From 172310c1f306f0998e7858d0f7eed33238f4149ba6070b5acae2e06df0804154 Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Thu, 16 Jun 2016 13:28:37 +0000
Subject: [PATCH] - Generate VNC key and certificate on first use, not during installation. (bnc#982349)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=90
---
 tigervnc.changes | 7 +++++++
 tigervnc.spec | 25 ++++++++++---------------
 vnc.xinetd | 24 ++++++++++++------------
 with-vnc-key.sh | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 27 deletions(-)
 create mode 100644 with-vnc-key.sh
diff --git a/tigervnc.changes b/tigervnc.changes
index 96c5540..c0a3657 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 16 13:17:15 UTC 2016 - msrb@suse.com
+
+- Generate VNC key and certificate on first use, not during
+ installation. (bnc#982349)
+
 -------------------------------------------------------------------
 Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com
@@ -5,6 +11,7 @@ Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com
 * Fix zlib stream reset in tight encoding. (bnc#963417)
 -------------------------------------------------------------------
+>>>>>>> ./tigervnc.changes.rb2c0921742fcc34e855cefa0bc741324
 Tue May 24 12:46:07 UTC 2016 - msrb@suse.com
 - Add /etc/pam.d/vnc configuration and add vnc user to shadow
diff --git a/tigervnc.spec b/tigervnc.spec
index 80fbac6..dce26e6 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -108,6 +108,7 @@ Source7: vnc_inetd_httpd
 Source8: vnc.reg
 Source9: vncpasswd.arg
 Source10: vnc.pam
+Source11: with-vnc-key.sh
 Patch1: tigervnc-newfbsize.patch
 Patch2: tigervnc-clean-pressed-key-on-exit.patch
 Patch3: u_tigervnc-ignore-epipe-on-write.patch
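Review bot: The second tigervnc.changes hunk commits a leftover merge-conflict marker, `+>>>>>>> ./tigervnc.changes.rb2c0921742fcc34e855cefa0bc741324`, between the Jun 13 and May 24 entries. Nothing in the commit message accounts for it and it looks like an artefact of resolving the OBS changes file, so the line should be dropped before this is shipped; left in place, the changelog parser will treat it as part of the Jun 13 entry. The new Jun 16 entry itself reads fine.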
@@ -130,10 +131,10 @@ it attempts to maintain a common look and feel and re-use components, where poss
 TigerVNC also provides extensions for advanced authentication methods and TLS encryption.
 %package -n xorg-x11-Xvnc
-# Needed to generate certificates
-Requires(post): openssl
 Requires(post): /usr/sbin/useradd
 Requires(post): /usr/sbin/groupadd
+# Needed to generate certificates
+Requires: openssl
 # Needed to serve java applet
 Requires: icewm
 Requires: python
@@ -144,6 +145,7 @@ Requires: xinit
 Requires: xkbcomp
 Requires: xkeyboard-config
 Requires: xorg-x11-fonts-core
+Provides: xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh
 Summary: TigerVNC implementation of Xvnc
 Group: System/X11/Servers/XF86_4
@@ -257,6 +259,9 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/ma
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/vnc
+install -D -m 755 %{SOURCE11} $RPM_BUILD_ROOT%{_libexecdir}/vnc
+
 rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-*
 %find_lang '%{name}'
@@ -266,18 +271,6 @@ getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup} || :
 getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser} || :
 usermod -G shadow -a %{vncuser} || :
-%post -n xorg-x11-Xvnc
-if ! test -e %{tlskey} ; then
- (umask 077 && openssl genrsa -out %{tlskey} 2048)
- chown %{vncuser}:%{vncgroup} %{tlskey}
-fi
-if ! test -e %{tlscert} ; then
- cn="Automatically generated certificate for the VNC service"
- openssl req -new -x509 -extensions usr_cert \
- -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
- chown %{vncuser}:%{vncgroup} %{tlscert}
-fi
-
 %post
 %if 0%{?suse_version} >= 1315
 %_sbindir/update-alternatives \
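Review bot: `Provides: xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh` hard-codes `/usr/lib`, while the `%install` hunk puts the wrapper under `%{_libexecdir}/vnc` and the vnc.xinetd hunks later in this patch also expect the literal `/usr/lib/vnc/with-vnc-key.sh`. That only lines up as long as `%{_libexecdir}` expands to `/usr/lib`; if it ever changes, every xinetd service points at a missing `server` and fails at connect time with nothing in the package flagging it. Either install to a literal `/usr/lib/vnc` as well, or write `Provides: xorg-x11-Xvnc:%{_libexecdir}/vnc/with-vnc-key.sh` and substitute the same macro into vnc.xinetd with sed during `%install`. Dropping the `%post` key generation also means the key is now created by whatever user xinetd runs the wrapper as rather than by root, which is why the plain `Requires: openssl` in the first hunk is the right scope for the dependency.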
@@ -360,10 +353,12 @@ fi
 %doc java/com/tigervnc/vncviewer/README
 %{_datadir}/vnc
-%dir %{_sysconfdir}/vnc
+%dir %attr(0755,%{vncuser},%{vncuser}) %{_sysconfdir}/vnc
 %ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey}
 %ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert}
+%{_libexecdir}/vnc
+
 %files -n libXvnc1
 %defattr(-,root,root)
 %{_libdir}/libXvnc.so.1*
diff --git a/vnc.xinetd b/vnc.xinetd
index d683da5..a42b1fd 100644
--- a/vnc.xinetd
+++ b/vnc.xinetd
@@ -9,8 +9,8 @@ service vnc1
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/Xvnc
- server_args = -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 disable = yes
 }
 # default: off
@@ -24,8 +24,8 @@ service vnc2
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/Xvnc
- server_args = -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 disable = yes
 }
 # default: off
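Review bot: `%dir %attr(0755,%{vncuser},%{vncuser}) %{_sysconfdir}/vnc` uses `%{vncuser}` as the group, but the `%pre` hunk earlier in this patch creates the account with `useradd -r -g %{vncgroup}`, so the directory's group only matches the account's primary group when the two macros happen to be equal; it should read `%dir %attr(0755,%{vncuser},%{vncgroup}) %{_sysconfdir}/vnc` (the neighbouring `%ghost` lines have the same mismatch, but this commit does not touch them). Handing the directory to the service user is what lets the wrapper create the key without root, and it also means anything running as that user can replace tls.key and tls.cert and with them the server's TLS identity. A comment on the `%dir` line recording that this is deliberate, e.g. `# writable by the service user: with-vnc-key.sh generates the TLS key on first connection`, would stop a later hardening pass from reverting it.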
@@ -39,8 +39,8 @@ service vnc3
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/Xvnc
- server_args = -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 disable = yes
 }
 # default: off
@@ -54,8 +54,8 @@ service vnchttpd1
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/vnc_inetd_httpd
- server_args = 1024 768 5901
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/vnc_inetd_httpd 1024 768 5901
 disable = yes
 }
 # default: off
@@ -69,8 +69,8 @@ service vnchttpd2
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/vnc_inetd_httpd
- server_args = 1280 1024 5902
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/vnc_inetd_httpd 1280 1024 5902
 disable = yes
 }
 # default: off
@@ -84,7 +84,7 @@ service vnchttpd3
 protocol = tcp
 wait = no
 user = vnc
- server = /usr/bin/vnc_inetd_httpd
- server_args = 1600 1200 5903
+ server = /usr/lib/vnc/with-vnc-key.sh
+ server_args = /usr/bin/vnc_inetd_httpd 1600 1200 5903
 disable = yes
 }
diff --git a/with-vnc-key.sh b/with-vnc-key.sh
new file mode 100644
index 0000000..14a43f6
--- /dev/null
+++ b/with-vnc-key.sh
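Review bot: The rewritten `server_args` for vnc1–vnc3 still offer `-securitytypes X509None,None`, so a client, or an active attacker that strips X509None from the server's offered list, can fall back to an unencrypted session even though this patch goes to some lengths to guarantee that TLS material exists before Xvnc starts. If the plaintext fallback is kept on purpose for old viewers it deserves a comment in the file; otherwise `-securitytypes X509None` on each of the three lines closes the downgrade, and the XDMCP login behind `-query localhost` still gates the desktop either way. The setting is carried over from the old lines rather than introduced here, so it can reasonably be a follow-up. For the vnchttpd services, wrapping `vnc_inetd_httpd` in with-vnc-key.sh only makes sense if the applet server itself needs the key on disk; if it does not, the wrapper just adds the first-connection key generation latency to applet downloads, which is worth a one-line comment either way.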
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command.
+
+
+TLSKEY=/etc/vnc/tls.key
+TLSCERT=/etc/vnc/tls.cert
+
+
+if test -s $TLSKEY -a -s $TLSCERT; then
+ # Execute the command we were given.
+ exec "$@"
+fi
+
+(
+ # Wait for lock on the key file. We must not proceed while someone else is creating it.
+ flock 200
+
+ # If the key file doesn't exist or has zero size (because it doubles as lock), generate it.
+ if ! test -s $TLSKEY ; then
+ (umask 077 && openssl genrsa -out $TLSKEY 2048) >&200
+ chown vnc:vnc $TLSKEY
+ fi
+
+ # If the cert file doesn't exist, generate it.
+ if ! test -e $TLSCERT ; then
+ CN="Automatically generated certificate for the VNC service"
+ openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
+ chown vnc:vnc $TLSCERT
+ fi
+
+) 200>>$TLSKEY 2>/dev/null
+
+# Execute the command we were given.
+exec "$@"
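Review bot: The private key ends up world-readable: `) 200>>$TLSKEY` creates tls.key in the outer shell under whatever umask xinetd hands the service (022 unless configured otherwise), the `umask 077` inside the subshell only governs files created after it, `openssl genrsa -out` truncates the existing 0644 file in place, and `chown vnc:vnc` does not touch the mode — a regression from the removed `%post`, where openssl created the file itself under `umask 077`. Two smaller defects sit in the same block: `>&200` sends openssl's stdout into the key file through the lock descriptor (it needs to leave the client socket, but should go to /dev/null), and the cert branch tests `-e` while the fast path tests `-s`, so a zero-length tls.cert left by an interrupted run is never regenerated and every later connection execs Xvnc with an empty cert. Setting the umask before the redirect (scoped so the exec'd Xvnc keeps the inherited one), forcing the modes explicitly and using `-s` in both tests fixes all three; the blanket `2>/dev/null` also hides every openssl failure, which is worth routing through `logger -t with-vnc-key` instead. The rewritten locking block follows.
```shell
TLSKEY=/etc/vnc/tls.key
TLSCERT=/etc/vnc/tls.cert

# … unchanged: fast path exec when both files are non-empty …

# The lock redirect creates $TLSKEY before the key is written, so the
# restrictive umask must already be in effect there. Keep it in a subshell
# so the command exec'ed below still inherits the caller's umask.
(
umask 077
(
    flock 200

    if ! test -s "$TLSKEY" ; then
        # stdout is the client socket under inetd: discard it rather than
        # appending it to the key file through fd 200.
        openssl genrsa -out "$TLSKEY" 2048 >/dev/null
        chmod 0600 "$TLSKEY"
        chown vnc:vnc "$TLSKEY"
    fi

    # -s, not -e: an empty cert left by an interrupted run must be regenerated,
    # otherwise the fast path above rejects it on every connection.
    if ! test -s "$TLSCERT" ; then
        CN="Automatically generated certificate for the VNC service"
        openssl req -new -x509 -extensions usr_cert -key "$TLSKEY" -out "$TLSCERT" -days 7305 -subj "/CN=$CN/" >/dev/null
        # the spec ships the cert as %ghost 0644; umask 077 would leave it 0600
        chmod 0644 "$TLSCERT"
        chown vnc:vnc "$TLSCERT"
    fi
) 200>>"$TLSKEY" 2>/dev/null
)

# … unchanged: final exec "$@" …
```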