From a51702deac8c89308bc5969bed04ccbc4b253202 Mon Sep 17 00:00:00 2001 From: Chuck Zmudzinski Date: Sat, 29 Jul 2023 01:39:01 -0400 Subject: [PATCH] tigervnc: update to 1.13.1, add service directory Also add necessary customizations: - Void-compatible PAM configuration - fallback Xsession wrapper script - define conf_files - README.voidlinux file - patch vncsession.c to prevent it from forking The patch to vncsession.c hopefully will be accepted upstream to fix upstream issue https://github.com/TigerVNC/tigervnc/issues/1649 Signed-off-by: Chuck Zmudzinski --- srcpkgs/tigervnc/files/README.voidlinux | 65 +++++++++++++++ srcpkgs/tigervnc/files/vncserver/conf | 4 + srcpkgs/tigervnc/files/vncserver/run | 5 ++ srcpkgs/tigervnc/files/xsession | 58 +++++++++++++ .../tigervnc/patches/Xsession-fallback.patch | 15 ++++ .../tigervnc/patches/pam-configuration.patch | 19 +++++ .../patches/use-no-fork-vncsession.patch | 10 +++ .../tigervnc/patches/vncsession-no-fork.patch | 82 +++++++++++++++++++ srcpkgs/tigervnc/template | 11 ++- 9 files changed, 267 insertions(+), 2 deletions(-) create mode 100644 srcpkgs/tigervnc/files/README.voidlinux create mode 100644 srcpkgs/tigervnc/files/vncserver/conf create mode 100644 srcpkgs/tigervnc/files/vncserver/run create mode 100644 srcpkgs/tigervnc/files/xsession create mode 100644 srcpkgs/tigervnc/patches/Xsession-fallback.patch create mode 100644 srcpkgs/tigervnc/patches/pam-configuration.patch create mode 100644 srcpkgs/tigervnc/patches/use-no-fork-vncsession.patch create mode 100644 srcpkgs/tigervnc/patches/vncsession-no-fork.patch diff --git a/srcpkgs/tigervnc/files/README.voidlinux b/srcpkgs/tigervnc/files/README.voidlinux new file mode 100644 index 0000000000000..9eb0947ea87e7 --- /dev/null +++ b/srcpkgs/tigervnc/files/README.voidlinux @@ -0,0 +1,65 @@ +The system service /etc/sv/vncserver runs a TigerVNC server on DISPLAY :1 + +A. Quick start + +1. Map a user to display :1 in /etc/tigervnc/vncserver.users +2. Configure session, geometry, security, etc. - see man pages for details +3. Enable the service: $ sudo ln -s /etc/sv/vncserver /var/service +4. To use another display instead of :1, map the user to the alternate display + in /etc/tigervnc/vncserver.users and set DISPLAY to the alternate display + in /etc/sv/vncserver/conf + +B: Running multiple vncserver services + +The administrator can create multiple vncserver services. For example: + +$ sudo mkdir -p /etc/sv/vncserver-2/log +$ sudo cp /etc/sv/vncserver/run /etc/sv/vncserver-2/run +$ sudo cp /etc/sv/vncserver/log/run /etc/sv/vncserver-2/log/run +$ echo DISPLAY=\":2\" > conf.tmp && sudo mv conf.tmp /etc/sv/vncserver-2/conf + +creates a system service named vncserver-2 that runs on display :2. + +C: Enabling services + +For example, to enable two two vncserver services, vncserver and vncserver-2: + +$ sudo ln -s /etc/sv/vncserver /var/service +$ sudo ln -s /etc/sv/vncserver-2 /var/service + +Do not enable a service for a display before that display is mapped +to a user in /etc/tigervnc/vncserver.users. + +D. Security warning + +Upstream warns that vncserver should not be run on an untrusted LAN. Upstream +has some suggestions for securing vncserver on an untrusted network at these links: + +https://github.com/TigerVNC/tigervnc/blob/master/unix/vncserver/vncserver%40.service.in + +https://github.com/TigerVNC/tigervnc/wiki/Secure-your-connection + +E: The Xsession wrapper script + +The upstream TigerVNC server requires a system-wide Xsession wrapper script at +/etc/X11/xinit/Xsession or /etc/X11/Xsession, but not all Void systems have +such a file. + +So the tigervnc package provides a minimal Xsession wrapper script +in /etc/tigervnc/Xsession-fallback. It is only used if neither +/etc/X11/xinit/Xsession nor /etc/X11/Xsession exists. Currently, this +is the Xsession script provided by the lightdm display manager package. + +This way, if there is an Xsession wrapper script where upstream +TigerVNC expects it to be, that script will be used instead of +the minimal wrapper provided by the Void tigervnc package. + +As an alternative to the minimal Xsession wrapper script, one +can use any other suitable Xsession script. For example, do: + +$ sudo ln -s /etc/lxdm/Xsession /etc/X11/xinit/Xsession + +and the TigerVNC server will use the lxdm Xsession script instead. + +The administrator can also write any suitable Xsession script for +custom needs and install it under /etc/X11/xinit or /etc/X11. diff --git a/srcpkgs/tigervnc/files/vncserver/conf b/srcpkgs/tigervnc/files/vncserver/conf new file mode 100644 index 0000000000000..42a4e437a46ec --- /dev/null +++ b/srcpkgs/tigervnc/files/vncserver/conf @@ -0,0 +1,4 @@ +# Set alternate display +# If not set, vncserver will use DISPLAY=":1" +# E.g.: +# DISPLAY=":2" diff --git a/srcpkgs/tigervnc/files/vncserver/run b/srcpkgs/tigervnc/files/vncserver/run new file mode 100644 index 0000000000000..401d31d41af24 --- /dev/null +++ b/srcpkgs/tigervnc/files/vncserver/run @@ -0,0 +1,5 @@ +#!/bin/sh +sv check dbus >/dev/null || exit 1 +exec 2>&1 +[ -r ./conf ] && . ./conf +exec /usr/libexec/vncsession-start "${DISPLAY:-:1}" diff --git a/srcpkgs/tigervnc/files/xsession b/srcpkgs/tigervnc/files/xsession new file mode 100644 index 0000000000000..f61a76b146b06 --- /dev/null +++ b/srcpkgs/tigervnc/files/xsession @@ -0,0 +1,58 @@ +#!/bin/sh +# +# Fallback TigerVNC wrapper to run around X sessions. +# Used on systems that do not have /etc/X11/xinit/Xsession or /etc/X11/Xsession + +echo "Running X session wrapper" + +# Load profile +for file in "/etc/profile" "$HOME/.profile" "/etc/xprofile" "$HOME/.xprofile"; do + if [ -f "$file" ]; then + echo "Loading profile from $file"; + . "$file" + fi +done + +# Load resources +for file in "/etc/X11/Xresources" "$HOME/.Xresources"; do + if [ -f "$file" ]; then + echo "Loading resource: $file" + xrdb -nocpp -merge "$file" + fi +done + +# Load keymaps +for file in "/etc/X11/Xkbmap" "$HOME/.Xkbmap"; do + if [ -f "$file" ]; then + echo "Loading keymap: $file" + setxkbmap `cat "$file"` + XKB_IN_USE=yes + fi +done + +# Load xmodmap if not using XKB +if [ -z "$XKB_IN_USE" ]; then + for file in "/etc/X11/Xmodmap" "$HOME/.Xmodmap"; do + if [ -f "$file" ]; then + echo "Loading modmap: $file" + xmodmap "$file" + fi + done +fi + +unset XKB_IN_USE + +# Run all system xinitrc shell scripts. +xinitdir="/etc/X11/xinit/xinitrc.d" +if [ -d "$xinitdir" ]; then + for script in $xinitdir/*; do + echo "Loading xinit script $script" + if [ -x "$script" -a ! -d "$script" ]; then + . "$script" + fi + done +fi + +echo "X session wrapper complete, running session $@" + +exec $@ diff --git a/srcpkgs/tigervnc/patches/Xsession-fallback.patch b/srcpkgs/tigervnc/patches/Xsession-fallback.patch new file mode 100644 index 0000000000000..0dc837548fe02 --- /dev/null +++ b/srcpkgs/tigervnc/patches/Xsession-fallback.patch @@ -0,0 +1,15 @@ +Some Void systems, inluding an installation from the live image, do not have an +Xsession script where upstream expects it to be, so use the fallback Xsession +script provided by the Void tigervnc package. + +--- a/unix/vncserver/vncserver.in 2023-02-28 10:11:20.000000000 -0500 ++++ b/unix/vncserver/vncserver.in 2023-07-30 17:55:47.604000000 -0400 +@@ -439,7 +439,7 @@ + die "$prog: couldn't find \"$cmd\" on your PATH.\n"; + } + +- foreach $cmd ("/etc/X11/xinit/Xsession", "/etc/X11/Xsession") { ++ foreach $cmd ("/etc/X11/xinit/Xsession", "/etc/X11/Xsession", "/etc/tigervnc/Xsession-fallback") { + if (-x "$cmd") { + $Xsession = $cmd; + last; diff --git a/srcpkgs/tigervnc/patches/pam-configuration.patch b/srcpkgs/tigervnc/patches/pam-configuration.patch new file mode 100644 index 0000000000000..42046c49860fc --- /dev/null +++ b/srcpkgs/tigervnc/patches/pam-configuration.patch @@ -0,0 +1,19 @@ +Void requires some tweaks to the default upstream PAM configuration. + +--- a/unix/vncserver/tigervnc.pam 2023-02-28 10:11:20.000000000 -0500 ++++ b/unix/vncserver/tigervnc.pam 2023-07-30 17:54:21.281000000 -0400 +@@ -1,11 +1,11 @@ + #%PAM-1.0 + # pam_selinux.so close should be the first session rule +--session required pam_selinux.so close ++-session optional pam_selinux.so close + session required pam_loginuid.so +--session required pam_selinux.so open ++-session optional pam_selinux.so open + session required pam_namespace.so + session optional pam_keyinit.so force revoke + session required pam_limits.so +--session optional pam_systemd.so ++-session optional pam_elogind.so + session required pam_unix.so + -session optional pam_reauthorize.so prepare diff --git a/srcpkgs/tigervnc/patches/use-no-fork-vncsession.patch b/srcpkgs/tigervnc/patches/use-no-fork-vncsession.patch new file mode 100644 index 0000000000000..fcdd5cf59cfb5 --- /dev/null +++ b/srcpkgs/tigervnc/patches/use-no-fork-vncsession.patch @@ -0,0 +1,10 @@ +On Void, use the non-forking option -D when starting vncsession + +--- a/unix/vncserver/vncsession-start.in 2023-02-28 10:11:20.000000000 -0500 ++++ b/unix/vncserver/vncsession-start.in 2023-07-30 17:53:09.330000000 -0400 +@@ -40,4 +40,4 @@ + exit 1 + fi + +-exec "@CMAKE_INSTALL_FULL_SBINDIR@/vncsession" "${USER}" "${DISPLAY}" ++exec "@CMAKE_INSTALL_FULL_SBINDIR@/vncsession" -D "${USER}" "${DISPLAY}" diff --git a/srcpkgs/tigervnc/patches/vncsession-no-fork.patch b/srcpkgs/tigervnc/patches/vncsession-no-fork.patch new file mode 100644 index 0000000000000..d54c4b24ed70e --- /dev/null +++ b/srcpkgs/tigervnc/patches/vncsession-no-fork.patch @@ -0,0 +1,82 @@ +Add option to run as a non-forking daemon + +See upstream issue: https://github.com/TigerVNC/tigervnc/issues/1649 + +--- a/unix/vncserver/vncsession.c 2021-11-09 02:51:28.000000000 -0500 ++++ b/unix/vncserver/vncsession.c 2023-07-27 17:43:26.711000000 -0400 +@@ -506,14 +506,23 @@ + + const char *username, *display; + +- if ((argc != 3) || (argv[2][0] != ':')) { ++ int forking = 1; ++ if (argc == 4) { ++ if ((getopt(argc, argv, "D") == 'D') && (argv[3][0] == ':')) ++ forking = 0; ++ else { ++ fprintf(stderr, "Syntax:\n"); ++ fprintf(stderr, " %s [-D] \n", argv[0]); ++ return EX_USAGE; ++ } ++ } else if ((argc != 3) || (argv[2][0] != ':')) { + fprintf(stderr, "Syntax:\n"); +- fprintf(stderr, " %s \n", argv[0]); ++ fprintf(stderr, " %s [-D] \n", argv[0]); + return EX_USAGE; + } + +- username = argv[1]; +- display = argv[2]; ++ username = argv[argc - 2]; ++ display = argv[argc - 1]; + + if (geteuid() != 0) { + fprintf(stderr, "This program needs to be run as root!\n"); +@@ -529,8 +538,10 @@ + return EX_OSERR; + } + +- if (begin_daemon() == -1) +- return EX_OSERR; ++ if (forking) { ++ if (begin_daemon() == -1) ++ return EX_OSERR; ++ } + + openlog("vncsession", LOG_PID, LOG_AUTH); + +@@ -581,7 +592,8 @@ + fclose(f); + } + +- finish_daemon(); ++ if (forking) ++ finish_daemon(); + + while (1) { + int status; +--- a/unix/vncserver/vncsession.man.in 2023-07-27 22:03:56.095000000 -0400 ++++ b/unix/vncserver/vncsession.man.in 2023-07-27 22:11:53.605000000 -0400 +@@ -3,6 +3,7 @@ + vncsession \- start a VNC server + .SH SYNOPSIS + .B vncsession ++.RI [-D] + .RI < username > + .RI <: display# > + .SH DESCRIPTION +@@ -16,6 +17,14 @@ + is rarely called directly and is normally started by the system service + manager. + ++.SH -D OPTION ++.B vncsession ++by default forks and detaches so it normally is a systemd Type=forking service. ++If the -D option is used, it does not fork and detach. This option is provided ++for use with other types of systemd services such as Type=simple and Type=exec ++and for use with non-systemd system service managers that are not compatible ++with Type=forking services. ++ + .SH FILES + Several VNC-related files are found in the directory $HOME/.vnc: + .TP diff --git a/srcpkgs/tigervnc/template b/srcpkgs/tigervnc/template index a4eb2bab648f1..3f873b5a8f277 100644 --- a/srcpkgs/tigervnc/template +++ b/srcpkgs/tigervnc/template @@ -1,6 +1,6 @@ # Template file for 'tigervnc' pkgname=tigervnc -version=1.12.0 +version=1.13.1 revision=1 _xorg_version=1.20.0 create_wrksrc=yes @@ -16,10 +16,14 @@ license="GPL-2.0-or-later" homepage="https://www.tigervnc.org" distfiles="https://github.com/TigerVNC/tigervnc/archive/v${version}.tar.gz ${XORG_SITE}/xserver/xorg-server-${_xorg_version}.tar.bz2" -checksum="9ff3f3948f2a4e8cc06ee598ee4b1096beb62094c13e0b1462bff78587bed789 +checksum="b7c5b8ed9e4e2c2f48c7b2c9f21927db345e542243b4be88e066b2daa3d1ae25 9d967d185f05709274ee0c4f861a4672463986e550ca05725ce27974f550d3e6" conflicts="turbovnc>=0" skip_extraction="xorg-server-${_xorg_version}.tar.gz" +conf_files=" + /etc/tigervnc/vncserver-config-defaults + /etc/tigervnc/vncserver-config-mandatory + /etc/tigervnc/vncserver.users" post_extract() { mv tigervnc-${version}/* . @@ -58,6 +62,9 @@ post_build() { } post_install() { + vinstall ${FILESDIR}/xsession 755 etc/tigervnc Xsession-fallback + vsv vncserver + vdoc "${FILESDIR}/README.voidlinux" cd ${wrksrc}/unix/xserver/hw/vnc make TIGERVNC_BUILDDIR=${wrksrc}/build DESTDIR=${DESTDIR} install }