Problem
We have an environment where users are automatically logged in to KDE at boot time. The screen locks immediately.
This is done so that users can connect to their desktops via VNC, which is provided by running x11vnc from inetd (configured in inetd.conf).
We changed from having the home directories locally to home directories automounted on NFS from a central file server. Now x11vnc fails to work; VNC connections fail immediately.
Turning on logging in x11vnc yields the following error:
22/05/2009 10:59:56 x11vnc version: 0.8.2 lastmod: 2006-07-12
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
22/05/2009 10:59:56 ***************************************
22/05/2009 10:59:56 *** XOpenDisplay failed (:0)
*** x11vnc was unable to open the X DISPLAY: ":0", it cannot continue.
*** There may be "Xlib:" error messages above with details about the failure.
What's going on
x11vnc is invoked by inetd as root because it needs root privileges to connect to the X display. The problem is that when kdm starts the autologin, the X authority file is written to the user's home directory (~/.Xauthority) with permissions 600. Since the home directory is now on NFS, and we don't permit arbitrary root access to the NFS file systems… x11vnc can no longer read the .Xauthority file.
Solution
In /etc/inetd.conf:
5900 stream tcp nowait root /usr/sbin/tcpd /usr/local/bin/run-x11vnc /etc/x11vnc.remote.user.conf
/usr/local/bin/run-x11vnc:
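#!/bin/bash
# As the user (root cannot touch the NFS home), open the X authority file to "other" so root can read it.
su - USER -c "chmod 604 /home/USER/.Xauthority"
# $1 is the x11vnc rc file passed on the inetd.conf line.
/usr/bin/x11vnc -rc "$1"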
Discussion
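Yes, this is horribly insecure: mode 604 makes the user's X authority cookie readable by every other account that can reach the home directory, and that cookie is what authorizes connections to the X display.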
You can't do a one-time chmod because the file is re-created and/or permissions re-applied when kdm logs the user in the next time the system is booted.
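A less exposed variant of the wrapper, as an added example that is not part of the original post: the desktop user reads the cookie file over NFS and root keeps a mode-600 copy on local disk, so ~/.Xauthority can stay at 600 and the copy is refreshed on every connection. DESKTOP_USER, STAGE_DIR and the stage_xauth helper are hypothetical names, USER is the same placeholder as above, and x11vnc's -auth option is used to point it at the copy.

```shell
#!/bin/bash
# Added example: stage the X authority cookie in a root-only local file
# instead of making ~/.Xauthority world-readable.
DESKTOP_USER="${DESKTOP_USER:-USER}"        # placeholder, as in the original script
STAGE_DIR="${STAGE_DIR:-/var/run/x11vnc}"   # assumed local (non-NFS) directory

# stage_xauth DEST CMD...
# Run CMD, which must print the Xauthority bytes on stdout, and store the
# output in DEST with mode 600. DEST is only replaced if CMD succeeded and
# produced data, so a failed read never leaves a truncated cookie file.
stage_xauth() {
    dest="$1"; shift
    (
        umask 077
        tmp="$(mktemp "${dest}.XXXXXX")" || exit 1
        if "$@" > "$tmp" && [ -s "$tmp" ]; then
            mv -f "$tmp" "$dest"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

main() {
    mkdir -p -m 700 "$STAGE_DIR" || exit 1
    # The user, not root, opens the file on NFS; root only sees the bytes on
    # a pipe. No login shell ("su -"), so profile scripts cannot write into
    # the pipe and corrupt the copy.
    stage_xauth "$STAGE_DIR/Xauthority" \
        su "$DESKTOP_USER" -c "cat /home/$DESKTOP_USER/.Xauthority" || exit 1
    exec /usr/bin/x11vnc -auth "$STAGE_DIR/Xauthority" -rc "$1"
}

# inetd passes the rc file as $1; without it nothing is started.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

The inetd.conf line stays as it is; only the wrapper script changes.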