Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 746227 - net-misc/tigervnc-1.11.0-r2[server] different calling conventions for vncserver startup
Summary: net-misc/tigervnc-1.11.0-r2[server] different calling conventions for vncserv...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal with 4 votes (vote)
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: PATCH, PMASKED, PullRequest
Depends on: 301051
Blocks: CVE-2019-15691, CVE-2019-15692, CVE-2019-15694, CVE-2019-15695, CVE-2020-26117
  Show dependency tree
 
Reported: 2020-10-03 11:15 UTC by Paul Osmialowski
Modified: 2022-03-20 03:49 UTC (History)
16 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build logs, as requested (tigervnc.log.tar.gz,78.06 KB, application/octet-stream)
2020-10-03 15:46 UTC, Paul Osmialowski
Details
Bypass Xsession script from vncserver perl script (tigervnc-1.11.0-gentoo-customizations.patch,1.28 KB, patch)
2020-12-04 01:19 UTC, Roberto Castagnola
Details | Diff
use vncsession to start the server (tigervnc_files.patch,1.90 KB, patch)
2020-12-04 01:25 UTC, Roberto Castagnola
Details | Diff
New ebuild (tigervnc-1.12.0-r3.ebuild,4.47 KB, text/plain)
2022-02-15 19:35 UTC, Norman Back
Details
Patch (tigervnc-1.12.0-remove-selinux.patch,490 bytes, patch)
2022-02-15 19:36 UTC, Norman Back
Details | Diff
Patch (tigervnc-1.12.0-vncsession.c.patch,1.72 KB, patch)
2022-02-15 19:37 UTC, Norman Back
Details | Diff
Patch (tigervnc-1.12.0-vncserver.in.patch,1.62 KB, patch)
2022-02-15 19:37 UTC, Norman Back
Details | Diff
Config (tigervnc.confd.1.12,337 bytes, text/plain)
2022-02-15 19:38 UTC, Norman Back
Details
init (tigervnc.initd.1.12,1.83 KB, text/plain)
2022-02-15 19:39 UTC, Norman Back
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Osmialowski 2020-10-03 11:15:47 UTC
After updating net-misc/tigervnc to version 1.11.0-r1 I can't start vncserver anymore. Turned out, vncserver binary was not build.

Downgrade to version 1.9.0-r1 helped.



Reproducible: Always




The last thing I need on remote machine with restricted access is a broken VNC server...

Portage 3.0.4 (python 3.7.9-final-0, default/linux/arm64/17.0/desktop, gcc-9.3.0, glibc-2.31-r6, 4.4.38-tegra aarch64)
=================================================================
System uname: Linux-4.4.38-tegra-aarch64-with-gentoo-2.7
KiB Mem:     8039124 total,   4352824 free
KiB Swap:    4194300 total,   4183224 free
Timestamp of repository gentoo: Sat, 03 Oct 2020 09:30:01 +0000
Head commit of repository gentoo: da727d207e20951b7817e5df492452f5ce1ebb16
sh bash 5.0_p18
ld GNU ld (Gentoo 2.34 p6) 2.34.0
app-shells/bash:          5.0_p18::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          2.7.18-r2::gentoo, 3.6.12::gentoo, 3.7.9::gentoo, 3.8.5::gentoo
dev-util/cmake:           3.18.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.15.1-r2::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.34-r2::gentoo
sys-devel/gcc:            9.3.0-r1::gentoo
sys-devel/gcc-config:     2.3.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: -4
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1

jetson
    location: /usr/local/portage/overlay
    masters: gentoo
    priority: 0

armhpc
    location: /home/pawelo/portage/armhpc-gentoo-repo.git
    masters: gentoo
    priority: 1

fuverlay
    location: /var/lib/layman/fuverlay
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="arm64"
ACCEPT_LICENSE="*"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-O2 -pipe -march=native -mcpu=cortex-a57 -mtune=cortex-a57"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.6/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=native -mcpu=cortex-a57 -mtune=cortex-a57"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1 -l1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-4"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="7zip X Xaw3d a52 aac aalib acl acpi adplug alsa amrenc anacron ao arm64 aspell audiofile bat berkdb bluetooth bonjour boost branding bzip2 c++11 cacert cairo canberra caps cdda cddb cdparanoia cdr chromaprint cli conntrack contrib cookie_check corefonts crypt cscope cups curl cxx dbus declarative detex djvu dri dri3 dts dv dvdr dvi2tty egl elfutils elogind emboss encode equalizer evdev exif expat extras faac faad ffmpeg fft fftw flac fontconfig fontforge fonts fortran fpx frei0r ftp games gcr gdbm gdk-pixbuf gif gimp glamor glib gme gmp gmplayer gold gopher graphviz gsettings gsl gsm gssapi gstaudio gstreamer gstvideo gtk gtk2 gtk3 gui guile haptic hdf5 heif heterogeneous highlight hires-icons hotkeys http hwloc iconv icu imagemagick int64 iproute2 ipv4 isabelle jadetex java javascript jbig jemalloc jms joystick jpeg jpeg2k json kdrive kpathsea lame lapack lapacke large-stack largepages latex latex3 lcms ldap ldap-sasl ldapdb lensfun libatomic libcanberra libdrm libffi libglvnd libmpeg2 libnotify libsamplerate libsoxr libtirpc libudev lldb lmdb log4j lqr lua luajitex luatex lvm lvm1 lz4 lzma lzo mad md5sum mdnsresponder-compat melt metis minizip mng mp3 mp3rtp mp4 mpeg mpfi mpfr mplayer multimedia ncurses netcdf nls nptl ntl numa ocr offensive ogg ogm ompt openal opencv opendx openexr opengl openh264 openldap openmp openpgp openssl opus osmesa pam pango paraview pcre pdf perl pgm phonon physfs pie plugins png pnm policykit postproc postscript ppds preview-latex previewer ptex pulseaudio python qml qt5 rar raw readline rle romio rustfmt sasl scp seccomp secure-delete sendto serialport servletapi sha2 sixel slang smp smpeg sndfile sound source-highlight sox soxr speex spell split-usr sqlite ssh ssl standalone startup-notification subunit suggested svg system-llvm szip tahoma tcl tcpd telnet tex4ht texi2html texteffect theora tiff tk toolame tools traceroute6 tre tremor truetype twm twolame udev udisks udisks2 umfpack unicode unwind upower usb utils v4l v4l2 vector-icons vidstab vnc vorbis wad wavpack wayland webkit webp widgets wmf woff2 wxwidgets x11extras x264 x265 xattr xcb xephyr xetex xft xinetd xml xmlpatterns xmp xnest xpm xv xvfb xvid yaml yuv4mpeg z3 zeroconf zeromq zimg zlib zstd" ADA_TARGET="gnat_2018" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp thumb vfp vfpv3 vfpv4 vfp-d32 aes sha1 sha2 crc32 v4 v5 v6 v7 v8 thumb2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="pl" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2 php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python2_7 python3_7" RUBY_TARGETS="ruby25" USERLAND="GNU" VIDEO_CARDS="tegra fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Jonas Stein gentoo-dev 2020-10-03 14:03:43 UTC
Thank you for the report. We need to have all information at hand before ticket assignment. That is why I ask you to 
* attach the logs
as described on https://wiki.gentoo.org/wiki/Attach_the_logs_to_the_bug_ticket
Please reopen this ticket (Status:UNCONFIRMED) afterwards.
Comment 2 Paul Osmialowski 2020-10-03 15:26:16 UTC
I need your help here. Please instruct me how can I obtain a log from a build that does not fail.
Comment 3 Paul Osmialowski 2020-10-03 15:46:32 UTC
Created attachment 663613 [details]
Build logs, as requested

Ok, I've managed to preserve build logs for both versions (with and without bin/vncserver built).
Comment 4 Ulrich Müller gentoo-dev 2020-10-03 17:19:39 UTC
The vncserver binary is being built, but its install location has changed from /usr/bin to /usr/libexec.

Looks like the intention is that it should be started through an additional wrapper named vncsession.
Comment 5 Ulrich Müller gentoo-dev 2020-10-03 17:41:04 UTC
(In reply to Ulrich Müller from comment #4)
> [...] vncserver binary [...]

It is a Perl script, in fact.
Comment 6 Paul Osmialowski 2020-10-03 19:42:25 UTC
Thanks for your analysis.

The trouble is, this is not-systemd host, hence /etc/init.d/tigervnc script must be uptated, it still refers to vncserver executable.
Comment 7 Ulrich Müller gentoo-dev 2020-10-04 07:11:25 UTC
(In reply to Paul Osmialowski from comment #6)
> The trouble is, this is not-systemd host, hence /etc/init.d/tigervnc script
> must be uptated, it still refers to vncserver executable.

Yes, I am aware. Simply replacing vncserver by vncsession in the init script won't work though, because vncsession has different arguments. I also must be run as root (while vncserver had to be started under the user's account) because it switches to the user itself. All in all I think the init script will become much simpler because the "su" logic can be dropped.

However, I am not the maintainer, and I don't use tigervnc as a server. So I am not the right person to test this.

I wonder, should we package mask 1.11.0 until this issue will be fixed?
Comment 8 Ulrich Müller gentoo-dev 2020-10-04 07:17:08 UTC
@jer: Any comment? You have bumped the package to 1.11.0.
Comment 9 Larry the Git Cow gentoo-dev 2020-10-04 07:25:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb78937c6177d52ebf8628eb1cf85a6e6e28b74

commit ceb78937c6177d52ebf8628eb1cf85a6e6e28b74
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-10-04 07:24:05 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-10-04 07:24:05 +0000

    profiles: Package mask >=net-misc/tigervnc-1.11.0, bug 746227.
    
    Bug: https://bugs.gentoo.org/746227
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 10 Joakim Tjernlund 2020-10-11 17:32:17 UTC
This needs to be resolved, currently users are forced to downgrade to 1.9.0 which is unsecure
Comment 11 Joakim Tjernlund 2020-10-13 10:42:11 UTC
(In reply to Ulrich Müller from comment #8)
> @jer: Any comment? You have bumped the package to 1.11.0.

@ulm, mind just masking the server USE flag instead of the whole pkg?
Comment 12 Ulrich Müller gentoo-dev 2020-10-13 13:07:39 UTC
(In reply to Joakim Tjernlund from comment #11)
> @ulm, mind just masking the server USE flag instead of the whole pkg?

Then users would get the new version but with server disabled, potentially locking them out of their system. I think that's not an option.


(In reply to Joakim Tjernlund from comment #10)
> This needs to be resolved, currently users are forced to downgrade to 1.9.0
> which is unsecure

Is that vulnerability in the client or server code?
Comment 13 Joakim Tjernlund 2020-10-13 13:10:38 UTC
(In reply to Ulrich Müller from comment #12)
> (In reply to Joakim Tjernlund from comment #11)
> > @ulm, mind just masking the server USE flag instead of the whole pkg?
> 
> Then users would get the new version but with server disabled, potentially
> locking them out of their system. I think that's not an option.
> 
> 
> (In reply to Joakim Tjernlund from comment #10)
> > This needs to be resolved, currently users are forced to downgrade to 1.9.0
> > which is unsecure
> 
> Is that vulnerability in the client or server code?

version 1.10.1 says:

This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side.

No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible.
Comment 14 Ulrich Müller gentoo-dev 2020-10-13 13:39:31 UTC
Hm, copying tigervnc-1.9.0-r1.ebuild to tigervnc-1.10.1.ebuild would be a quick workaround. I had to remove ${PN}-1.9.0-030_manpages.patch from PATCHES, otherwise it builds and installs just fine.

@Joakim Tjernlund: Would that be feasible as a stop-gap measure, until we get a real fix for 1.11? Could you test if 1.10.1 works at runtime?
Comment 15 Joakim Tjernlund 2020-10-13 15:32:22 UTC
(In reply to Ulrich Müller from comment #14)
> Hm, copying tigervnc-1.9.0-r1.ebuild to tigervnc-1.10.1.ebuild would be a
> quick workaround. I had to remove ${PN}-1.9.0-030_manpages.patch from
> PATCHES, otherwise it builds and installs just fine.
> 
> @Joakim Tjernlund: Would that be feasible as a stop-gap measure, until we
> get a real fix for 1.11? Could you test if 1.10.1 works at runtime?

Not really as I don't us the server/client at all, just the xorg module
Comment 16 Roberto Castagnola 2020-12-04 01:19:57 UTC
Created attachment 676600 [details, diff]
Bypass Xsession script from vncserver perl script

Starting from version 1.11 the xstartup script is no more used and the windows manager is selected between /usr/share/xsessions/*.desktop files (it can be forced with property "session" in the configuration file, ex. session=plasma).
Looking how it works on fedora, the server is then started with a command like:
  xinit /etc/X11/xinit/Xsession /usr/bin/startplasma-x11 -- /usr/bin/Xvnc :1 ...
but gentoo script Xsession (/etc/X11/Sessions/Xsession) does not take care of additional argument (except when it is "failsafe"), so it is not suitable to be used in this way.
With this patch the vncserver script will use directly the command found into *.desktop file, hoping that it works for any possible .desktop file that can be found there (I have tested it only with plasma)
Comment 17 Roberto Castagnola 2020-12-04 01:25:27 UTC
Created attachment 676603 [details, diff]
use vncsession to start the server

The patch will modify the init script to use the new tool vncsession to start the service.
When the service is stopped, the command started with xinit (in my test /usr/bin/startplasma-x11) is still running, but it was the same with the old version (1.9.0)
Comment 18 Roberto Castagnola 2020-12-04 01:28:27 UTC
As per the changelog:
  Support for building Xvnc/libvnc.so with Xorg 1.20.7+ and deprecate support for Xorg older than 1.16

the xorg-server version can be updated
Comment 19 Ulrich Müller gentoo-dev 2020-12-04 12:27:13 UTC
Thank you for the patches. We would need a copyright signoff for them:
https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin

(In reply to Roberto Castagnola from comment #16)
> Created attachment 676600 [details, diff] [details, diff]
> Bypass Xsession script from vncserver perl script

> --- a/unix/vncserver/tigervnc.pam	2020-09-08 14:16:08.000000000 +0200
> +++ b/unix/vncserver/tigervnc.pam	2020-12-03 21:28:34.100507590 +0100
> @@ -1,8 +1,8 @@
>  #%PAM-1.0
>  # pam_selinux.so close should be the first session rule
> --session   required     pam_selinux.so close
> +-session   optional     pam_selinux.so close
>  session    required     pam_loginuid.so
> --session   required     pam_selinux.so open
> +-session   optional     pam_selinux.so open

What is the purpose of the two changes from "required" to "optional"?
Comment 20 Roberto Castagnola 2020-12-04 13:57:42 UTC
(In reply to Ulrich Müller from comment #19)
> Thank you for the patches. We would need a copyright signoff for them:
> https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin
> 
> (In reply to Roberto Castagnola from comment #16)
> > Created attachment 676600 [details, diff] [details, diff] [details, diff]
> > Bypass Xsession script from vncserver perl script
> 
> > --- a/unix/vncserver/tigervnc.pam	2020-09-08 14:16:08.000000000 +0200
> > +++ b/unix/vncserver/tigervnc.pam	2020-12-03 21:28:34.100507590 +0100
> > @@ -1,8 +1,8 @@
> >  #%PAM-1.0
> >  # pam_selinux.so close should be the first session rule
> > --session   required     pam_selinux.so close
> > +-session   optional     pam_selinux.so close
> >  session    required     pam_loginuid.so
> > --session   required     pam_selinux.so open
> > +-session   optional     pam_selinux.so open
> 
> What is the purpose of the two changes from "required" to "optional"?

It avoids vncsession to fail if selinux is not installed.
Comment 21 Roberto Castagnola 2020-12-04 14:48:30 UTC
(In reply to Ulrich Müller from comment #19)
> Thank you for the patches. We would need a copyright signoff for them:
> https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin

Sorry but the link refers to commits, so I cannot figure how it should be applied to an attached proposed patch; could you give me an hint?
Comment 22 Ulrich Müller gentoo-dev 2020-12-04 17:51:24 UTC
(In reply to Roberto Castagnola from comment #20)
> > > --session   required     pam_selinux.so open
> > > +-session   optional     pam_selinux.so open
> > 
> > What is the purpose of the two changes from "required" to "optional"?
> 
> It avoids vncsession to fail if selinux is not installed.

IIUC that's what the minus sign at the beginning of the line is for. But I've asked our PAM expert in IRC; waiting for an answer here.


(In reply to Roberto Castagnola from comment #21)
> (In reply to Ulrich Müller from comment #19)
> > Thank you for the patches. We would need a copyright signoff for them:
> > https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin
> 
> Sorry but the link refers to commits, so I cannot figure how it should be
> applied to an attached proposed patch; could you give me an hint?

You can simply post the Signed-off-by line as a comment to this bug.
Comment 23 Jason Zaman gentoo-dev 2020-12-04 18:27:23 UTC
Looks like a few of these things come from redhat where SELinux is always enabled, we have SELinux optional in gentoo and the policies are handled quite differently.

The gentoo policies dont have anything for vncserver so tigervnc should not be built with any selinux stuff.

pam_selinux is definitely required to login on an selinux-enforcing system so the line should either be "required" or completely not there. pambase handles this in /etc/pam.d/system-login.

The best course of action for this package would be to use pamd_mimic from pam.eclass to include system-remote-login which includes system-login.

dropbear has this line:
pamd_mimic system-remote-login dropbear auth account password session

I don't know if tigervnc should have all or only session, but probably all wont hurt
Comment 24 Roberto Castagnola 2020-12-04 19:30:36 UTC
(In reply to Ulrich Müller from comment #22)
> You can simply post the Signed-off-by line as a comment to this bug.

Signed-off-by: Roberto Castagnola <roberto.castagnola@gmail.com>
Comment 25 Roberto Castagnola 2020-12-04 20:38:57 UTC
(In reply to Jason Zaman from comment #23)
> Looks like a few of these things come from redhat where SELinux is always
> enabled, we have SELinux optional in gentoo and the policies are handled
> quite differently.
> 
> The gentoo policies dont have anything for vncserver so tigervnc should not
> be built with any selinux stuff.
> 
> pam_selinux is definitely required to login on an selinux-enforcing system
> so the line should either be "required" or completely not there.

Maybe the selinux use flag can be added to manage this: if not enabled, lines with pam_selinux could be removed by ebuild, otherwise they can be kept as is. In the latter case selinux policies should be created for tigervnc as well.
I know almost nothing of selinux policies, but I can find them in the source code (tigervnc-1.11.0/unix/vncserver/selinux/), so maybe they can be used for gentoo system as well.
Comment 26 Roberto Castagnola 2020-12-07 17:33:57 UTC
I looked on Xsession script provided by few display manager (xdm, sddm, ...) and I have come to the conclusion that it is better to patch Xsession script provided by xinit package instead of bypass it.
A bug was already opened in the past for it (bug #301051)
Comment 27 justwhiskey 2021-11-04 18:25:54 UTC
Solved as a temporary workaround for my headless vnc configuration by copying /usr/bin/vncserver script from version 1.9.0-r2. I didn't change anything else. I think it's not a solution, but as a temporary workaround in case if somebody needs new version.
Comment 28 Alexander Wessel 2021-12-07 22:18:29 UTC
Is there any need to still mask 1.11.0 with the patch applied? Do we know the correct PAM configuration now?

Currently this blocks upgrades of org-server:

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

x11-base/xorg-server:0

  (x11-base/xorg-server-21.1.1-r2:0/21.1.1::gentoo, ebuild scheduled for merge) USE="elogind udev xorg xvfb -debug -doc -minimal (-selinux) -suid -systemd -test -unwind -xcsecurity -xephyr -xnest" ABI_X86="(64)" conflicts with
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-joystick-1.6.3:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-wacom-0.40.0:0/0::gentoo, installed) USE="-debug" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-video-intel-2.99.917_p20201215:0/0::gentoo, installed) USE="dri sna tools udev uxa xvmc -debug" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-libinput-1.2.0:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-void-1.4.1:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-evdev-2.10.6:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    =x11-base/xorg-server-1.20* required by (net-misc/tigervnc-1.9.0-r2:0/0::gentoo, installed) USE="dri3 drm java nls opengl pam server xinerama xorgmodule -gnutls" ABI_X86="(64)"
    ^                     ^^^^^

What's still needed here, actually? Sorry if I missed anything...

Cheers,
Alexander
Comment 29 Larry the Git Cow gentoo-dev 2021-12-07 23:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dc0ec55803692786e6538bca4a12b0102e775f3

commit 9dc0ec55803692786e6538bca4a12b0102e775f3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-07 23:16:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-07 23:16:42 +0000

    net-misc/tigervnc: add 1.12.0 (still masked)
    
    Note that this doesn't yet fix the xsession handling stuff, but
    am looking to see what we can do about it.
    
    Bug: https://bugs.gentoo.org/746227
    Closes: https://bugs.gentoo.org/746359
    Closes: https://bugs.gentoo.org/746365
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/tigervnc/Manifest               |   1 +
 net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184 +++++++++++++++++++++++++++++++
 net-misc/tigervnc/tigervnc-9999.ebuild   |   9 +-
 3 files changed, 189 insertions(+), 5 deletions(-)
Comment 30 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-07 23:19:33 UTC
(In reply to Alexander Wessel from comment #28)
> Is there any need to still mask 1.11.0 with the patch applied? Do we know
> the correct PAM configuration now?
> 

So, I don't think anybody applied the xsession patches.

Roberto posted some patches but then decided it'd be a better idea to fix the xinit packages instead.

> 
> What's still needed here, actually? Sorry if I missed anything...
> 

I think we have two options:
1. try apply / rebase Roberto's patches;
2. wait for the xinit patches to be applied.

I don't use TigerVNC (or VNC at all much at the moment) so I'm a bit stuck on what to do given I'm not really familiar with this.
Comment 31 Joakim Tjernlund 2021-12-07 23:27:41 UTC
(In reply to Larry the Git Cow from comment #29)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=9dc0ec55803692786e6538bca4a12b0102e775f3
> 
> commit 9dc0ec55803692786e6538bca4a12b0102e775f3
> Author:     Sam James <sam@gentoo.org>
> AuthorDate: 2021-12-07 23:16:18 +0000
> Commit:     Sam James <sam@gentoo.org>
> CommitDate: 2021-12-07 23:16:42 +0000
> 
>     net-misc/tigervnc: add 1.12.0 (still masked)
>     
>     Note that this doesn't yet fix the xsession handling stuff, but
>     am looking to see what we can do about it.
>     
>     Bug: https://bugs.gentoo.org/746227
>     Closes: https://bugs.gentoo.org/746359
>     Closes: https://bugs.gentoo.org/746365
>     Signed-off-by: Sam James <sam@gentoo.org>
> 
>  net-misc/tigervnc/Manifest               |   1 +
>  net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184
> +++++++++++++++++++++++++++++++
>  net-misc/tigervnc/tigervnc-9999.ebuild   |   9 +-
>  3 files changed, 189 insertions(+), 5 deletions(-)

In new ebuild there is:
		eapply "${FILESDIR}"/xserver120.patch
Here you need use the 21.1.1 server patch that comes with tigervnc.
See https://github.com/TigerVNC/tigervnc/blob/master/unix/xserver21.1.1.patch
Comment 32 Joakim Tjernlund 2021-12-07 23:35:19 UTC
(In reply to Joakim Tjernlund from comment #31)
> (In reply to Larry the Git Cow from comment #29)
> > The bug has been referenced in the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=9dc0ec55803692786e6538bca4a12b0102e775f3
> > 
> > commit 9dc0ec55803692786e6538bca4a12b0102e775f3
> > Author:     Sam James <sam@gentoo.org>
> > AuthorDate: 2021-12-07 23:16:18 +0000
> > Commit:     Sam James <sam@gentoo.org>
> > CommitDate: 2021-12-07 23:16:42 +0000
> > 
> >     net-misc/tigervnc: add 1.12.0 (still masked)
> >     
> >     Note that this doesn't yet fix the xsession handling stuff, but
> >     am looking to see what we can do about it.
> >     
> >     Bug: https://bugs.gentoo.org/746227
> >     Closes: https://bugs.gentoo.org/746359
> >     Closes: https://bugs.gentoo.org/746365
> >     Signed-off-by: Sam James <sam@gentoo.org>
> > 
> >  net-misc/tigervnc/Manifest               |   1 +
> >  net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184
> > +++++++++++++++++++++++++++++++
> >  net-misc/tigervnc/tigervnc-9999.ebuild   |   9 +-
> >  3 files changed, 189 insertions(+), 5 deletions(-)
> 
> In new ebuild there is:
> 		eapply "${FILESDIR}"/xserver120.patch
> Here you need use the 21.1.1 server patch that comes with tigervnc.
> See https://github.com/TigerVNC/tigervnc/blob/master/unix/xserver21.1.1.patch

I forgot, you need two patches as well:
https://github.com/TigerVNC/tigervnc/commit/736b50d04e1ba965696cd15d456dc2b7fc123150
and
https://github.com/TigerVNC/tigervnc/commit/f2577107f7f55382c524d8c738a777e5cdd80f60
Comment 33 Larry the Git Cow gentoo-dev 2021-12-07 23:45:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14e8c0f75ccd89f10dca5f83b3991c3bab5c7523

commit 14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-07 23:44:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-07 23:45:29 +0000

    net-misc/tigervnc: fix 1.12.0 for xorg 1.21.1
    
    Add additional patches and apply the right one in the source tree too.
    
    Bug: https://bugs.gentoo.org/746227
    Thanks-to: Joakim Tjernlund <joakim.tjernlund@infinera.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/tigervnc/Manifest                         |  1 +
 .../tigervnc/files/tigervnc-1.12.0-xorg-1.21.patch | 55 ++++++++++++++++++++++
 ...vnc-1.12.0.ebuild => tigervnc-1.12.0-r1.ebuild} | 15 +++---
 3 files changed, 65 insertions(+), 6 deletions(-)
Comment 34 Joakim Tjernlund 2021-12-08 00:10:34 UTC
(In reply to Larry the Git Cow from comment #33)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
> 
> commit 14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
> Author:     Sam James <sam@gentoo.org>
> AuthorDate: 2021-12-07 23:44:49 +0000
> Commit:     Sam James <sam@gentoo.org>
> CommitDate: 2021-12-07 23:45:29 +0000
> 
>     net-misc/tigervnc: fix 1.12.0 for xorg 1.21.1
>     
>     Add additional patches and apply the right one in the source tree too.
>     
>     Bug: https://bugs.gentoo.org/746227
>     Thanks-to: Joakim Tjernlund <joakim.tjernlund@infinera.com>
>     Signed-off-by: Sam James <sam@gentoo.org>
> 
>  net-misc/tigervnc/Manifest                         |  1 +
>  .../tigervnc/files/tigervnc-1.12.0-xorg-1.21.patch | 55
> ++++++++++++++++++++++
>  ...vnc-1.12.0.ebuild => tigervnc-1.12.0-r1.ebuild} | 15 +++---
>  3 files changed, 65 insertions(+), 6 deletions(-)

Noticed you patched away Present deps in tigervnc. If that does not work out
you can just configure xorg-server with  present. Then it builds without patching away present
Comment 35 Reva Denis 2021-12-11 06:06:41 UTC
What is current state of this bug? I vote to solve it.
Comment 36 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-11 06:16:59 UTC
(In reply to Reva Denis from comment #35)
> What is current state of this bug? I vote to solve it.

I explained a few days ago: https://bugs.gentoo.org/746227#c30.

It's not a matter of votes or more people wanting it fixed: I don't really know much about this area and I need somebody who does (possibly a user!) to assist.
Comment 37 Paul Osmialowski 2021-12-11 10:11:29 UTC
| I don't really know much about this area and I need somebody who does (possibly a user!) to assist.

Well, I'm having one ARM64 Gentoo box which I mostly access remotely, also using VNC. I could possibly use it for testing. Currently it has the following installed:

[ebuild   R   ~] x11-base/xorg-server-21.1.1-r2:0/21.1.1::gentoo  USE="elogind udev unwind xephyr xnest xorg xvfb -debug -doc -minimal (-selinux) -suid -systemd -test -xcsecurity" 0 KiB
[ebuild   R   ~] net-misc/tigervnc-1.9.0-r2::gentoo  USE="dri3 drm gnutls java nls opengl pam server -xinerama -xorgmodule" 0 KiB

Do you have a specific scenario I could test on it?
Comment 38 Joakim Tjernlund 2022-01-19 19:42:14 UTC
Now that xorg-server-21.1.3 is stable one need >=tigervnc-1.12.0-r1
to use the xorg vnc module
Comment 39 simon 2022-01-26 10:44:31 UTC
Just tried to install on my second machine (main machine is still on 1.9 version) using the 1.12.0-r1 version. Compiled fine but startup of server fails with "Failure daemonizing"  in daemon.log

in auth.log it shows

Jan 26 11:39:41 machinename vncsession[10736]: pam_unix(tigervnc:session): session opened for user Username(uid=1000) by (uid=0)
Jan 26 11:39:41 machinename vncsession[10736]: pam_open_session failed: 28 (Module is unknown)

If wanted i can supply an strace or execute other tests?
Comment 40 simon 2022-01-26 17:35:49 UTC
Hi, I found a few minutes to dig deeper (no final success/understanding yet).
After removing the pam_selinux.so related lines in /etc/pam.d/tigervnc it tries to start. 
My interpretation is that it would only work if the mention .so files are present. Which i guess depends on pam having the "selinux" use flag. 

I was then able to launch a second xserver for vnc by manually invoking
"xinit  /usr/bin/fluxbox -- /usr/bin/Xvnc :1 -rfbauth /home/myuser/.vnc/passwd"

If i understand the discussion here the skipped "/etc/X11/xinit/Xsession" is what is not updated yet to pass the arguments (in my case fluxbox) and therefore it can not be fixed easily.

What also confuses me is the statement in their Howto (https://github.com/TigerVNC/tigervnc/blob/master/unix/vncserver/HOWTO.md)
"You will not be able to start a TigerVNC server for a user who is already logged into a graphical session". Why would it not just run an additional instance (as in my example, is this a limitation on xsession handling).

Don't want to spam or confuse. But if i can help further by testing i'll try to support.
Comment 41 Norman Back 2022-02-15 19:35:13 UTC
Created attachment 765203 [details]
New ebuild
Comment 42 Norman Back 2022-02-15 19:36:29 UTC
Created attachment 765204 [details, diff]
Patch
Comment 43 Norman Back 2022-02-15 19:37:19 UTC
Created attachment 765205 [details, diff]
Patch
Comment 44 Norman Back 2022-02-15 19:37:48 UTC
Created attachment 765206 [details, diff]
Patch
Comment 45 Norman Back 2022-02-15 19:38:54 UTC
Created attachment 765207 [details]
Config
Comment 46 Norman Back 2022-02-15 19:39:25 UTC
Created attachment 765208 [details]
init
Comment 47 Norman Back 2022-02-15 19:41:18 UTC
I've reviewed the posts above and archlinux bug https://bugs.archlinux.org/task/67869.
Unlike most distributions, every Gentoo install is different, with many different display managers.
So my feeling is that the Xsession file used by tigervnc must be configurable.
So expanding on the patches by Roberto Castagnola, adding an Xsession file choice to /etc/conf.d/tigervnc, adding the use flag selinux to the ebuild and further patches to get it working.
As sddm is used on all my systems, so far I have only tested with the sddm Xsession file.
The above attachments provide all the changes required.

Regards
Norman Back
Comment 48 Norman Back 2022-02-16 14:30:03 UTC
I have now checked that the Xsession files for ebuilds:
x11-misc/sddm-0.18.1-r5
x11-misc/lightdm-1.30.0-r2
lxde-base/lxdm-0.5.3-r3
x11-apps/xdm-1.1.12-r1
work OK.

However x11-misc/wdm-1.28-r8 fails.

I also attempted to check gnome-base/gdm-40.1 but failed compile some dependencies.
Comment 49 Norman Back 2022-02-16 15:01:01 UTC
By using ebuild install on gnome-base/gdm-40.1 and manually copying the
Xsession file into /etc/gdm, I have now checked that the gdm Xsession file
also works OK.
Comment 50 Larry the Git Cow gentoo-dev 2022-03-18 18:52:33 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=caf073483a915d187c7c9b76678425006bdf0873

commit caf073483a915d187c7c9b76678425006bdf0873
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-02-20 08:17:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-18 18:52:05 +0000

    profiles/package.mask: unmask tigervnc 1.11+
    
    Closes: https://bugs.gentoo.org/746227
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/24252
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 -----
 1 file changed, 5 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0660ebeeddda8fb14f5f34f40d467b6e6f288d1

commit c0660ebeeddda8fb14f5f34f40d467b6e6f288d1
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-02-18 17:38:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-18 18:51:58 +0000

    net-misc/tigervnc: fix start server with openrc
    
    Add support to override the default Xsession file
    
    Bug: https://bugs.gentoo.org/746227
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/tigervnc-1.12.0-xsession-path.patch      |  28 +++
 net-misc/tigervnc/files/tigervnc-1.12.0.confd      |  15 ++
 net-misc/tigervnc/files/tigervnc-1.12.0.initd      |  75 ++++++++
 net-misc/tigervnc/tigervnc-1.12.0-r2.ebuild        | 201 +++++++++++++++++++++
 4 files changed, 319 insertions(+)
Comment 51 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 18:52:55 UTC
Big thanks to Anarchy for testing.
Comment 52 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-20 03:49:55 UTC
(In reply to Sam James from comment #51)
> Big thanks to Anarchy for testing.

(and ceamac for doing the work!)