Xvnc configuration for SuSE 9.2
Hello!

I was having trouble getting a vnc connection to my SuSE v9.2 box, and ultimately resolved the problem by modifying the xinetd configuration file in /etc/xinetd.d/vnc to specify that the xvnc server execute as user=root instead of the original distro specification of user=nobody. It seems to me that regardless of which window manager is forked from xvnc, it would need root privilege -- I can't see how the originally shipped configuration file would work.

Given that I would like to use VNC, is this a reasonable configuration from a security perspective? Is there a preferred configuration?

Thanks!
Hannes.
R Hannes Beinert wrote:
> Hello!
Hello
> I was having trouble getting a vnc connection to my SuSE v9.2 box, and ultimately resolved the problem by modifying the xinetd configuration file in /etc/xinetd.d/vnc to specify that the xvnc server execute as user=root instead of the original distro specification of user=nobody. It seems to me that regardless of which window manager is forked from xvnc, it would need root privilege -- I can't see how the originally shipped configuration file would work.
> Given that I would like to use VNC, is this a reasonable configuration from a security perspective? Is there a preferred configuration?
I use VNC on several boxes (8.2, 9.2, 9.3), all without changing to root. One thing I remember: I never got it to work without a reboot (yep, I know that's Windows-style *brr*). I only changed the configuration in /etc/xinetd.d/vnc (for display resolution things), then did an insserv xinetd (to install xinetd in the runlevels) and rebooted. All my experiments without rebooting, restarting xinetd and kdm and so on instead, didn't work. (I could connect to the machine via vnc but never got the kdm :-( ) But with a reboot of the machine I could connect to kdm via vnc. (I never bothered about it, because I configure vnc directly after installing, so a reboot isn't a problem at that time.)

As for security, I don't know about any problem in vnc at this time, but running server apps as root is never good.
> Thanks!
> Hannes.
-- Best regards, Guido Tschakert
Hello, Guido!

--- Guido Tschakert <guido.tschakert@src-gmbh.de> wrote:
> R Hannes Beinert wrote:
> > I was having trouble getting a vnc connection to my SuSE v9.2 box, and ultimately resolved the problem by modifying the xinetd configuration file in /etc/xinetd.d/vnc to specify that the xvnc server execute as user=root instead of the original distro specification of user=nobody.
> I use VNC on several boxes (8.2, 9.2, 9.3), all without changing to root. One thing I remember: I never got it to work without a reboot (yep, I know that's Windows-style *brr*). I only changed the configuration in /etc/xinetd.d/vnc (for display resolution things), then did an insserv xinetd (to install xinetd in the runlevels) and rebooted. All my experiments without rebooting, restarting xinetd and kdm and so on instead, didn't work. (I could connect to the machine via vnc but never got the kdm :-(
I confess that I'm now *really* puzzled. After having read your comments, I reverted my configuration back to the original user=nobody, and restarted xinetd ("rcxinetd restart"). I'm reasonably sure that the configuration change successfully propagated; however, vnc has continued to work normally. I even rebooted to verify that this configuration would continue to work after a reboot, and it has.

I believe that this was the same configuration that did *not* work when I initially tried to configure vnc. When I originally configured vnc, I merely enabled the xinetd/vnc service but otherwise left the /etc/xinetd.d/vnc file as-is. The problem I was having was that the vnc port would open and allow connections; however, I would never get kdm -- all I would see is a blank X11 window. It was only upon changing to user=root that kdm would start. I did not pay any attention to whether (or if) I rebooted the system while I was trying to get vnc to work, however, since I had always assumed that I was restarting all of the affected servers.
> As for security, I don't know about any problem in vnc at this time, but running server apps as root is never good.
I completely agree, which is what made me nervous about having changed the configuration as I described.

Thank you very much for your comments, and for taking the time to reply! Many thanks!

Hannes.
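Added example (not part of the original thread): a small Python check that parses xinetd service files such as /etc/xinetd.d/vnc and lists the enabled services that would run as root, the setting discussed above. The sample stanzas, the service names and /path/to/Xvnc are constructed; treating a missing user line as root assumes xinetd itself runs as root.

```python
import re

# Constructed sample in xinetd service-file syntax; names and paths are made up.
SAMPLE = """\
service vnc1
{
    user   = root
    server = /path/to/Xvnc
}
service vnc2
{
    user   = nobody
}
service vnc3
{
    disable = yes
    user    = root
}
service vnc4
{
    server = /path/to/Xvnc
}
"""

ATTR = re.compile(r"^(\w+)\s*[+-]?=\s*(.*)$")  # attr = value, also += and -=

def parse_services(text):
    """Return {service_name: {attribute: value}} for every service block."""
    services, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "{":
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1]
            services[name] = {}
        elif line == "}":
            name = None
        elif name and (m := ATTR.match(line)):
            services[name][m.group(1).lower()] = m.group(2).strip()
    return services

def enabled_root_services(text):
    """Enabled services running as root (no 'user' line: assumed root)."""
    return sorted(n for n, a in parse_services(text).items()
                  if a.get("disable", "no").lower() != "yes"
                  and a.get("user", "root") in ("root", "0"))

if __name__ == "__main__":
    print(enabled_root_services(SAMPLE))  # ['vnc1', 'vnc4']
```

To audit a real host, pass the text of each file under /etc/xinetd.d/ to `enabled_root_services` instead of `SAMPLE`.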