Bug 161288 - init.d VNC startup Security Enhancement - Control over X11/6000-9 vnc-java/5800-9 network bindings
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vnc
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: FC5Target
Reported: 2005-06-22 02:31 UTC by System V. Unix
Modified: 2007-11-30 22:11 UTC (History)
CC List: 1 user

Fixed In Version: 4.1.1-16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-11 11:30:50 UTC


Attachments
TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE (deleted)
2005-06-22 02:31 UTC, System V. Unix

Description System V. Unix 2005-06-22 02:31:35 UTC
Description of problem:
-----------------------
It is desired to be able to control the VNC services in such a way to only 
have the native VNC server exposed. Options are incorporated into the standard 
startup scripts to allow control over the X11 and java-vnc HTTP services 
getting exposed to the external interface (The X11 service will always be 
exposed to at least the loopback interface).

Version-Release number of selected component (if applicable):
RHAS

How reproducible:
Apply attached patch, and decide what externally-facing daemons you want 
running for VNC services.

Steps to Reproduce:
N/A - normal operation of software
  
Actual results:
---------------
Specifying VNC arguments in /etc/sysconfig/vncservers one can decide to: 

Case I: Suppresses invocation of http vnc-java/5800-9 daemons/service
VNCSERVERARGS[1]="-nohttpd" ()

Case II: Suppress invocation of X11/6000-9 listeners and vnc-java/5800-9
VNCSERVERARGS[1]="-nohttpd -nolisten tcp"

Expected results:
-----------------
One can confirm the server hardening is stricter when these options are used 
by searching for running VNC services on the first 10 screens via

'nmap -sT -p 5800-9,5900-9,6000-9'


Additional info:
Basically this patch does nothing but allow the user more flexibility to 
control the startup options to Xvnc in a better fashion than is currently done. 
The fix is for RHAS4/Fedora scripts. 

Patch:
---------CUT------------
--- etc/sysconfig/vncservers.orig	2005-03-28 02:15:49.000000000 -0800
+++ etc/sysconfig/vncservers	2005-06-21 10:55:41.148852591 -0700
@@ -11,3 +11,23 @@
 
 # VNCSERVERS="1:myusername"
 # VNCSERVERARGS[1]="-geometry 800x600"
+
+# Supress invokation of the X11 listener in Xvnc
+# via '-nolisten tcp'. This enforces no remote X connections attach
+# to the Xvnc display window. (pass through arg to Xvnc)
+# 
+# Supress invokation of the additional '-httpd' in Xvnc
+# This prevents the use of web-based clients,
+# but still allows use of native VNC clients.(arg to vncservers)
+#
+# VNCSERVERARGS[1]="-nohttpd -nolisten tcp"
+
+# Setup to allow receipt of screens, but drop vnc-http/5800-9
+
+# VNCSERVERS="1:user1 2:user2 3:user3 4:user4 5:user5"
+# VNCSERVERARGS[1]="-nohttpd"
+# VNCSERVERARGS[2]="-nohttpd"
+# VNCSERVERARGS[3]="-nohttpd"
+# VNCSERVERARGS[4]="-nohttpd"
+# VNCSERVERARGS[5]="-nohttpd"
+
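Review bot: the new comment text misspells "Suppress invocation" as "Supress invokation" on both added comment lines ("+# Supress invokation of the X11 listener in Xvnc" and "+# Supress invokation of the additional '-httpd' in Xvnc"), and the "(arg to vncservers)" parenthetical is misleading, since -nohttpd is an option consumed by the vncserver script, not by the sysconfig file; suggest "Suppress invocation ..." and "(option handled by vncserver)". The second example block says it will "drop vnc-http/5800-9" but only sets -nohttpd for displays 1 to 5, so it actually covers 5801-5805; either say so or extend the example. The hunk also ends with an added empty line ("+") after the VNCSERVERARGS[5] example, which should be dropped.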
--- usr/bin/vncserver.orig	2005-06-21 18:24:53.317270919 -0700
+++ usr/bin/vncserver	2005-06-21 18:24:50.155746724 -0700
@@ -58,6 +58,7 @@
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
+              "-nohttpd",0,
 	      "-help",0,"-h",0,"--help",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
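Review bot: the added continuation line '"-nohttpd",0,' is indented with spaces while the existing continuation line directly below it ('"-help",0,"-h",0,"--help",0);') uses a tab; match the file's existing indentation so the argument list stays aligned. Declaring -nohttpd with 0 arguments is right for a bare flag.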
@@ -78,6 +79,12 @@
 if ($opt{'-pixelformat'}) {
     $pixelformat = $opt{'-pixelformat'};
 }
+if ($opt{'-nohttpd'}) {
+    $nohttpd = 1;
+  }
+else {
+    $nohttpd = 0;
+}
 
 &CheckGeometryAndDepth();
 
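Review bot: the if/else block that sets $nohttpd is redundant and its braces are indented inconsistently with the surrounding option blocks (the closing "}" of the if branch is indented two spaces and "else" sits at column 0, unlike the -pixelformat block just above). A single assignment, e.g. `$nohttpd = $opt{'-nohttpd'} ? 1 : 0;`, gives the same result and keeps the style of the neighbouring blocks.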
@@ -135,7 +142,7 @@
 
 $cmd = "Xvnc :$displayNumber";
 $cmd .= " -desktop " . &quotedString($desktopName);
-$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles);
+$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles && ! $nohttpd);
 $cmd .= " -auth $xauthorityFile";
 $cmd .= " -geometry $geometry" if ($geometry);
 $cmd .= " -depth $depth" if ($depth);
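Review bot: the condition change is correct, but this line now silently drops a configured $vncJavaFiles and nothing nearby says why; a one-line comment above it (e.g. "-nohttpd: do not start the Java viewer HTTP listener on 5800+N") would spare the next reader a trip back to the option parsing.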
@@ -411,7 +418,7 @@
 
 sub Usage
 {
-    die("\nusage: $prog [:<number>] [-name <desktop-name>] [-depth <depth>]
\n".
+    die("\nusage: $prog [:<number>] [-nohttpd] [-name <desktop-name>] [-depth 
<depth>]\n".
 	"                 [-geometry <width>x<height>]\n".
 	"                 [-pixelformat rgbNNN|bgrNNN]\n".
 	"                 <Xvnc-options>...\n\n".
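Review bot: in both the "-" and "+" versions the die() string is split across two physical lines ("[-depth <depth>]" on one line, '\n".' on the next), which would not compile as pasted; this looks like wrapping of the inline copy rather than the source file, so the attached TGZ should be the one applied. While touching the usage text, put [-nohttpd] on its own line alongside the other options instead of lengthening the first line.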
-----------------CUT-------------------

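The check the reporter describes (decide per display which of 5800+N, 5900+N and 6000+N should be open, then scan for them) can be automated. The script below is an added example; it is not part of the bug report or of the Fedora vnc package. It parses the VNCSERVERS and VNCSERVERARGS[n] lines of an /etc/sysconfig/vncservers-style file and prints, per display, the TCP ports an Xvnc started by the init script is expected to expose, plus the nmap port list for exactly those displays. Assumptions: the standard Xvnc port layout (RFB on 5900+N always; the Java viewer HTTP server on 5800+N only when vncserver passes -httpd, which the patched script skips under -nohttpd; the X11 TCP listener on 6000+N unless -nolisten tcp is passed through to Xvnc, in which case Xvnc accepts X clients over its Unix socket only). The -nohttpd flag exists only with the patch from this bug, and the sample configuration embedded in `sample_config` is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the bug report or the vnc package): derive the
# ports each configured VNC display should expose, given the options in an
# /etc/sysconfig/vncservers-style file, and the matching nmap port spec.
#
# Assumed Xvnc port layout for display :N (standard defaults):
#   5800+N  Java viewer HTTP server   - only when vncserver passes -httpd,
#                                       skipped with -nohttpd (this bug's patch)
#   5900+N  RFB, native VNC clients   - always
#   6000+N  X11 TCP listener          - unless "-nolisten tcp" is passed to Xvnc
set -u

# Constructed sample config in the real file's syntax (example data only).
sample_config() {
    cat <<'EOF'
# VNCSERVERS="1:myusername"
VNCSERVERS="1:user1 2:user2 3:user3"
VNCSERVERARGS[1]="-geometry 800x600"
VNCSERVERARGS[2]="-nohttpd"
VNCSERVERARGS[3]="-nohttpd -nolisten tcp"
EOF
}

# vnc_servers FILE -> "1:user1 2:user2 ..." from the last uncommented VNCSERVERS= line
vnc_servers() {
    sed -n 's/^VNCSERVERS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# vnc_args FILE DISPLAY -> value of VNCSERVERARGS[DISPLAY], empty if unset
vnc_args() {
    sed -n "s/^VNCSERVERARGS\[$2]=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# expected_ports DISPLAY "ARGS" -> ascending, space-separated list of the
# TCP ports Xvnc :DISPLAY is expected to listen on with those options.
expected_ports() {
    display=$1
    args=" $2 "          # pad so whole-word matching works at the edges
    ports=""
    case "$args" in
        *" -nohttpd "*) ;;                            # Java viewer suppressed
        *) ports="$((5800 + display))" ;;
    esac
    ports="${ports:+$ports }$((5900 + display))"      # RFB is always there
    case "$args" in
        *" -nolisten tcp "*) ;;                       # no X11 TCP listener
        *) ports="$ports $((6000 + display))" ;;
    esac
    printf '%s\n' "$ports"
}

# report FILE -> one line per configured display: "DISPLAY USER PORT..."
report() {
    for entry in $(vnc_servers "$1"); do
        display=${entry%%:*}
        user=${entry#*:}
        printf '%s %s %s\n' "$display" "$user" \
            "$(expected_ports "$display" "$(vnc_args "$1" "$display")")"
    done
}

# nmap_ports FILE -> port spec spanning the lowest..highest configured display
# in each of the three ranges, e.g. "5801-5803,5901-5903,6001-6003".
# (The reporter's broader 5800-9,5900-9,6000-9 also catches stray displays.)
nmap_ports() {
    lo=""; hi=""
    for entry in $(vnc_servers "$1"); do
        d=${entry%%:*}
        if [ -z "$lo" ] || [ "$d" -lt "$lo" ]; then lo=$d; fi
        if [ -z "$hi" ] || [ "$d" -gt "$hi" ]; then hi=$d; fi
    done
    [ -n "$lo" ] || return 1
    printf '%s-%s,%s-%s,%s-%s\n' "$((5800 + lo))" "$((5800 + hi))" \
        "$((5900 + lo))" "$((5900 + hi))" "$((6000 + lo))" "$((6000 + hi))"
}

# Demo: ./vncports.sh [/etc/sysconfig/vncservers]; without an argument the
# constructed sample is used. Run the printed nmap line from another host.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); sample_config > "$cfg"; fi
report "$cfg"
printf 'verify with: nmap -sT -p %s <vnc-host>\n' "$(nmap_ports "$cfg")"
[ -n "${1:-}" ] || rm -f "$cfg"
```

Any port in the nmap output that is open but absent from the matching `report` line is a listener the configuration did not ask for (a display started by hand, or options that never reached Xvnc); any expected port that is closed means the service did not start. The X11 entry only disappears with "-nolisten tcp" in VNCSERVERARGS[n], since vncserver forwards unrecognised options to Xvnc, while "-nohttpd" is consumed by vncserver itself and takes effect only with this bug's patch applied.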
Comment 1 System V. Unix 2005-06-22 02:31:36 UTC
Created attachment 115791 [details]
TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE

