Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 42 |
1 files changed, 30 insertions, 12 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c index 548d81f..b465773 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -1619,9 +1619,10 @@ void print_help(int mode) { " Since this option switches userid it also affects the\n" " userid used to run the processes for the -accept and\n" " -gone options. It also affects the ability to read\n" -" files for options such as -connect, -allow, and -remap.\n" -" Note that the -connect file is also sometimes written\n" -" to.\n" +" files for options such as -connect, -allow, and -remap\n" +" and also the ultra and tight filetransfer feature if\n" +" enabled. Note that the -connect file is also sometimes\n" +" written to.\n" "\n" " So be careful with this option since in some situations\n" " its use can decrease security.\n" @@ -1630,9 +1631,10 @@ void print_help(int mode) { " if the display can still be successfully opened as that\n" " user (this is primarily to try to guess the actual owner\n" " of the session). Example: \"-users fred,wilma,betty\".\n" -" Note that a malicious user \"barney\" by quickly using\n" -" \"xhost +\" when logging in may possibly get the x11vnc\n" -" process to switch to user \"fred\". What happens next?\n" +" Note that a malicious local user \"barney\" by\n" +" quickly using \"xhost +\" when logging in may possibly\n" +" get the x11vnc process to switch to user \"fred\".\n" +" What happens next?\n" "\n" " Under display managers it may be a long time before\n" " the switch succeeds (i.e. a user logs in). To instead\n" 
@@ -1644,29 +1646,45 @@ void print_help(int mode) { " \"nobody\") is probably the only use of this option\n" " that increases security.\n" "\n" +" Use the following notation to associate a group with\n" +" a user: user1.group1,user2.group2,... Note that\n" +" initgroups(2) will still be called first to try to\n" +" switch to ALL of a user's groups (primary and additional\n" +" groups). Only if that fails or it is not available\n" +" then the single group specified as above (or the user's\n" +" primary group if not specified) is switched to with\n" +" setgid(2). Use -env X11VNC_SINGLE_GROUP=1 to prevent\n" +" trying initgroups(2) and only switch to the single\n" +" group. This sort of setting is only really needed to\n" +" make the ultra or tight filetransfer permissions work\n" +" properly. This format applies to any comma separated list\n" +" of users, even the special \"=\" modes described below.\n" +"\n" " In -unixpw mode, if \"-users unixpw=\" is supplied\n" " then after a user authenticates himself via the\n" " -unixpw mechanism, x11vnc will try to switch to that\n" " user as though \"-users +username\" had been supplied.\n" " If you want to limit which users this will be done for,\n" " provide them as a comma separated list after \"unixpw=\"\n" +" Groups can also be specified as described above.\n" "\n" " Similarly, in -ssl mode, if \"-users sslpeer=\" is\n" " supplied then after an SSL client authenticates with his\n" " cert (the -sslverify option is required for this) x11vnc\n" " will extract a UNIX username from the \"emailAddress\"\n" -" field ([email protected]) of the \"Subject\" in the\n" +" field ([email protected]) of the \"Subject\" of the\n" " x509 SSL cert and then try to switch to that user as\n" " though \"-users +username\" had been supplied. If you\n" " want to limit which users this will be done for, provide\n" " them as a comma separated list after \"sslpeer=\".\n" " Set the env. 
var X11VNC_SSLPEER_CN to use the Common\n" " Name (normally a hostname) instead of the Email field.\n" -" NOTE: the x11vnc administrator must take great care\n" -" that any client certs he adds to -sslverify have the\n" -" correct UNIX username in the \"emailAddress\" field\n" -" of the cert. Otherwise a user may be able to log in\n" -" as another. The following command can be of use in\n" +"\n" +" NOTE: for sslpeer= mode the x11vnc administrator must\n" +" take care that any client certs he adds to -sslverify\n" +" have the intended UNIX username in the \"emailAddress\"\n" +" field of the cert. Otherwise a user may be able to\n" +" log in as another. This command can be of use in\n" " checking: \"openssl x509 -text -in file.crt\", see the\n" " \"Subject:\" line. Also, along with the normal RFB_*\n" " env. vars. (see -accept) passed to external cmd=\n" |
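Review bot: in the first hunk (-1619), the new sentence adding "the ultra and tight filetransfer feature if enabled" to the list of things affected by the userid switch is a security consequence that deserves one explicit statement: after the switch, file transfer runs with that user's permissions, so the user chosen with -users bounds what a connected VNC client can read or write through it. Suggest replacing "and also the ultra and tight filetransfer feature if enabled" with "as well as the ultra and tight filetransfer feature (if enabled), which reads and writes files as the switched-to user".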
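Review bot: in the second hunk (-1630), qualifying the attacker as a "malicious local user" is the right fix, but the rewrapped text still ends on the rhetorical "What happens next?" and leaves the consequence implicit. The surrounding lines already say the x11vnc process may be made to switch to user "fred"; consider stating the outcome directly, e.g. that x11vnc would then run with fred's privileges on a display controlled by barney, so that a reader of the help text does not have to infer it.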
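Review bot: in the third hunk (-1644), the new user.group paragraph describes setgid(2) as the fallback when initgroups(2) fails or is skipped via X11VNC_SINGLE_GROUP=1, but setgid(2) changes only the process GID and leaves the inherited supplementary group list untouched. The help text should say whether x11vnc clears that list (for example with setgroups(2)) in the single-group path; as written, an administrator may assume the switched process holds only the one named group. Two smaller points in the same hunk: "Only if that fails or it is not available then the single group ... is switched to" reads better as "Only if that fails or is not available is the single group ... switched to", and the appended line "Groups can also be specified as described above." follows a sentence that ends without a period after "unixpw=\"".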