summaryrefslogtreecommitdiffstats
path: root/x11vnc/x11vnc.1
diff options
context:
space:
mode:
Diffstat (limited to 'x11vnc/x11vnc.1')
-rw-r--r--x11vnc/x11vnc.148
1 files changed, 35 insertions, 13 deletions
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1
index 99305a7..462a9a7 100644
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
.TH X11VNC "1" "May 2007" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
- version: 0.9.1, lastmod: 2007-05-03
+ version: 0.9.1, lastmod: 2007-05-05
.SH SYNOPSIS
.B x11vnc
[OPTION]...
@@ -1842,9 +1842,10 @@ must be run as the user owning the desktop session.
Since this option switches userid it also affects the
userid used to run the processes for the \fB-accept\fR and
\fB-gone\fR options. It also affects the ability to read
-files for options such as \fB-connect,\fR \fB-allow,\fR and \fB-remap.\fR
-Note that the \fB-connect\fR file is also sometimes written
-to.
+files for options such as \fB-connect,\fR \fB-allow,\fR and \fB-remap\fR
+and also the ultra and tight filetransfer feature if
+enabled. Note that the \fB-connect\fR file is also sometimes
+written to.
.IP
So be careful with this option since in some situations
its use can decrease security.
@@ -1853,9 +1854,10 @@ In general the switch to a user will only take place
if the display can still be successfully opened as that
user (this is primarily to try to guess the actual owner
of the session). Example: "\fB-users\fR \fIfred,wilma,betty\fR".
-Note that a malicious user "barney" by quickly using
-"xhost +" when logging in may possibly get the x11vnc
-process to switch to user "fred". What happens next?
+Note that a malicious local user "barney" by
+quickly using "xhost +" when logging in may possibly
+get the x11vnc process to switch to user "fred".
+What happens next?
.IP
Under display managers it may be a long time before
the switch succeeds (i.e. a user logs in). To instead
@@ -1867,29 +1869,49 @@ The latter (i.e. switching immediately to user
"nobody") is probably the only use of this option
that increases security.
.IP
+Use the following notation to associate a group with
+a user: user1.group1,user2.group2,... Note that
+.IR initgroups (2)
+will still be called first to try to
+switch to ALL of a user's groups (primary and additional
+groups). Only if that fails or it is not available
+then the single group specified as above (or the user's
+primary group if not specified) is switched to with
+.IR setgid (2).
+Use \fB-env\fR X11VNC_SINGLE_GROUP=1 to prevent
+trying
+.IR initgroups (2)
+and only switch to the single
+group. This sort of setting is only really needed to
+make the ultra or tight filetransfer permissions work
+properly. This format applies to any comma separated list
+of users, even the special "=" modes described below.
+.IP
In \fB-unixpw\fR mode, if "\fB-users\fR \fIunixpw=\fR" is supplied
then after a user authenticates himself via the
\fB-unixpw\fR mechanism, x11vnc will try to switch to that
user as though "\fB-users\fR \fI+username\fR" had been supplied.
If you want to limit which users this will be done for,
provide them as a comma separated list after "unixpw="
+Groups can also be specified as described above.
.IP
Similarly, in \fB-ssl\fR mode, if "\fB-users\fR \fIsslpeer=\fR" is
supplied then after an SSL client authenticates with his
cert (the \fB-sslverify\fR option is required for this) x11vnc
will extract a UNIX username from the "emailAddress"
-field ([email protected]) of the "Subject" in the
+field ([email protected]) of the "Subject" of the
x509 SSL cert and then try to switch to that user as
though "\fB-users\fR \fI+username\fR" had been supplied. If you
want to limit which users this will be done for, provide
them as a comma separated list after "sslpeer=".
Set the env. var X11VNC_SSLPEER_CN to use the Common
Name (normally a hostname) instead of the Email field.
-NOTE: the x11vnc administrator must take great care
-that any client certs he adds to \fB-sslverify\fR have the
-correct UNIX username in the "emailAddress" field
-of the cert. Otherwise a user may be able to log in
-as another. The following command can be of use in
+.IP
+NOTE: for sslpeer= mode the x11vnc administrator must
+take care that any client certs he adds to \fB-sslverify\fR
+have the intended UNIX username in the "emailAddress"
+field of the cert. Otherwise a user may be able to
+log in as another. This command can be of use in
checking: "openssl x509 \fB-text\fR \fB-in\fR file.crt", see the
"Subject:" line. Also, along with the normal RFB_*
env. vars. (see \fB-accept)\fR passed to external cmd=