The 1.12.0 version of TigerVNC, which is present in Slackware 15.0, is quite different from earlier versions such as the 1.6.0 version in Slackware 14.2 and even the previous iterations of this software in Slackware-current (up to 1.11). It has ‘evolved‘ in a way that it has become dependent on systemd, or so the developers claim.
And indeed, the most prominent change is that the old ‘vncserver‘ script has been rewritten and should not be run directly any longer. In previous versions, as a user you could run ‘vncserver :1‘ to start a VNC server on port “5900 + 1” aka TCP Port 5901, and if needed you could kill that VNC server session with ‘vncserver -kill :1‘.
Fast forward to current-day. You are now expected to start the VNC server via the new command ‘vncsession‘ which will look in a couple of places to find out who you are and what desktop session you want to start. No longer will it install a “${HOME}/.vnc/xstartup” script for you to customize, instead it will look first in ‘/usr/share/xsessions‘ for *.desktop files like graphical login managers also do (SDDM, LightDM). Slackware applied a patch here for convenience, so that the names of sessions to look for also include "/etc/X11/xinit/Xsession", "/etc/X11/Xsession", "${HOME}/.vnc/xstartup", "${HOME}/.xinitrc", "/etc/X11/xinit/xinitrc" in that order.
The new TigerVNC expects to be launched from a systemd service and it can no longer be started as a non-root user.
Accepting that as a given (we can argue all we want with these developers but it looks like they are not interested), I looked for a way to make life easy for me and other VNC users on Slackware and other non-systemd distros.
In this article I will describe the solution I came up with. It’s a hack, I don’t think it is the best, but it works for me and only needs a one-time configuration by the root user. Let me know in the comments section how you were affected and dealt with the changes in TigerVNC!
- The new TigerVNC uses a user-to-displayport mapping file, ‘/etc/tigervnc/vncserver.users‘ with lines that contain “port=user” mappings.
  For instance, a line containing “:9=alien” means that a VNC server session which is started for user “alien” will be running at VNC port “:9” which corresponds to TCP port 5909.
- If a VNC session can only be started as root, then I will use ‘sudo‘ to allow regular users to start a ‘/usr/local/sbin/vncsession-start‘ wrapper script.
- I have written that wrapper script ‘/usr/local/sbin/vncsession-start‘ which checks your username via the ${SUDO_USER} variable, looks up the VNC display mapping for that useraccount in ‘/etc/tigervnc/vncserver.users‘ and starts the vncsession program with the user and port as parameters.
What needs to be done?
Wrapper script:
The script ‘/usr/local/sbin/vncsession-start‘ for which I took inspiration out of the tigervnc repository looks like this:
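#!/bin/bash
# Map a user to a VNC display via vncserver.users and start vncsession for them.
USERSFILE=/etc/tigervnc/vncserver.users
if [ ! -f "${USERSFILE}" ]; then
  echo "Users file ${USERSFILE} missing"
  exit 1
fi
# User given as first argument (when root runs this), else the sudo caller.
VNCUSER=${1:-"$SUDO_USER"}
if [ -z "${VNCUSER}" ]; then
  echo "No value given for VNCUSER"
  exit 1
fi
# First ":N=user" line for this user; the trailing anchor stops "bob" from matching "bobby".
DISPLAY=$(grep "^ *:.*=${VNCUSER} *\$" "${USERSFILE}" 2>/dev/null | head -1 | cut -d= -f1 | sed 's/^ *//g')
if [ -z "${DISPLAY}" ]; then
  echo "No display configured for user ${VNCUSER} in ${USERSFILE}"
  exit 1
fi
exec /usr/sbin/vncsession "${VNCUSER}" "${DISPLAY}"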
Don’t forget to make that script executable:
# chmod +x /usr/local/sbin/vncsession-start
Sudo:
I then create a ‘sudoers‘ rule in the file ‘/etc/sudoers.d/vncsession‘ (the filename does not really matter as long as it’s in that directory and has “0440” permissions) with the following single line of content:
%vnc ALL = (root) NOPASSWD: /usr/local/sbin/vncsession-start
This sudoers rule expects that your VNC users are members of group ‘vnc‘, so create that group and add your account(s) to it. In this example I add my own account ‘alien‘ to the new group ‘vnc‘:
# groupadd vnc
# gpasswd -a alien vnc
In order to have ‘/usr/local/sbin‘ in the $PATH when using ‘sudo‘, you must un-comment the following line in the file ‘/etc/sudoers‘ (remove the “#” at the beginning of the line):
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
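As an added example (not part of the original script), here is a stricter take on the wrapper's two decisions: whose session to start and which display to use. A sudoers command listed without arguments may be run with any arguments, so a member of ‘vnc‘ can pass another account name as $1; the function names lookup_display and resolve_vnc_user are hypothetical.

```bash
#!/bin/bash
# Added example: helper functions for a stricter vncsession wrapper.
# Function names are hypothetical; the ":N=user" format is the one used in
# /etc/tigervnc/vncserver.users.
# To stop regular users passing arguments at all, sudoers also accepts:
#   %vnc ALL = (root) NOPASSWD: /usr/local/sbin/vncsession-start ""

# Print the display mapped to exactly user $2 in users file $1; return 1 if none.
lookup_display() {
    local file="$1" want="$2" line disp user
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip comments
        case $line in *=*) ;; *) continue ;; esac
        disp=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        user=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        # Accept only ":<digits>" as a display.
        case $disp in :|:*[!0-9]*) continue ;; :*) ;; *) continue ;; esac
        # Literal comparison: "al" does not match "alien", and regex
        # metacharacters in the name have no special meaning.
        if [ "$user" = "$want" ]; then
            printf '%s\n' "$disp"
            return 0
        fi
    done < "$file"
    return 1
}

# Decide whose session to start.
# $1 = requested user (may be empty), $2 = SUDO_USER, $3 = SUDO_UID.
resolve_vnc_user() {
    local requested="$1" sudo_user="$2" sudo_uid="$3"
    if [ -n "$sudo_uid" ] && [ "$sudo_uid" != 0 ]; then
        # Called through sudo by a regular user: own session only.
        if [ -n "$requested" ] && [ "$requested" != "$sudo_user" ]; then
            return 1
        fi
        printf '%s\n' "$sudo_user"
    else
        # root, directly or from rc.local, may name any user.
        requested=${requested:-$sudo_user}
        [ -n "$requested" ] || return 1
        printf '%s\n' "$requested"
    fi
}

# In the wrapper:
#   user=$(resolve_vnc_user "$1" "$SUDO_USER" "$SUDO_UID") || exit 1
#   disp=$(lookup_display /etc/tigervnc/vncserver.users "$user") || exit 1
#   exec /usr/sbin/vncsession "$user" "$disp"
```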
TigerVNC:
The VNC user mappings have to be added on separate lines in ‘/etc/tigervnc/vncserver.users‘. Note that each user requires a different port mapping:
:1=kenny
:2=bob
:9=alien
In order to have a sane out-of-the-box behavior for our VNC users, edit the global defaults file ‘/etc/tigervnc/vncserver-config-defaults‘ which by the way can be overruled per-user by a similarly formatted file named ‘${HOME}/.vnc/config‘ (the user would have to create it):
session=plasma
# securitytypes=vncauth,tlsvnc
# geometry=2000x1200
# localhost
# alwaysshared
The above session type “plasma” is valid because a file ‘/usr/share/xsessions/plasma.desktop‘ exists. The TigerVNC default session type “gnome” does not exist in Slackware.
Tell new VNC users to run ‘vncpasswd‘ before starting their first VNC server session, so that their sessions are at least somewhat protected.
That’s all.
Now, if you want to start a VNC server session, all you need to run as a regular user is:
$ sudo vncsession-start
and then connect to the VNC session with any ‘vncviewer‘ program. Look for my article about NoVNC if you want to give your users a web-based access to their VNC sessions. In that case you can make it mandatory for the VNC session to only bind to localhost address so that VNC sessions can not be accessed un-encrypted over the network. You can enforce this by adding a line only containing “localhost” to ‘/etc/tigervnc/vncserver-config-mandatory‘.
Good to know, it is no longer possible – but there is no longer a need – to kill the VNC server when you are done with it as was required in the past. Logging out from your graphical desktop will terminate your login session and stop the VNC server.
An additional bonus of my ‘vncsession-start‘ script is that root can run it for any user, and this makes it easy for instance to start the users’ VNC sessions in your computer’s ‘/etc/rc.d/rc.local‘ script. You just need to add the following command to start a VNC session for user ‘alien‘ – as long as a port mapping has been configured for ‘alien‘ of course:
/usr/local/sbin/vncsession-start alien
Caveat:
A TigerVNC session can only be started for/by a user if that user is not already running an interactive desktop session. This means that the root user cannot use “vncsession-start alien” to snoop my existing login session; the program will simply refuse to launch.
Thoughts?
Eric