For When You Can't Have The Real Thing
[ start | index | login ]
start > Linux > x11vnc access

x11vnc access

Created by dave. Last edited by dave, 14 years and 313 days ago. Viewed 7,282 times. #1
[edit] [rdf]
labels
attachments

Problem

We have an environment where users are automatically logged in to KDE at boot time. The screen locks immediately.

This is done so that users can connect to their desktops via VNC, a facility provided by running x11vnc in inetd.conf.

We changed from having the home directories locally to home directories automounted on NFS from a central file server. Now x11vnc fails to work; VNC connections fail immediately.

Turning on logging in x11vnc yields the following error:

22/05/2009 10:59:56 x11vnc version: 0.8.2 lastmod: 2006-07-12
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

22/05/2009 10:59:56 *************************************** 22/05/2009 10:59:56 *** XOpenDisplay failed (:0)

*** x11vnc was unable to open the X DISPLAY: ":0", it cannot continue. *** There may be "Xlib:" error messages above with details about the failure.

What's going on

x11vnc is invoked by inetd as root because it needs root privileges to connect to the X display. The problem is, when kdm starts the autologin, it has the X display write the Xauthority to the user's home directory (~/.Xauthority) with permissions 600. And since the home directory is now on NFS, and we don't permit arbitrary root access to the NFS file systems… x11vnc can no longer read the .Xauthority file.

Solution

In /etc/inetd.conf:

5900 stream  tcp  nowait  root  /usr/sbin/tcpd /usr/local/bin/run-x11vnc /etc/x11vnc.remote.user.conf

/usr/local/sbin/run-x11vnc:

#!/bin/bash
su - USER -c "chmod 604 /home/USER/.Xauthority"
/usr/bin/x11vnc -rc $1

Discussion

Yes, this is horribly insecure.

You can't do a one-time chmod because the file is re-created and/or permissions re-applied when kdm logs the user in the next time the system is booted.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt