Diffstat (limited to 'x11vnc/help.c')
| -rw-r--r-- | x11vnc/help.c | 150 | 
1 files changed, 107 insertions, 43 deletions
| diff --git a/x11vnc/help.c b/x11vnc/help.c
index 248887e..ff697af 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -335,8 +335,8 @@ void print_help(int mode) {
 "                       is needed for the latter, feel free to ask).\n"
 "\n"
 "-scale fraction        Scale the framebuffer by factor \"fraction\".  Values\n"
-"                       less than 1 shrink the fb, larger ones expand it.  Note:\n"
-"                       image may not be sharp and response may be slower.\n"
+"                       less than 1 shrink the fb, larger ones expand it. Note:\n"
+"                       the image may not be sharp and response may be slower.\n"
 "                       If \"fraction\" contains a decimal point \".\" it\n"
 "                       is taken as a floating point number, alternatively\n"
 "                       the notation \"m/n\" may be used to denote fractions\n"
@@ -507,7 +507,7 @@ void print_help(int mode) {
 "                       Repeater mode: Some services provide an intermediate\n"
 "                       \"vnc repeater\": http://www.uvnc.com/addons/repeater.html\n"
 "                       (and also http://koti.mbnet.fi/jtko/ for linux port)\n"
-"                       that acts as a proxy / gateway.  Modes like these require\n"
+"                       that acts as a proxy/gateway.  Modes like these require\n"
 "                       an initial string to be sent for the reverse connection\n"
 "                       before the VNC protocol is started.  Here are the ways\n"
 "                       to do this:\n"
@@ -782,12 +782,12 @@ void print_help(int mode) {
 "                       full-access passwords)\n"
 "\n"
 "-unixpw [list]         Use Unix username and password authentication.  x11vnc\n"
-"                       uses the su(1) program to verify the user's password.\n"
-"                       [list] is an optional comma separated list of allowed\n"
-"                       Unix usernames.  If the [list] string begins with the\n"
-"                       character \"!\" then the entire list is taken as an\n"
-"                       exclude list.  See below for per-user options that can\n"
-"                       be applied.\n"
+"                       will use the su(1) program to verify the user's\n"
+"                       password.  [list] is an optional comma separated list\n"
+"                       of allowed Unix usernames.  If the [list] string begins\n"
+"                       with the character \"!\" then the entire list is taken\n"
+"                       as an exclude list.  See below for per-user options\n"
+"                       that can be applied.\n"
 "\n"
 "                       A familiar \"login:\" and \"Password:\" dialog is\n"
 "                       presented to the user on a black screen inside the\n"
@@ -803,8 +803,9 @@ void print_help(int mode) {
 "\n"
 "                       Since the detailed behavior of su(1) can vary from\n"
 "                       OS to OS and for local configurations, test the mode\n"
-"                       carefully.  x11vnc will attempt to be conservative and\n"
-"                       reject a login if anything abnormal occurs.\n"
+"                       before deployment to make sure it is working properly.\n"
+"                       x11vnc will attempt to be conservative and reject a\n"
+"                       login if anything abnormal occurs.\n"
 "\n"
 "                       One case to note: FreeBSD and the other BSD's by\n"
 "                       default it is impossible for the user running x11vnc to\n"
@@ -837,7 +838,7 @@ void print_help(int mode) {
 "                       to come from the same machine x11vnc is running on\n"
 "                       (e.g. from a ssh -L port redirection).  And that the\n"
 "                       -stunnel SSL mode be used for encryption over the\n"
-"                       network.(see the description of -stunnel below).\n"
+"                       network. (see the description of -stunnel below).\n"
 "\n"
 "                       Note: as a convenience, if you ssh(1) in and start\n"
 "                       x11vnc it will check if the environment variable\n"
@@ -865,7 +866,7 @@ void print_help(int mode) {
 "                       Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
 "                       requirement in Method 2).  One should never do this\n"
 "                       (i.e. allow the Unix passwords to be sniffed on the\n"
-"                       network).\n"
+"                       network.)\n"
 "\n"
 "                       Regarding reverse connections (e.g. -R connect:host\n"
 "                       and -connect host), when the -localhost constraint is\n"
@@ -883,7 +884,7 @@ void print_help(int mode) {
 "                       in -inetd mode (thereby bypassing inetd).  See the FAQ\n"
 "                       for details.\n"
 "\n"
-"                       The user names in the comma separated [list] can have\n"
+"                       The user names in the comma separated [list] may have\n"
 "                       per-user options after a \":\", e.g. \"fred:opts\"\n"
 "                       where \"opts\" is a \"+\" separated list of\n"
 "                       \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n"
@@ -891,13 +892,13 @@ void print_help(int mode) {
 "                       For \"input=\" it is the K,M,B,C described under -input.\n"
 "\n"
 "                       If an item in the list is \"*\" that means those\n"
-"                       options apply to all users.  It also means all users\n"
+"                       options apply to all users.  It ALSO implies all users\n"
 "                       are allowed to log in after supplying a valid password.\n"
 "                       Use \"deny\" to explicitly deny some users if you use\n"
-"                       \"*\" to set a global option.  If [list] begins with\n"
-"                       the \"!\" character then \"*\" is ignored for checking\n"
-"                       if the user is allowed, but the any value of options\n"
-"                       associated with it does apply as normal.\n"
+"                       \"*\" to set a global option.  If [list] begins with the\n"
+"                       \"!\" character then \"*\" is ignored for checking if\n"
+"                       the user is allowed, but the option values associated\n"
+"                       with it do apply as normal.\n"
 "\n"
 "                       There are also some utilities for testing password\n"
 "                       if [list] starts with the \"%%\" character.  See the\n"
@@ -922,32 +923,89 @@ void print_help(int mode) {  "\n"  "                       NIS is not required for this mode to work (only that\n"  "                       getpwnam(3) return the encrypted password is required),\n" -"                       but it is unlikely it will work for any most modern\n" -"                       environments unless x11vnc is run as root to be able\n" -"                       to access /etc/shadow (note running as root is often\n" -"                       done when running x11vnc from inetd and xdm/gdm/kdm).\n" +"                       but it is unlikely it will work (as an ordinary user)\n" +"                       for most modern environments unless NIS is available.\n" +"                       On the other hand, when x11vnc is run as root it will\n" +"                       be able to to access /etc/shadow even if NIS is not\n" +"                       available (note running as root is often done when\n" +"                       running x11vnc from inetd and xdm/gdm/kdm).\n"  "\n"  "                       Looked at another way, if you do not want to use the\n" -"                       su(1) method provided by -unixpw, you can run x11vnc\n" -"                       as root and use -unixpw_nis.  Any users with passwords\n" -"                       in /etc/shadow can then be authenticated.  You may want\n" -"                       to use -users unixpw= to switch the process user after\n" -"                       the user logs in.\n" +"                       su(1) method provided by -unixpw (i.e. su_verify()), you\n" +"                       can run x11vnc as root and use -unixpw_nis.  Any users\n" +"                       with passwords in /etc/shadow can then be authenticated.\n" +"\n" +"                       In -unixpw_nis mode, under no circumstances is x11vnc's\n" +"                       user password verifying function based on su called\n" +"                       (i.e. 
the function su_verify() that runs /bin/su\n" +"                       in a pseudoterminal to verify passwords.)  However,\n" +"                       if -unixpw_nis is used in conjunction with the -find\n" +"                       and -create -display WAIT:... modes then, if x11vnc is\n" +"                       running as root, /bin/su may be called externally to\n" +"                       run the find or create commands.\n"  "\n"  "-unixpw_cmd cmd        As -unixpw above, however do not use su(1) but rather\n"  "                       run the externally supplied command \"cmd\".  The first\n" -"                       line of its stdin will the username and the second line\n" -"                       the received password.  If the command exits with status\n" -"                       0 (success) the VNC client will be accepted.  It will be\n" -"                       rejected for any other return status.\n" -"\n" -"                       Dynamic passwords and non-unix passwords can be\n" -"                       implemented this way by providing your own custom helper\n" -"                       program.  Note that under unixpw mode the remote viewer\n" -"                       is given 3 tries to enter the correct password.\n" -"\n" -"                       If a list of allowed users is needed use -unixpw [list]\n" -"                       in addition to this option.\n" +"                       line of its stdin will be the username and the second\n" +"                       line the received password.  If the command exits\n" +"                       with status 0 (success) the VNC user will be accepted.\n" +"                       It will be rejected for any other return status.\n" +"\n" +"                       Dynamic passwords and non-unix passwords, e.g. LDAP,\n" +"                       can be implemented this way by providing your own custom\n" +"                       helper program.  
Note that the remote viewer is given 3\n" +"                       tries to enter the correct password, and so the program\n" +"                       may be called in a row that many (or more) times.\n" +"\n" +"                       If a list of allowed users is needed to limit who can\n" +"                       log in, use -unixpw [list] in addition to this option.\n" +"\n" +"                       In FINDDISPLAY and FINDCREATEDISPLAY modes the \"cmd\"\n" +"                       will also be run with the RFB_UNIXPW_CMD_RUN env. var.\n" +"                       non-empty and set to the corresponding display\n" +"                       find/create command.  The first two lines of input are\n" +"                       the username and passwd as in the normal case described\n" +"                       above.  To support FINDDISPLAY and FINDCREATEDISPLAY,\n" +"                       \"cmd\" should run the requested command as the user\n" +"                       (and most likely refusing to run it if the password is\n" +"                       not correct.)  
Here is an example script (note it has\n" +"                       a hardwired bogus password \"abc\"!)\n" +"\n" +"                         #!/bin/sh\n" +"                         # Example x11vnc -unixpw_cmd script.\n" +"                         # Read the first two lines of stdin (user and passwd)\n" +"                         read user\n" +"                         read pass\n" +"                         \n" +"                         debug=0\n" +"                         if [ $debug = 1 ]; then\n" +"                         	echo \"user: $user\" 1>&2\n" +"                         	echo \"pass: $pass\" 1>&2\n" +"                         	env | egrep -i 'rfb|vnc' 1>&2\n" +"                         fi\n" +"                         \n" +"                         # Check if the password is valid.\n" +"                         # (A real example would use ldap lookup, etc!)\n" +"                         if [ \"X$pass\" != \"Xabc\" ]; then\n" +"                         	exit 1	# incorrect password\n" +"                         fi\n" +"                         \n" +"                         if [ \"X$RFB_UNIXPW_CMD_RUN\" = \"X\" ]; then\n" +"                         	exit 0	# correct password\n" +"                         else\n" +"                         	# Run the requested command (finddisplay)\n" +"                         	if [ $debug = 1 ]; then\n" +"                         		echo \"run: $RFB_UNIXPW_CMD_RUN\" 1>&2\n" +"                         	fi\n" +"                         	exec /bin/su - \"$user\" -c \"$RFB_UNIXPW_CMD_RUN\"\n" +"                         fi\n" +"\n" +"                       In -unixpw_cmd mode, under no circumstances is x11vnc's\n" +"                       user password verifying function based on su called\n" +"                       (i.e. the function su_verify() that runs /bin/su in a\n" +"                       pseudoterminal to verify passwords.)  
It is up to the\n" +"                       supplied unixpw_cmd to do user switching if desired\n" +"                       and if it has the permissions to do so.\n"  "\n"  "-find                  Find the user's display using FINDDISPLAY. This is an\n"  "                       alias for \"-display WAIT:cmd=FINDDISPLAY\".\n" @@ -1064,9 +1122,15 @@ void print_help(int mode) {  "\n"  "                            xauth extract - $DISPLAY\"\n"  "\n" -"                       In the case of -unixpw (but not -unixpw_nis), then the\n" -"                       cmd= command is run as the user who just authenticated\n" -"                       via the login and password prompt.\n" +"                       In the case of -unixpw (and -unixpw_nis only if x11vnc\n" +"                       is running as root), then the cmd= command is run\n" +"                       as the user who just authenticated via the login and\n" +"                       password prompt.\n" +"\n" +"                       In the case of -unixpw_cmd, the commands will also be\n" +"                       run as the logged-in user, as long as the user-supplied\n" +"                       helper program supports RFB_UNIXPW_CMD_RUN (see the\n" +"                       -unixpw_cmd option.)\n"  "\n"  "                       Also in the case of -unixpw, the user logging in can\n"  "                       place a colon at the end of her username and supply\n" | 
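Review bot: The example -unixpw_cmd script added in the `@@ -922,32 +923,89 @@` hunk reads the credentials with plain `read user` / `read pass`, so the shell strips leading and trailing whitespace and consumes backslashes, and a valid password containing either would reach the real check (LDAP or otherwise) in altered form; `IFS= read -r user` and `IFS= read -r pass` keep both lines intact. The same script passes the client-supplied `$user` to `exec /bin/su - "$user" -c "$RFB_UNIXPW_CMD_RUN"` with no check of its own; whether x11vnc has already restricted the characters in the name is not visible in this hunk, so the example should either validate the name before the `exec` or carry a comment saying it relies on x11vnc for that. The `debug=1` branch writes the received password to stderr and deserves a comment such as `# debug=1 prints the password in clear text; keep it 0 outside testing`. Separately, the new -unixpw_nis paragraph has a doubled word in "be able to to access /etc/shadow". print_help's body begins and ends outside the hunk.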
