diff options
Diffstat (limited to 'x11vnc/misc/desktop.cgi')
| -rwxr-xr-x | x11vnc/misc/desktop.cgi | 1550 |
1 files changed, 0 insertions, 1550 deletions
diff --git a/x11vnc/misc/desktop.cgi b/x11vnc/misc/desktop.cgi deleted file mode 100755 index d99a39c..0000000 --- a/x11vnc/misc/desktop.cgi +++ /dev/null @@ -1,1550 +0,0 @@ -#!/usr/bin/perl -# -########################################################################## -# desktop.cgi: -# -# This is an example CGI script to provide multi-user web access to -# x11vnc desktops. The user desktop sessions run in 'Xvfb' displays -# that are created automatically. -# -# This script should/must be served by an HTTPS (i.e. SSL) webserver, -# otherwise the unix and vnc passwords would be sent over the network -# unencrypted (see below to disable if you really want to.) -# -# The Java VNC Viewer applet connections are encrypted by SSL as well. -# -# You can use this script to provide unix users desktops available on -# demand via any Java enabled web browser. One could also use this for -# a special-purpose 'single application' service running in a minimal -# window manager. -# -# One example of a special-purpose application would be a scientific -# data visualization tool running on a server where the data is housed. -# To do this set $x11vnc_extra_opts = '-env FD_PROG=/path/to/app/launcher' -# where the program launches your special purpose application. A very -# simple example: '-env FD_PROG=/usr/bin/xclock' -# -# -# Depending on where you place this script, the user accesses the service -# with the URL: -# -# https://your.webserver.net/cgi-bin/desktop.cgi -# -# Then they login with their unix username and password to get their -# own desktop session. -# -# If the user has an existing desktop it is connected to directly, -# otherwise a new session is created inside an Xvfb display and then -# connected to by VNC. -# -# It is possible to do port redirection to other machines running SSL -# enabled VNC servers (see below.) This script does not start the VNC -# servers on the other machines, although with some extra rigging you -# should be able to do that as well. -# -# You can customize the login procedure to whatever you want by modifying -# this script, or by using ideas in this script write your own PHP, -# (for example), script. -# -########################################################################## -# Overriding default settings: -# -# If you want to override any settings in this script and do not -# want to edit this script create the assignments in a file named -# 'desktop.cgi.conf' in the same directory as desktop.cgi. It will be -# sourced after the defaults are set. The format of desktop.cgi.conf -# is simply perl statements that make the assignments. -# -# For example, if you put something like this in desktop.cgi.conf: -# -# $x11vnc = '/usr/local/bin/x11vnc'; -# -# that will set the path to the x11vnc binary to that location. Look at -# the settings below for the other variables that you can modify, for -# example one could set $allowed_users_file. -# -########################################################################## -# x11vnc: -# -# You need to install x11vnc or otherwise have it available. It is -# REQUIRED that you use x11vnc 0.9.10 or later. It won't work with -# earlier versions. See below the $x11vnc parameter that you can set -# to the full path to x11vnc. -# -########################################################################## -# Xvfb: -# -# Note that the x11vnc -create virtual desktop service used below requires -# that you install the 'Xvfb' program. On debian this is currently done -# via 'apt-get install xvfb'. -# -# If you are having trouble getting 'x11vnc -create' to work with this -# script (it can be tricky), try it manually and/or see the x11vnc FAQ -# links below. -# -########################################################################## -# Apache httpd: -# -# You should put this script in, say, a cgi-bin directory. Enable cgi -# scripts in your apache (or other httpd) config. For example, we have -# these lines (not commented): -# -# In httpd.conf: -# -# ScriptAlias /cgi-bin/ "/dist/apache/2.0/cgi-bin/" -# -# <Directory "/dist/apache/2.0/cgi-bin"> -# AllowOverride None -# Options None -# Order allow,deny -# Allow from all -# </Directory> -# -# and in ssl.conf: -# -# <Directory "/dist/apache/2.0/cgi-bin"> -# SSLOptions +StdEnvVars -# </Directory> -# -# Do not be confused by the non-standard /dist/apache/2.0 apache -# installation location that we happen to use. Yours will be different. -# -# You can test that you have CGI scripts working properly with the -# 'test-cgi' and 'printenv' scripts apache provides. -# -# Copy this file (desktop.cgi) to /dist/apache/2.0/cgi-bin and then run -# 'chmod 755 ...' on it to make it executable. -# -########################################################################## -# Applet Jar files served by apache: -# -# You will *also* need to copy the x11vnc classes/ssl/UltraViewerSSL.jar -# file to the httpd DocumentRoot to be accessible by: /UltraViewerSSL.jar -# in a URL (or change $applet_jar below or the html in $applet_html if -# you want to use a different location.) -# -# This location is relative to the apache DocumentRoot 'htdocs' directory. -# For our (non-standard location installation) that meant we copied the -# file to: -# -# /dist/apache/2.0/htdocs/UltraViewerSSL.jar -# -# (your DocumentRoot directory will be different.) -# -# The VncViewer.jar (tightvnc) will also work, but you need to change -# the $applet_jar below. You can get these jar files from the x11vnc -# tarball from: -# -# http://www.karlrunge.com/x11vnc/#downloading -# -# This script requires x11vnc 0.9.10 or later. -# -# Note that the usage mode for this script is a different from regular -# 'x11vnc -http ...' usage where x11vnc acts as a mini web server and -# serves its own applet jars. We don't use that mode for this script. -# Apache (httpd) serves the jars. -# -# -########################################################################## -# Notes and Information: -# -# Each x11vnc server created for a user login will listen on its own port -# (see below for port selection schemes.) Your firewall must let in *ALL* -# of these ports (e.g. a port range, see below for the syntax.) -# -# It is also possible, although not as reliable, to do all of this through -# a single port, see the fixed port scheme $find_free_port = 'fixed:5910' -# below. This single port mode must be different from apache's port -# (usually 443 for https) and must also be allowed in by your firewall. -# -# Note: The fixed port scheme is DISABLED by default. -# -# It is also possible to have this script act as a vnc redirector to SSL -# enabled VNC servers running on *other* machines inside your firewall -# (presumably the users' desktops) See the $enable_port_redirection -# setting below. The user provides 'username@host:port' instead of just -# 'username' when she logs in. This script doesn't start VNC servers -# on those other machines, the servers must be running there already. -# (If you want this script to start them you will need to add it -# yourself.) It is possible to provide a host:port allow list to limit -# which internal machines and ports can be redirected to. This is the -# $port_redirection_allowed_hosts parameter. -# -# Note: The vnc redirector scheme is DISABLED by default. -# -# Note there are *two* SSL certificates involved that the user may be -# asked to inspect: apache's SSL cert and x11vnc's SSL cert. This may -# confuse naive users. You may want to use the same cert for both. -# -# This script provides one example on how to provide the service. You can -# customize it to meet your needs, e.g. switch to php, newer cgi modules, -# different authentication, SQL database for user authentication, etc, -# etc. If you plan to use it in production, please examine all security -# aspects of it carefully; read the comments in the script for more info. -# -# More information and background and troubleshooting: -# -# http://www.karlrunge.com/x11vnc/faq.html#faq-xvfb -# http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-viewers -# http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-java-viewer-proxy -# http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-portal -# http://www.karlrunge.com/x11vnc/faq.html#faq-unix-passwords -# http://www.karlrunge.com/x11vnc/faq.html#faq-userlogin -# -# -# Please also read the comments below for changing specific settings. -# You can modify them in this script or by override file 'desktop.cgi.conf' - - -#------------------------------------------------------------------------- -# Copyright (c) 2010 by Karl J. Runge <runge@karlrunge.com> -# -# desktop.cgi is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or (at -# your option) any later version. -# -# desktop.cgi is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with desktop.cgi; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# or see <http://www.gnu.org/licenses/>. -#------------------------------------------------------------------------- - -use strict; -use IO::Socket::INET; - -# Test for INET6 support: -# -my $have_inet6 = 0; -eval "use IO::Socket::INET6;"; -$have_inet6 = 1 if $@ eq ""; - -########################################################################## -# Path to the x11vnc program: -# -my $x11vnc = '/usr/bin/x11vnc'; - - -########################################################################## -# You can set some extra x11vnc cmdline options here: -# -my $x11vnc_extra_opts = ''; - - -########################################################################## -# Override the default x11vnc viewer connection timeout of 75 seconds: -# -my $x11vnc_timeout = ''; - - -########################################################################## -# TCP Ports: -# -# Set find_free_port to 1 (or the other modes described below) to -# autoselect a free port to use. The default is to use a port based on -# the userid number (7000 + uid). -# -my $find_free_port = 0; - -# Or specify a port range: -# -#$find_free_port = '7000-8000'; -# -# Or indicate to use a kludge to try to do everything through a SINGLE -# port. To try to avoid contention on the port, simultaneous instances -# of this script attempt to 'take turns' using it the single port. -# -#$find_free_port = 'fixed:5910'; - -# This is the starting port for 7000 + uid and also $find_free_port = 1 -# autoselection: -# -my $starting_port = 7000; - -# Listen on AF_INET6 if IO::Socket::INET6 is available. -# -my $listen_on_ipv6 = 0; - - -########################################################################## -# Port redirection mode: -# -# This is to enable port redirection mode: username@host:port. If -# username is valid, there will be a port redirection to internal machine -# host:port. Presumably there is already an SSL enabled and password -# protected VNC server running there. We don't start that VNC server. -# (You might be able to figure out a way to do this yourself.) -# -# See the next setting for an allowed hosts file. The default for port -# redirection is off. -# -my $enable_port_redirection = 0; - -# A file with allowed port redirections. The empty string '' (the -# default) means all host:port redirections would be allowed. -# -# Format of the file: A list of 'user@host:port' or 'host:port' -# entries, one per line. Port ranges, e.g. host:n-m are also accepted. -# -# Leading and trailing whitespace is trimmed off each line. Blank lines -# and comment lines starting with '#' are skipped. A line consisting of -# 'ALL' matches everything. If no match can be found or the file cannot -# be opened the connection is dropped. -# -my $port_redirection_allowed_hosts = ''; - - -########################################################################## -# Allowed users: -# -# To limit which users can use this service, set the following to a file -# that contains the allowed user names one per line. Lines starting with -# the '#' character are skipped. -# -my $allowed_users_file = ''; - - -########################################################################## -# Denied users: -# -# As with $allowed_users_file, but to deny certain users. Applied after -# any $allowed_users_file check and overrides the result. -# -my $denied_users_file = ''; - - -########################################################################## -# trustUrlVncCert applet parameter: -# -# Set to 0 to have the java applet html set the parameter -# trustUrlVncCert=no, i.e. the applet will not automatically accept -# an SSL cert already accepted by an HTTPS URL. See $applet_html and -# print_applet_html() below for more info. -# -my $trustUrlVncCert = 1; - - -########################################################################## -# One-time VNC password fifo: -# -# For extra security against local untrusted users a fifo is used -# to copy the one-time VNC password to the user's VNC password file -# ~user/x11vnc.pw. If that fifo transfer technique causes problems, -# you can set this value to 1 to disable the security feature: -# -my $disable_vnc_passwd_fifo_safety = 0; - - -########################################################################## -# Comment this out if you don't want PATH modified: -# -$ENV{PATH} = "/usr/bin:/bin:$ENV{PATH}"; - - -########################################################################## -# For the next two settings, note that most users will be confused that -# geometry and session are ignored when they are returning to their -# existing desktop session (x11vnc FINDDISPLAY action.) - - -########################################################################## -# Used below if user did not specify preferred geometry and color depth: -# -my $default_geometry = '1024x768x24'; - - -# Set this to the list of x11vnc -create sessions types to show a session -# dropdown for the user to select from. -# -my $session_types = ''; -# -# example: -#$session_types = 'gnome kde xfce lxde wmaker enlightenment mwm twm failsafe'; - - -########################################################################## -# Set this to 1 to enable user setting a unique tag for each one -# of his desktops and so can have multiple ones simultaneously and -# select which one he wants. For now we just hack this onto geometry -# 1024x768x24:my_2nd_desktop but ultimately there should be a form entry -# for it. Search for enable_unique_tags for more info: -# -my $enable_unique_tags = 0; -my $unique_tag = ''; - - -########################################################################## -# String of HTML for the login form: -# -# Feel free to customize to your taste, _USERNAME_ and _GEOMETRY_ are -# expanded to that of the request. -# -my $login_str = <<"END"; -<title>x11vnc web access</title> -<h3>x11vnc web access</h3> -<form action="$ENV{REQUEST_URI}" method="post"> - <table border="0"> - <tr><td colspan=2><h2>Login</h2></td></tr> - <tr><td>Username:</td><td> - <input type="text" name="username" maxlength="40" value="_USERNAME_"> - </td></tr> - <tr><td>Password:</td><td> - <input type="password" name="password" maxlength="50"> - </td></tr> - <tr><td>Geometry:</td><td> - <input type="text" name="geometry" maxlength="40" value="_GEOMETRY_"> - </td></tr> - <!-- session --> - <tr><td colspan="2" align="right"> - <input type="submit" name="submit" value="Login"> - </td></tr> - </table> -</form> -END - - -########################################################################## -# String of HTML returned to web browser to launch applet: -# -# Feel free to customize to your taste, _UID_, _VNC_PORT_, _WIDTH_, -# _HEIGHT_, _PASS_, _TRUST_UVC_, _APPLET_JAR_, and _APPLET_CLASS_ are -# expanded to the appropriate values before sending out to the browser. -# -my $applet_html = <<"END"; -<html> -<TITLE> -x11vnc desktop (_UID_/_VNC_PORT_) -</TITLE> -<APPLET CODE=_APPLET_CLASS_ ARCHIVE=_APPLET_JAR_ WIDTH=_WIDTH_ HEIGHT=_HEIGHT_> -<param name=PORT value=_VNC_PORT_> -<param name=VNCSERVERPORT value=_VNC_PORT_> -<param name=PASSWORD value=_PASS_> -<param name=trustUrlVncCert value=_TRUST_UVC_> -<param name="Open New Window" value=yes> -<param name="Offer Relogin" value=no> -<param name="ignoreMSLogonCheck" value=yes> -<param name="delayAuthPanel" value=yes> -<!-- extra --> -</APPLET> -<br> -<a href="$ENV{REQUEST_URI}">Login page</a><br> -<a href=http://www.karlrunge.com/x11vnc>x11vnc website</a> -</html> -END - - -########################################################################## -# These java applet strings are expanded into the above $applet_html. -# Note that $applet_jar is relative to your apache DocumentRoot (htdocs) -# not the filesystem root. -# -my $applet_jar = '/UltraViewerSSL.jar'; -my $applet_class = 'VncViewer.class'; - -# These make the applet panel smaller because we use 'Open New Window' -# anyway (set to 'W' or 'H' to use actual session geometry values): -# -my $applet_width = '400'; -my $applet_height = '300'; - -# To customize ALL of the HTML printed out you may need to redefine -# the bye() subtroutine in your desktop.cgi.conf file. - - -########################################################################## -# Override any of the above settings by setting them in a file named -# 'desktop.cgi.conf'. It is sourced here. -# -# You can override any variable set above by supplying perl code -# in $0.conf that sets it to the desired value. -# -# Some examples you could put in $0.conf: -# -# $x11vnc = '/usr/local/bin/x11vnc'; -# $x11vnc_extra_opts = '-env FD_PROG=/usr/bin/xclock'; -# $x11vnc_extra_opts = '-ssl /usr/local/etc/dtcgi.pem'; -# $find_free_port = 'fixed:5999'; -# $enable_port_redirection = 1; -# $allowed_users_file = '/usr/local/etc/dtcgi.allowed'; -# -if (-f "$0.conf") { - eval `cat "$0.conf"`; -} - - -########################################################################## -# END OF MAIN USER SETTINGS. -# Only power users should change anything below. -########################################################################## - -# Print http header reply: -# -print STDOUT "Content-Type: text/html\r\n\r\n"; - - -# Require HTTPS so that unix and vnc passwords are not sent in clear text -# (perhaps it is too late...) Disable HTTPS here at your own risk. -# -if ($ENV{HTTPS} !~ /^on$/i) { - bye("HTTPS must be used (to encrypt passwords)"); -} - - -# Read URL request: -# -my $request; -if ($ENV{'REQUEST_METHOD'} eq "POST") { - read(STDIN, $request, $ENV{'CONTENT_LENGTH'}); -} elsif ($ENV{'REQUEST_METHOD'} eq "GET" ) { - $request = $ENV{'QUERY_STRING'}; -} else { - $request = $ARGV[0]; -} - -my %request = url_decode(split(/[&=]/, $request)); - - -# Experiment for FD_TAG x11vnc feature for multiple desktops for a -# single user: -# -# we hide it in geometry:tag for now: -# -if ($enable_unique_tags && $request{geometry} =~ /^(.*):(\w+)$/) { - $request{geometry} = $1; - $unique_tag = $2; -} - -# Check/set geometry and session: -# -if (!exists $request{geometry} || $request{geometry} !~ /^[x\d]+$/) { - # default geometry and depth: - $request{geometry} = $default_geometry; -} -if (!exists $request{session} || $request{session} =~ /^\s*$/) { - $request{session} = ''; -} - - -# Expand _USERNAME_ and _GEOMETRY_ in the login string HTML: -# -$login_str =~ s/_USERNAME_/$request{username}/g; -$login_str =~ s/_GEOMETRY_/$request{geometry}/g; - - -# Check x11vnc version for installers of this script who do not know -# how to read and follow instructions: -# -my $version = (split(' ', `$x11vnc -version`))[1]; -$version =~ s/\D*$//; - -my ($major, $minor, $micro) = split(/\./, $version); -if ($major !~ /^\d+$/ || $minor !~ /^\d+$/) { - bye("The x11vnc program is not installed correctly."); -} -$micro = 0 unless $micro; -my $level = $major * 100 * 100 + $minor * 100 + $micro; -my $needed = 0 * 100 * 100 + 9 * 100 + 10; -if ($level < $needed) { - bye("x11vnc version 0.9.10 or later is required. (Found version $version)"); -} - - -# Set up user selected desktop session list, if enabled: -# -my %sessions; - -if ($session_types ne '') { - my $str = "<tr><td>Session:</td><td>\n<select name=session>"; - $str .= "<option value=none>select</option>"; - - foreach my $sess (split(' ', $session_types)) { - next if $sess =~ /^\s*$/; - next if $sess !~ /^\w+$/; # alphanumeric - $sessions{$sess} = 1; - $str .= "<option value=$sess>$sess</option>"; - } - $str .= "</select>\n</td></tr>"; - - # This forces $request{session} to be a valid one: - # - if (! exists $sessions{$request{session}}) { - $request{session} = 'none'; - } - - # Insert into login_str: - # - my $r = $request{session}; - $str =~ s/option value=\Q$r\E/option selected value=$r/; - $login_str =~ s/<!-- session -->/$str/; -} - - -# If no username or password, show login form: -# -if (!$request{username} && !$request{password}) { - bye($login_str); -} elsif (!$request{username}) { - bye("No Username.<p>$login_str"); -} elsif (!$request{password}) { - bye("No Password.<p>$login_str"); -} - - -# Some shorthand names: -# -my $username = $request{username}; -my $password = $request{password}; -my $geometry = $request{geometry}; -my $session = $request{session}; - - -# If port redirection is enabled, split username@host:port -# -my $redirect_host = ''; -my $current_fh1 = ''; -my $current_fh2 = ''; - -if ($enable_port_redirection) { - ($username, $redirect_host) = split(/@/, $username, 2); - if ($redirect_host ne '') { - # will exit if the redirection is not allowed: - check_redirect_host(); - } -} - -# If there is an $allowed_users_file, check username against it: -# -if ($allowed_users_file ne '') { - if (! open(USERS, "<$allowed_users_file")) { - bye("Internal Error #0"); - } - my $ok = 0; - while (<USERS>) { - chomp; - $_ =~ s/^\s*//; - $_ =~ s/\s*$//; - next if /^#/; - if ($username eq $_) { - $ok = 1; - } - } - close USERS; - if (! $ok) { - bye("Denied Username.<p>$login_str"); - } -} - -# If there is a $denied_users_file, check username against it: -# -if ($denied_users_file ne '') { - if (! open(USERS, "<$denied_users_file")) { - bye("Internal Error #0"); - } - my $ok = 1; - while (<USERS>) { - chomp; - $_ =~ s/^\s*//; - $_ =~ s/\s*$//; - next if /^#/; - if ($username eq $_) { - $ok = 0; - } - } - close USERS; - if (! $ok) { - bye("Denied Username.<p>$login_str"); - } -} - -# Require username to be alphanumeric + '-' + '_': -# (one may want to add '.' as well) -# -if ($username !~ /^\w[-\w]*$/) { - bye("Invalid Username.<p>$login_str"); -} - - -# Get the userid number, we may use it as his VNC display port; this -# also checks if the username exists: -# -my $uid = `/usr/bin/id -u '$username'`; -chomp $uid; -if ($? != 0 || $uid !~ /^\d+$/) { - bye("Invalid Username.<p>$login_str"); -} - - -# Use x11vnc trick to check if the unix password is valid: -# (requires x11vnc 0.9.10 or later.) -# -if (!open(X11VNC, "| $x11vnc -unixpw \%stdin > /dev/null")) { - bye("Internal Error #1"); -} -print X11VNC "$username:$password\n"; - -if (!close X11VNC) { - # x11vnc returns non-zero for invalid username+password: - bye("Invalid Password.<p>$login_str"); -} - - -# Initialize random number generator for use below: -# -initialize_random(); - - -# Set vnc port: -# -my $vnc_port = 0; -my $fixed_port = 0; - -if (! $find_free_port) { - # Fixed port based on userid (we assume it is free): - # - $vnc_port = $starting_port + $uid; - -} elsif ($find_free_port =~ /^fixed:(\d+)$/) { - # - # Enable the -loopbg method that tries to share a single port: - # - $vnc_port = $1; - $fixed_port = 1; -} else { - # Autoselect a port, either default range (7000-8000) or a user - # supplied range. (note that $find_free_port will now contain - # a socket listening on the found port so that it is held.) - # - $vnc_port = auto_select_port(); -} - -# Check for crazy port value: -# -if ($vnc_port > 64000 || $vnc_port < 1) { - bye("Internal Error #2 $vnc_port"); -} - - -# If port redirection is enabled and the user selected it via -# username@host:port, we do that right now and then exit. -# -if ($enable_port_redirection && $redirect_host ne '') { - port_redir(); - exit 0; -} - - -# Make a random, onetime vnc password: -# -my $pass = ''; -my $chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; -my @abc = split(//, $chars); - -for (my $i = 0; $i < 8; $i++) { - $pass .= $abc[ rand(scalar(@abc)) ]; -} - -# Use x11vnc trick to switch to user and store vnc pass in the passwdfile. -# Result is $pass is placed in user's $HOME/x11vnc.pw -# -# (This is actually difficult to do without untrusted LOCAL users being -# able to see the pass as well, see copy_password_to_user() for details -# on how we try to avoid this.) -# -copy_password_to_user($pass); - - -# Make a tmp file for x11vnc launcher script: -# -my $tmpfile = `/bin/mktemp /tmp/desktop.cgi.XXXXXX`; -chomp $tmpfile; - -# Check if the tmpfile is valid: -# -if (! -e $tmpfile || ! -o $tmpfile || -l $tmpfile) { - unlink $tmpfile; - bye("Internal Error #3"); -} -if (!chmod 0644, $tmpfile) { - unlink $tmpfile; - bye("Internal Error #4"); -} -if (!open(TMP, ">$tmpfile")) { - unlink $tmpfile; - bye("Internal Error #5"); -} - - -# The x11vnc command. You adjust it to suit your needs. -# -# some ideas: -env FD_PROG=/usr/bin/gnome-session -# -env FD_SESS=kde -# -env FD_TAG=my_2nd_desktop -# -ultrafilexfer -# -# Note that -timeout will cause it to exit if client does not connect -# and -sslonly disables VeNCrypt SSL connections. - -# Some settings: -# (change these if you encounter timing problems, etc.) -# -my $timeout = 75; -my $extra = ''; -if ($fixed_port) { - # settings for fixed port case: - $timeout = 45; - $extra .= " -loopbg100,1"; -} -$timeout = $x11vnc_timeout if $x11vnc_timeout ne ''; - -if ($session_types ne '') { - # settings for session selection case: - if (exists $sessions{$session}) { - $extra .= " -env FD_SESS='$session'"; - } -} -if ($enable_unique_tags && $unique_tag ne '' && $unique_tag =~ /^\w+$/) { - $extra .= " -env FD_TAG='$unique_tag'"; -} - -# This md5sum check of the vnc passwd is for extra safety (see -# copy_password_to_user for details.) -# -my $md5sum = ''; -system("type md5sum > /dev/null"); -if ($? == 0) { - my $md5 = `/bin/mktemp /tmp/desktop.cgi.XXXXXX`; - chomp $md5; - # compute md5sum of password: - if (-o $md5 && open(MD5, "| md5sum > $md5")) { - print MD5 "$pass\n"; - close MD5; - if (open(MD5, "<$md5")) { - # read it: - my $line = <MD5>; - close MD5; - my ($s, $t) = split(' ', $line); - if (length($s) >= 32 && $s =~ /^\w+$/) { - # shell code for user to check he has correct passwd: - $md5sum = "if md5sum \$HOME/x11vnc.pw | grep '$s' > /dev/null; then true; else exit 1; fi"; - } - } - } - unlink $md5; -} - -# Write x11vnc command to the tmp file: -# -print TMP <<"END"; -#!/bin/sh -export PATH=/usr/bin:/bin:\$PATH -$md5sum -$x11vnc -sigpipe ignore:HUP -nopw -rfbport $vnc_port \\ - -passwdfile \$HOME/x11vnc.pw -oa \$HOME/x11vnc.log \\ - -create -ssl SAVE -sslonly -env FD_GEOM=$geometry \\ - -timeout $timeout $extra $x11vnc_extra_opts \\ - >/dev/null 2>/dev/null </dev/null & -sleep 2 -exit 0 -END - -close TMP; - -# Now launch x11vnc to switch to user and run the wrapper script: -# (this requires x11vnc 0.9.10 or later.) -# -$ENV{UNIXPW_CMD} = "/bin/sh $tmpfile"; - -# For the fixed port scheme we try to cooperate via lock file: -# (disabled by default.) -# -my $rmlock = ''; -# -if ($fixed_port) { - # try to grab the fixed port for the next 90 secs removing stale - # locks older than 60 secs: - # - $rmlock = lock_fixed_port(90, 60); -} - -# Start the x11vnc cmd: -# -if (!open(X11VNC, "| $x11vnc -unixpw \%stdin > /dev/null")) { - unlink $tmpfile; - unlink $rmlock if $rmlock; - bye("Internal Error #6"); -} - -select(X11VNC); $| = 1; select(STDOUT); - -# Close any port we held. There is still a gap of time between now -# and when when x11vnc in $tmpfile reopens the port after the password -# authentication. So another instance of this script could accidentally -# think it is free... -# -sleep 1; -close $find_free_port if $find_free_port; - -print X11VNC "$username:$password\n"; -close X11VNC; # note we ignore return value. -unlink $tmpfile; - -if ($rmlock) { - # let our x11vnc proceed a bit before removing lock. - sleep 2; - unlink $rmlock; -} - -# Return html for the java applet to connect to x11vnc. -# -print_applet_html(); - -exit 0; - -################################################################# -# Subroutines: - -# print the message to client and exit with success. -# -sub bye { - my $msg = shift; - print STDOUT "<html>$msg</html>\n"; - exit 0; -} - -# decode %xx to character: -# -sub url_decode { - foreach (@_) { - tr/+/ /; - s/%(..)/pack("c",hex($1))/ge; - } - @_; -} - -# seed random -# -sub initialize_random { - my $rbytes = ''; - if (open(RAN, "</dev/urandom")) { - read(RAN, $rbytes, 8); - } elsif (open(RAN, "</dev/random")) { - read(RAN, $rbytes, 8); - } else { - $rbytes = sprintf("%08d", $$); - } - close RAN; - - # set seed: - # - my $seed = join('', unpack("C8", $rbytes)); - $seed = substr($seed, -9); - srand($seed); - - for (my $i = 0; $i < ($$ % 4096); $i++) { - # Mix it up even a little bit more. There should be - # over 1 billion possible vnc passwords now. - rand(); - } -} - -# Autoselect a port for vnc. Note that a socket for the found port -# is kept open (and stored in $find_free_port) until we call x11vnc at -# the end. -# -sub auto_select_port { - my $pmin = $starting_port; # default range 7000-8000. - my $pmax = $starting_port + 1000; - - if ($find_free_port =~ /^(\d+)-(\d+)$/) { - # user supplied a range: - $pmin = $1; - $pmax = $2; - if ($pmin > $pmax) { - ($pmin, $pmax) = ($pmax, $pmin); - } - } elsif ($find_free_port > 1024) { - # user supplied a starting port: - $pmin = $find_free_port; - $pmax = $pmin + 1000; - } - - # Try to add a bit of randomness to the starting port so - # simultaneous instances of this script won't be fooled by the gap - # of time before x11vnc reopens the port (see near the bottom.) - # - my $dp = int(rand(1.0) * 0.25 * ($pmax - $pmin)); - if ($pmin + $dp < $pmax - 20) { - $pmin = $pmin + $dp; - } - - my $port = 0; - - # Now try to find a free one: - # - for (my $p = $pmin; $p <= $pmax; $p++) { - my $sock = ''; - if ($have_inet6 && $listen_on_ipv6) { - eval {$sock = IO::Socket::INET6->new( - Listen => 1, - LocalPort => $p, - ReuseAddr => 1, - Domain => AF_INET6, - LocalAddr => "::", - Proto => "tcp" - );}; - } else { - $sock = IO::Socket::INET->new( - Listen => 1, - LocalPort => $p, - ReuseAddr => 1, - Proto => "tcp" - ); - } - if ($sock) { - # we will keep this open until we call x11vnc: - $find_free_port = $sock; - $port = $p; - last; - } - } - return $port; -} - -# Since apache typically runs as user 'apache', 'nobody', etc, and not -# as root it is tricky for us to copy the pass string to a file owned by -# the user without some other untrusted local user being able to learn -# the password (e.g. via reading a file or watching ps.) Note that with -# the x11vnc -unixpw trick we unfortunately can't use a pipe because -# the user command is run in its own tty. -# -# The best way would be a sudo action or a special setuid program for -# copying. So consider doing that and thereby simplify this function. -# -# Short of a special program doing this, we use a fifo so ONLY ONE -# process can read the password. If the untrusted local user reads it, -# then the logging-in user's x11vnc won't get it. The login and x11vnc -# will fail, but the untrusted user won't gain access to the logging-in -# user's desktop. -# -# So here we start long, tedious work carefully managing the fifo. -# -sub copy_password_to_user { - - my $pass = shift; - - my $use_fifo = ''; - - # Find a command to make a fifo: - # - system("type mkfifo > /dev/null"); - if ($? == 0) { - $use_fifo = 'mkfifo %s'; - } else { - system("type mknod > /dev/null"); - if ($? == 0) { - $use_fifo = 'mknod %s p'; - } - } - - # Create the filename for our fifo: - # - my $fifo = `/bin/mktemp /tmp/desktop.cgi.XXXXXX`; - chomp $fifo; - - if (! -e $fifo || ! -o $fifo || -l $fifo) { - unlink $fifo; - bye("Internal Error #7"); - } - - # disable fifo safety if requested: - # - if ($disable_vnc_passwd_fifo_safety) { - $use_fifo = ''; - } - - # Make the fifo: - # - if ($use_fifo) { - $use_fifo = sprintf($use_fifo, $fifo); - - # there is a small race here: - system("umask 077; rm -f $fifo; $use_fifo; chmod 600 $fifo"); - - if (!chmod 0600, $fifo) { - # we chmod once more.. - unlink $fifo; - bye("Internal Error #8"); - } - - if (! -o $fifo || ! -p $fifo || -l $fifo) { - # but we get out if not owned by us anymore: - unlink $fifo; - bye("Internal Error #9"); - } - } - - # Build cmd for user to read our fifo: - # - my $upw = '$HOME/x11vnc.pw'; - $ENV{UNIXPW_CMD} = "touch $upw; chmod 600 $upw; cat $fifo > $upw"; - - # Start it: - # - if (!open(X11VNC, "| $x11vnc -unixpw \%stdin > /dev/null")) { - unlink $fifo; - bye("Internal Error #10"); - } - select(X11VNC); $| = 1; select(STDOUT); - - if (! $use_fifo) { - # regular file, we need to write it now. - if (!open(FIFO, ">$fifo")) { - close X11VNC; - unlink $fifo; - bye("Internal Error #11"); - } - print FIFO "$pass\n"; - close FIFO; - } - - # open fifo up for reading. - # (this means the bad guy can read it too.) - # - if (!chmod 0644, $fifo) { - unlink $fifo; - bye("Internal Error #12"); - } - - # send the user's passwd now: - # - print X11VNC "$username:$password\n"; - - if ($use_fifo) { - # wait a bit for the cat $fifo to start, reader will block. - sleep 1; - if (!open(FIFO, ">$fifo")) { - close X11VNC; - unlink $fifo; - bye("Internal Error #13"); - } - # here it goes: - print FIFO "$pass\n"; - close FIFO; - } - close X11VNC; # note we ignore return value. - fsleep(0.5); - unlink $fifo; - - # Done! -} - -# For fixed, single port mode. Try to open and lock the port before -# proceeding. -# -sub lock_fixed_port { - my ($t_max, $t_age) = @_; - - # lock file name: - # - my $lock = '/tmp/desktop.cgi.lock'; - my $remove = ''; - - my $t = 0; - my $sock = ''; - - while ($t < $t_max) { - if (-e $lock) { - # clean out stale locks if possible: - if (! -l $lock) { - unlink $lock; - } else { - my ($pid, $time) = split(/:/, readlink($lock)); - if (! -d "/proc/$pid") { - unlink $lock; - } - if (time() > $time + $t_age) { - unlink $lock; - } - } - } - - my $reason = ''; - - if (-l $lock) { - # someone has locked it. - $reason = 'locked'; - } else { - # unlocked, try to listen on port: - if ($have_inet6 && $listen_on_ipv6) { - eval {$sock = IO::Socket::INET6->new( - Listen => 1, - LocalPort => $vnc_port, - ReuseAddr => 1, - Domain => AF_INET6, - LocalAddr => "::", - Proto => "tcp" - );}; - } else { - $sock = IO::Socket::INET->new( - Listen => 1, - LocalPort => $vnc_port, - ReuseAddr => 1, - Proto => "tcp" - ); - } - if ($sock) { - # we got it, now try to lock: - my $str = "$$:" . time(); - if (symlink($str, $lock)) { - $remove = $lock; - $find_free_port = $sock; - last; - } - # wow, we didn't lock it... - $reason = "symlink failed: $!"; - close $sock; - } else { - $reason = "listen failed: $!"; - } - } - # sleep a bit and then try again: - # - print STDERR "$$ failed to get fixed port $vnc_port for $username at $t ($reason)\n"; - $sock = ''; - $t += 5; - sleep 5; - } - if (! $sock) { - bye("Failed to lock fixed TCP port. Try again a bit later.<p>$login_str"); - } - print STDERR "$$ got fixed port $vnc_port for $username at $t\n"; - - # Return the file to remove, if any: - # - return $remove; -} - - -# Return html for the java applet to connect to x11vnc. -# -# N.B. Please examine the applet params, e.g. trustUrlVncCert=yes to -# see if you agree with them. See x11vnc classes/ssl/README for all -# parameters. -# -# Note how we do not take extreme care to authenticate the server to -# the client applet (but note that trustUrlVncCert=yes is better than -# trustAllVncCerts=yes) One can tighten all of this up at the expense -# of extra certificate dialogs (assuming the user bothers to check...) -# -# This assumes /UltraViewerSSL.jar is at document root; you need to put -# it there. -# -sub print_applet_html { - my ($W, $H, $D) = split(/x/, $geometry); - - # make it smaller since we 'Open New Window' below anyway. - if ($applet_width ne 'W') { - $W = $applet_width; - } - if ($applet_height ne 'H') { - $H = $applet_height; - } - - my $tUVC = ($trustUrlVncCert ? 'yes' : 'no'); - - # see $applet_html set in defaults section for more info: - # - my $str = $applet_html; - - $str =~ s/_UID_/$uid/g; - $str =~ s/_VNC_PORT_/$vnc_port/g; - $str =~ s/_WIDTH_/$W/g; - $str =~ s/_HEIGHT_/$H/g; - $str =~ s/_PASS_/$pass/g; - $str =~ s/_APPLET_JAR_/$applet_jar/g; - $str =~ s/_APPLET_CLASS_/$applet_class/g; - $str =~ s/_TRUST_UVC_/$tUVC/g; - - if ($enable_port_redirection && $redirect_host ne '') { - $str =~ s/name=PASSWORD value=.*>/name=NOT_USED value=yes>/i; - #$str =~ s/<!-- extra -->/<!-- extra -->\n<param name="ignoreProxy" value=yes>/; - } - - print $str; -} - -########################################################################## -# The following subroutines are for port redirection only, which is -# disabled by default ($enable_port_redirection == 0) -# -sub port_redir { - # To aid in avoiding zombies: - # - setpgrp(0, 0); - - # For the fixed port scheme we try to cooperate via lock file: - # - my $rmlock = ''; - # - if ($fixed_port) { - # try to grab the fixed port for the next 90 secs removing - # stale locks older than 60 secs: - # - $rmlock = lock_fixed_port(90, 60); - - } elsif ($find_free_port eq '0') { - if ($have_inet6 && $listen_on_ipv6) { - eval {$find_free_port = IO::Socket::INET6->new( - Listen => 1, - LocalPort => $vnc_port, - ReuseAddr => 1, - Domain => AF_INET6, - LocalAddr => "::", - Proto => "tcp" - );}; - } else { - $find_free_port = IO::Socket::INET->new( - Listen => 1, - LocalPort => $vnc_port, - ReuseAddr => 1, - Proto => "tcp" - ); - } - } - # In all cases, at this point $find_free_port is the listening - # socket. - - # fork a helper process to do the port redir: - # - # Actually we need to spawn 4(!) of them in case the proxy check - # /check.https.proxy.connection (it is by default) and the other - # test connections. Spawn one for each expected connection, for - # whatever applet parameter usage mode you set up. - # - for (my $n = 1; $n <= 4; $n++) { - my $pid = fork(); - if (! defined $pid) { - bye("Internal Error #14"); - } elsif ($pid) { - wait; - } else { - if (fork) { - exit 0; - } - setpgrp(0, 0); - handle_conn(); - exit 0; - } - } - - # We now close the listening socket: - # - close $find_free_port; - - if ($rmlock) { - # let our process proceed a bit before removing lock. - sleep 1; - unlink $rmlock; - } - - # Now send html to the browser so it can connect: - # - print_applet_html(); - - exit 0; -} - -# This checks the validity of a username@host:port for the port -# redirection mode. Finishes and exits if it is invalid. -# -sub check_redirect_host { - # First check that the host:port string is valid: - # - if ($redirect_host !~ /^\w[-\w\.]*:\d+$/) { - bye("Invalid Redirect Host:Port.<p>$login_str"); - } - # Second, check if the allowed host file permits it: - # - if ($port_redirection_allowed_hosts ne '') { - if (! open(ALLOWED, "<$port_redirection_allowed_hosts")) { - bye("Internal Error #15"); - } - my $ok = 0; - while (my $line = <ALLOWED>) { - chomp $line; - # skip blank lines and '#' comments: - next if $line =~ /^\s*$/; - next if $line =~ /^\s*#/; - - # trim spaces from ends: - $line =~ s/^\s*//; - $line =~ s/\s*$//; - - # collect host:ports in case port range given: - my @items; - if ($line =~ /^(.*):(\d+)-(\d+)$/) { - # port range: - my $host = $1; - my $pmin = $2; - my $pmax = $3; - for (my $p = $pmin; $p <= $pmax; $p++) { - push @items, "$host:$p"; - } - } else { - push @items, $line; - } - - # now check each item for a match: - foreach my $item (@items) { - if ($item eq 'ALL') { - $ok = 1; - last; - } elsif ($item =~ /@/) { - if ("$username\@$redirect_host" eq $item) { - $ok = 1; - last; - } - } elsif ($redirect_host eq $item) { - $ok = 1; - last; - } - } - # got a match: - last if $ok; - } - close ALLOWED; - - if (! $ok) { - bye("Disallowed Redirect Host:Port.<p>$login_str"); - } - } -} - -# Much of this code is borrowed from 'connect_switch': -# -# (it only applies to the vnc redirector $enable_port_redirection mode -# which is off by default.) -# -sub handle_conn { - close STDIN; - close STDOUT; - close STDERR; - - $SIG{ALRM} = sub {close $find_free_port; exit 0}; - - # We only wait 30 secs for the redir case, esp. since - # we need to spawn so many helpers... - # - alarm(30); - - my ($client, $ip) = $find_free_port->accept(); - - alarm(0); - - close $find_free_port; - - if (!$client) { - exit 1; - } - - my $host = ''; - my $port = ''; - if ($redirect_host =~ /^(.*):(\d+)$/) { - ($host, $port) = ($1, $2); - } - - my $sock = IO::Socket::INET->new( - PeerAddr => $host, - PeerPort => $port, - Proto => "tcp" - ); - if (! $sock && $have_inet6) { - eval {$sock = IO::Socket::INET6->new( - PeerAddr => $host, - PeerPort => $port, - Proto => "tcp" - );}; - } - - if (! $sock) { - close $client; - exit 1; - } - - $current_fh1 = $client; - $current_fh2 = $sock; - - $SIG{TERM} = sub {close $current_fh1; close $current_fh2; exit 0}; - - my $killpid = 1; - - my $parent = $$; - if (my $child = fork()) { - xfer($sock, $client, 'S->C'); - if ($killpid) { - fsleep(0.5); - kill 'TERM', $child; - } - } else { - xfer($client, $sock, 'C->S'); - if ($killpid) { - fsleep(0.75); - kill 'TERM', $parent; - } - } - exit 0; -} - -# This does socket data transfer in one direction. -# -sub xfer { - my($in, $out, $lab) = @_; - my ($RIN, $WIN, $EIN, $ROUT); - $RIN = $WIN = $EIN = ""; - $ROUT = ""; - vec($RIN, fileno($in), 1) = 1; - vec($WIN, fileno($in), 1) = 1; - $EIN = $RIN | $WIN; - my $buf; - - while (1) { - my $nf = 0; - while (! $nf) { - $nf = select($ROUT=$RIN, undef, undef, undef); - } - my $len = sysread($in, $buf, 8192); - if (! defined($len)) { - next if $! =~ /^Interrupted/; - last; - } elsif ($len == 0) { - last; - } - - my $offset = 0; - my $quit = 0; - while ($len) { - my $written = syswrite($out, $buf, $len, $offset); - if (! defined $written) { - $quit = 1; - last; - } - $len -= $written; - $offset += $written; - } - last if $quit; - } - close($in); - close($out); -} - -# Sleep a small amount of time (float) -# -sub fsleep { - my ($time) = @_; - select(undef, undef, undef, $time) if $time; -} |
