_t, {file dir}) -+userdom_user_home_content_filetrans(vnc_session_t, vnc_session_home_t, {file dir}) -+userdom_admin_home_dir_filetrans(vnc_session_t, vnc_session_home_t, dir, ".vnc") -+userdom_admin_home_dir_filetrans(unconfined_t, vnc_session_home_t, dir, ".vnc") -+ ++ ++manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) ++manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) ++manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) ++manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) ++ ++userdom_user_home_dir_filetrans(unconfined_t, xdm_home_t, dir, ".vnc") ++userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") ++ ++userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") ++userdom_admin_home_dir_filetrans(unconfined_t, xdm_home_t, dir, ".vnc") ++ +miscfiles_read_localization(vnc_session_t) -+ ++ +kernel_read_kernel_sysctls(vnc_session_t) -+ ++ +logging_append_all_logs(vnc_session_t) -+ ++ +mcs_process_set_categories(vnc_session_t) +mcs_killall(vnc_session_t) -+ -+# To create the log file in the user home directory -+allow vnc_session_t file_type:dir search_dir_perms; -+#userdom_manage_user_home_content_dirs(vnc_session_t) -+#userdom_manage_user_home_content_files(vnc_session_t) diff --git a/unix/vncserver/tigervnc.pam b/unix/vncserver/tigervnc.pam new file mode 100644 index 0000000..0f4cb3a diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index eb8761f..a096dbe 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.10.1 -Release: 2%{?dist} +Release: 6%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -12,6 +12,7 @@ Source0: %{name}-%{version}.tar.gz Source1: xvnc.service Source2: xvnc.socket Source3: 10-libvnc.conf +Source4: HOWTO.md Patch2: tigervnc-getmaster.patch Patch5: tigervnc-cursor.patch @@ -25,6 +26,7 @@ Patch14: tigervnc-provide-correct-dimensions-for-xshm-setup.patch # Upstream patches Patch50: tigervnc-systemd-support.patch +Patch51: tigervnc-remove-trailing-spaces-in-user-name.patch # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch @@ -185,6 +187,7 @@ mkdir vncserver popd %patch50 -p1 -b .tigervnc-systemd-support +%patch51 -p1 -b .remove-trailing-spaces-in-user-name %build %ifarch sparcv9 sparc64 s390 s390x @@ -232,7 +235,6 @@ popd %install %make_install -rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT} pushd unix/xserver/hw/vnc make install DESTDIR=%{buildroot} @@ -256,6 +258,14 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps done popd +# Install a replacement for /usr/bin/vncserver which will tell the user to read the +# HOWTO.md file +cat < %{buildroot}/%{_bindir}/vncserver +#!/bin/bash +echo "vncserver has been replaced by a systemd unit." +echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." +EOF +chmod +x %{buildroot}/%{_bindir}/vncserver %find_lang %{name} %{name}.lang @@ -269,6 +279,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf %endif +install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md + %post server %systemd_post xvnc.service %systemd_post xvnc.socket @@ -313,12 +325,14 @@ fi %{_unitdir}/xvnc@.service %{_unitdir}/xvnc.socket %{_bindir}/x0vncserver +%{_bindir}/vncserver %{_sbindir}/vncsession %{_libexecdir}/vncserver %{_libexecdir}/vncsession-start %{_mandir}/man1/x0vncserver.1* %{_mandir}/man8/vncserver.8* %{_mandir}/man8/vncsession.8* +%{_docdir}/tigervnc/HOWTO.md %files server-minimal %{_bindir}/vncconfig @@ -345,6 +359,23 @@ fi %changelog +* Fri Jul 03 2020 Jan Grulich - 1.10.1-6 +- Remove trailing spaces in user name + Resolves: bz#1852432 + +* Thu Jun 25 2020 Jan Grulich - 1.10.1-5 +- Install the HOWTO file to correct location +- Add /usr/bin/vncserver file informing users to read the HOWTO.md file + Resolves: bz#1790443 + +* Mon Jun 15 2020 Jan Grulich - 1.10.1-4 +- Improve SELinux policy + Resolves: bz#1790443 + +* Mon Jun 15 2020 Jan Grulich - 1.10.1-3 +- Add a HOWTO.md file with instructions how to start VNC server + Resolves: bz#1790443 + * Tue May 26 2020 Jan Grulich - 1.10.1-2 - Make the systemd service run also for root user Resolves: bz#1790443