|
|
|
@ -1,37 +1,188 @@
|
|
|
|
|
#!/usr/bin/perl
|
|
|
|
|
#
|
|
|
|
|
# desktop.cgi
|
|
|
|
|
##########################################################################
|
|
|
|
|
# desktop.cgi:
|
|
|
|
|
#
|
|
|
|
|
# This is an example CGI script to provide multi-user web access to
|
|
|
|
|
# x11vnc desktops. The user desktop sessions run in 'Xvfb' displays
|
|
|
|
|
# that are created automatically.
|
|
|
|
|
#
|
|
|
|
|
# This script should/must be served by an HTTPS (i.e. SSL) webserver,
|
|
|
|
|
# otherwise the unix and vnc passwords would be sent over the network
|
|
|
|
|
# unencrypted (see below to disable if you really want to.)
|
|
|
|
|
#
|
|
|
|
|
# The Java VNC Viewer applet connections are encrypted by SSL as well.
|
|
|
|
|
#
|
|
|
|
|
# You can use this script to provide unix users desktops available on
|
|
|
|
|
# demand via any Java enabled web browser. One could also use this for
|
|
|
|
|
# a special-purpose 'single application' service running in a minimal
|
|
|
|
|
# window manager.
|
|
|
|
|
#
|
|
|
|
|
# One example of a special-purpose application would be a scientific
|
|
|
|
|
# data visualization tool running on a server where the data is housed.
|
|
|
|
|
# To do this set $x11vnc_extra_opts = '-env FD_PROG=/path/to/app/launcher'
|
|
|
|
|
# where the program launches your special purpose application. A very
|
|
|
|
|
# simple example: '-env FD_PROG=/usr/bin/xclock'
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Depending on where you place this script, the user accesses the service
|
|
|
|
|
# with the URL:
|
|
|
|
|
#
|
|
|
|
|
# https://your.webserver.net/cgi-bin/desktop.cgi
|
|
|
|
|
#
|
|
|
|
|
# Then they login with their unix username and password to get their
|
|
|
|
|
# own desktop session.
|
|
|
|
|
#
|
|
|
|
|
# If the user has an existing desktop it is connected to directly,
|
|
|
|
|
# otherwise a new session is created inside an Xvfb display and then
|
|
|
|
|
# connected to by VNC.
|
|
|
|
|
#
|
|
|
|
|
# It is possible to do port redirection to other machines running SSL
|
|
|
|
|
# enabled VNC servers (see below.) This script does not start the VNC
|
|
|
|
|
# servers on the other machines, although with some extra rigging you
|
|
|
|
|
# should be able to do that as well.
|
|
|
|
|
#
|
|
|
|
|
# You can customize the login procedure to whatever you want by modifying
|
|
|
|
|
# this script, or by using ideas in this script write your own PHP,
|
|
|
|
|
# (for example), script.
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Overriding default settings:
|
|
|
|
|
#
|
|
|
|
|
# If you want to override any settings in this script and do not
|
|
|
|
|
# want to edit this script create the assignments in a file named
|
|
|
|
|
# 'desktop.cgi.conf' in the same directory as desktop.cgi. It will be
|
|
|
|
|
# sourced after the defaults are set. The format of desktop.cgi.conf
|
|
|
|
|
# is simply perl statements that make the assignments.
|
|
|
|
|
#
|
|
|
|
|
# For example, if you put something like this in desktop.cgi.conf:
|
|
|
|
|
#
|
|
|
|
|
# $x11vnc = '/usr/local/bin/x11vnc';
|
|
|
|
|
#
|
|
|
|
|
# that will set the path to the x11vnc binary to that location. Look at
|
|
|
|
|
# the settings below for the other variables that you can modify, for
|
|
|
|
|
# example one could set $allowed_users_file.
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# x11vnc:
|
|
|
|
|
#
|
|
|
|
|
# An example cgi script to provide multi-user web access to x11vnc
|
|
|
|
|
# desktops. This script should/must be served by an HTTPS webserver,
|
|
|
|
|
# otherwise the unix and vnc passwords are sent over the network
|
|
|
|
|
# unencrypted (see below to disable)
|
|
|
|
|
# You need to install x11vnc or otherwise have it available. It is
|
|
|
|
|
# REQUIRED that you use x11vnc 0.9.10 or later. It won't work with
|
|
|
|
|
# earlier versions. See below the $x11vnc parameter that you can set
|
|
|
|
|
# to the full path to x11vnc.
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Xvfb:
|
|
|
|
|
#
|
|
|
|
|
# Note that the x11vnc -create virtual desktop service used below requires
|
|
|
|
|
# that you install the 'Xvfb' program.
|
|
|
|
|
# that you install the 'Xvfb' program. On debian this is currently done
|
|
|
|
|
# via 'apt-get install xvfb'.
|
|
|
|
|
#
|
|
|
|
|
# If you are having trouble getting 'x11vnc -create' to work with this
|
|
|
|
|
# script (it can be tricky), try it manually and/or see the x11vnc FAQ
|
|
|
|
|
# links below.
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Apache httpd:
|
|
|
|
|
#
|
|
|
|
|
# You should put this script in, say, a cgi-bin directory. Enable cgi
|
|
|
|
|
# scripts in your apache (or other httpd) config. For example, we have
|
|
|
|
|
# these lines (not commented):
|
|
|
|
|
#
|
|
|
|
|
# In httpd.conf:
|
|
|
|
|
#
|
|
|
|
|
# You should put this script in, say, a cgi-bin directory.
|
|
|
|
|
# ScriptAlias /cgi-bin/ "/dist/apache/2.0/cgi-bin/"
|
|
|
|
|
#
|
|
|
|
|
# <Directory "/dist/apache/2.0/cgi-bin">
|
|
|
|
|
# AllowOverride None
|
|
|
|
|
# Options None
|
|
|
|
|
# Order allow,deny
|
|
|
|
|
# Allow from all
|
|
|
|
|
# </Directory>
|
|
|
|
|
#
|
|
|
|
|
# and in ssl.conf:
|
|
|
|
|
#
|
|
|
|
|
# <Directory "/dist/apache/2.0/cgi-bin">
|
|
|
|
|
# SSLOptions +StdEnvVars
|
|
|
|
|
# </Directory>
|
|
|
|
|
#
|
|
|
|
|
# Do not be confused by the non-standard /dist/apache/2.0 apache
|
|
|
|
|
# installation location that we happen to use. Yours will be different.
|
|
|
|
|
#
|
|
|
|
|
# You can test that you have CGI scripts working properly with the
|
|
|
|
|
# 'test-cgi' and 'printenv' scripts apache provides.
|
|
|
|
|
#
|
|
|
|
|
# Copy this file (desktop.cgi) to /dist/apache/2.0/cgi-bin and then run
|
|
|
|
|
# 'chmod 755 ...' on it to make it executable.
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Applet Jar files served by apache:
|
|
|
|
|
#
|
|
|
|
|
# You will *also* need to copy the x11vnc classes/ssl/UltraViewerSSL.jar
|
|
|
|
|
# file to the document root: /UltraViewerSSL.jar (or change the html
|
|
|
|
|
# at bottom.)
|
|
|
|
|
# file to the httpd DocumentRoot to be accessible by: /UltraViewerSSL.jar
|
|
|
|
|
# in a URL (or change $applet_jar below or the html in $applet_html if
|
|
|
|
|
# you want to use a different location.)
|
|
|
|
|
#
|
|
|
|
|
# This location is relative to the apache DocumentRoot 'htdocs' directory.
|
|
|
|
|
# For our (non-standard location installation) that meant we copied the
|
|
|
|
|
# file to:
|
|
|
|
|
#
|
|
|
|
|
# /dist/apache/2.0/htdocs/UltraViewerSSL.jar
|
|
|
|
|
#
|
|
|
|
|
# (your DocumentRoot directory will be different.)
|
|
|
|
|
#
|
|
|
|
|
# The VncViewer.jar (tightvnc) will also work, but you need to change
|
|
|
|
|
# the $applet_jar below. You can get these jar files from the x11vnc
|
|
|
|
|
# tarball from:
|
|
|
|
|
#
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/#downloading
|
|
|
|
|
#
|
|
|
|
|
# This script requires x11vnc 0.9.10 or later.
|
|
|
|
|
#
|
|
|
|
|
# Each x11vnc server created for a login will listen on its own port (see
|
|
|
|
|
# below for port selection schemes.) Your firewall must let in these ports.
|
|
|
|
|
# It is difficult and not as reliable to do all of this through a single port;
|
|
|
|
|
# however, see the fixed port scheme find_free_port = 'fixed:5900' below.
|
|
|
|
|
# Note that the usage mode for this script is a different from regular
|
|
|
|
|
# 'x11vnc -http ...' usage where x11vnc acts as a mini web server and
|
|
|
|
|
# serves its own applet jars. We don't use that mode for this script.
|
|
|
|
|
# Apache (httpd) serves the jars.
|
|
|
|
|
#
|
|
|
|
|
# Note there are two SSL certificates involved that the user may be
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Notes and Information:
|
|
|
|
|
#
|
|
|
|
|
# Each x11vnc server created for a user login will listen on its own port
|
|
|
|
|
# (see below for port selection schemes.) Your firewall must let in *ALL*
|
|
|
|
|
# of these ports (e.g. a port range, see below for the syntax.)
|
|
|
|
|
#
|
|
|
|
|
# It is also possible, although not as reliable, to do all of this through
|
|
|
|
|
# a single port, see the fixed port scheme $find_free_port = 'fixed:5910'
|
|
|
|
|
# below. This single port mode must be different from apache's port
|
|
|
|
|
# (usually 443 for https) and must also be allowed in by your firewall.
|
|
|
|
|
#
|
|
|
|
|
# Note: The fixed port scheme is DISABLED by default.
|
|
|
|
|
#
|
|
|
|
|
# It is also possible to have this script act as a vnc redirector to SSL
|
|
|
|
|
# enabled VNC servers running on *other* machines inside your firewall
|
|
|
|
|
# (presumably the users' desktops) See the $enable_port_redirection
|
|
|
|
|
# setting below. The user provides 'username@host:port' instead of just
|
|
|
|
|
# 'username' when she logs in. This script doesn't start VNC servers
|
|
|
|
|
# on those other machines, the servers must be running there already.
|
|
|
|
|
# (If you want this script to start them you will need to add it
|
|
|
|
|
# yourself.) It is possible to provide a host:port allow list to limit
|
|
|
|
|
# which internal machines and ports can be redirected to. This is the
|
|
|
|
|
# $port_redirection_allowed_hosts parameter.
|
|
|
|
|
#
|
|
|
|
|
# Note: The vnc redirector scheme is DISABLED by default.
|
|
|
|
|
#
|
|
|
|
|
# Note there are *two* SSL certificates involved that the user may be
|
|
|
|
|
# asked to inspect: apache's SSL cert and x11vnc's SSL cert. This may
|
|
|
|
|
# confuse the user.
|
|
|
|
|
# confuse naive users. You may want to use the same cert for both.
|
|
|
|
|
#
|
|
|
|
|
# This script provides one example on how to provide the service. You can
|
|
|
|
|
# customize to meet your needs, e.g. switch to php, newer modules,
|
|
|
|
|
# different authentication, SQL database, etc. If you plan to use it
|
|
|
|
|
# in production, please examine all security aspects of it carefully;
|
|
|
|
|
# read the comments in the script for more info.
|
|
|
|
|
# customize it to meet your needs, e.g. switch to php, newer cgi modules,
|
|
|
|
|
# different authentication, SQL database for user authentication, etc,
|
|
|
|
|
# etc. If you plan to use it in production, please examine all security
|
|
|
|
|
# aspects of it carefully; read the comments in the script for more info.
|
|
|
|
|
#
|
|
|
|
|
# More information and background:
|
|
|
|
|
# More information and background and troubleshooting:
|
|
|
|
|
#
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/faq.html#faq-xvfb
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-viewers
|
|
|
|
@ -39,6 +190,10 @@
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-portal
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/faq.html#faq-unix-passwords
|
|
|
|
|
# http://www.karlrunge.com/x11vnc/faq.html#faq-userlogin
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Please also read the comments below for changing specific settings.
|
|
|
|
|
# You can modify them in this script or by override file 'desktop.cgi.conf'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
@ -64,31 +219,58 @@ use strict;
|
|
|
|
|
use IO::Socket::INET;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Path to the x11vnc program:
|
|
|
|
|
#
|
|
|
|
|
my $x11vnc = '/usr/bin/x11vnc';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# You can set some extra x11vnc cmdline options here:
|
|
|
|
|
#
|
|
|
|
|
my $x11vnc_extra_opts = '';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Override the default x11vnc viewer connection timeout of 75 seconds:
|
|
|
|
|
#
|
|
|
|
|
my $x11vnc_timeout = '';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# TCP Ports:
|
|
|
|
|
#
|
|
|
|
|
# Set find_free_port to 1 (or the other modes described below) to
|
|
|
|
|
# autoselect a free port to use. The default is to use a fixed port
|
|
|
|
|
# based on the userid.
|
|
|
|
|
# autoselect a free port to use. The default is to use a port based on
|
|
|
|
|
# the userid number (7000 + uid).
|
|
|
|
|
#
|
|
|
|
|
my $find_free_port = 0;
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Or specify a port range:
|
|
|
|
|
#
|
|
|
|
|
#$find_free_port = '7000-8000';
|
|
|
|
|
#
|
|
|
|
|
# Or indicate to use a kludge to try to do everything through a SINGLE
|
|
|
|
|
# port. To try to avoid contention on the port, simultaneous instances
|
|
|
|
|
# of this script attempt to 'take turns' using it.
|
|
|
|
|
# of this script attempt to 'take turns' using it the single port.
|
|
|
|
|
#
|
|
|
|
|
#$find_free_port = 'fixed:5900';
|
|
|
|
|
#$find_free_port = 'fixed:5910';
|
|
|
|
|
|
|
|
|
|
# This is the starting port for 7000 + uid and also $find_free_port = 1
|
|
|
|
|
# autoselection:
|
|
|
|
|
#
|
|
|
|
|
my $starting_port = 7000;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Port redirection mode:
|
|
|
|
|
#
|
|
|
|
|
# This is to allow port redirection mode: username@host:port If username
|
|
|
|
|
# is valid, there will be a port redirection to internal machine
|
|
|
|
|
# This is to enable port redirection mode: username@host:port. If
|
|
|
|
|
# username is valid, there will be a port redirection to internal machine
|
|
|
|
|
# host:port. Presumably there is already an SSL enabled and password
|
|
|
|
|
# protected VNC server running there. We don't start that server.
|
|
|
|
|
# protected VNC server running there. We don't start that VNC server.
|
|
|
|
|
# (You might be able to figure out a way to do this yourself.)
|
|
|
|
|
#
|
|
|
|
|
# See the next setting for an allowed hosts file. The default for port
|
|
|
|
|
# redirection is off.
|
|
|
|
|
#
|
|
|
|
@ -108,23 +290,60 @@ my $enable_port_redirection = 0;
|
|
|
|
|
my $port_redirection_allowed_hosts = '';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Allowed users:
|
|
|
|
|
#
|
|
|
|
|
# To limit which users can use this service, set the following to a file
|
|
|
|
|
# that contains the allowed user names one per line. Lines starting with
|
|
|
|
|
# the '#' character are skipped.
|
|
|
|
|
#
|
|
|
|
|
my $allowed_users_file = '';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Denied users:
|
|
|
|
|
#
|
|
|
|
|
# As with $allowed_users_file, but to deny certain users. Applied after
|
|
|
|
|
# any $allowed_users_file check and overrides the result.
|
|
|
|
|
#
|
|
|
|
|
my $denied_users_file = '';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# trustUrlVncCert applet parameter:
|
|
|
|
|
#
|
|
|
|
|
# Set to 0 to have the java applet html set the parameter
|
|
|
|
|
# trustUrlVncCert=no, i.e. the applet will not automatically accept an
|
|
|
|
|
# SSL cert already accepted by an HTTPS URL. See print_applet_html()
|
|
|
|
|
# below for more info.
|
|
|
|
|
# trustUrlVncCert=no, i.e. the applet will not automatically accept
|
|
|
|
|
# an SSL cert already accepted by an HTTPS URL. See $applet_html and
|
|
|
|
|
# print_applet_html() below for more info.
|
|
|
|
|
#
|
|
|
|
|
my $trustUrlVncCert = 1;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# One-time VNC password fifo:
|
|
|
|
|
#
|
|
|
|
|
# For extra security against local untrusted users a fifo is used
|
|
|
|
|
# to copy the one-time VNC password to the user's VNC password file
|
|
|
|
|
# ~user/x11vnc.pw. If that fifo transfer technique causes problems,
|
|
|
|
|
# you can set this value to 1 to disable the security feature:
|
|
|
|
|
#
|
|
|
|
|
my $disable_vnc_passwd_fifo_safety = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Comment this out if you don't want PATH modified:
|
|
|
|
|
#
|
|
|
|
|
$ENV{PATH} = "/usr/bin:bin:$ENV{PATH}";
|
|
|
|
|
$ENV{PATH} = "/usr/bin:/bin:$ENV{PATH}";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# For the next two settings, note that most users will be confused that
|
|
|
|
|
# geometry and session are ignored when they are returning to their
|
|
|
|
|
# existing desktop session (x11vnc FINDDISPLAY action.)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Used below if user did not specify preferred geometry and color depth:
|
|
|
|
|
#
|
|
|
|
|
my $default_geometry = '1024x768x24';
|
|
|
|
@ -139,6 +358,7 @@ my $session_types = '';
|
|
|
|
|
#$session_types = 'gnome kde xfce lxde wmaker enlightenment mwm twm failsafe';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Set this to 1 to enable user setting a unique tag for each one
|
|
|
|
|
# of his desktops and so can have multiple ones simultaneously and
|
|
|
|
|
# select which one he wants. For now we just hack this onto geometry
|
|
|
|
@ -148,37 +368,125 @@ my $session_types = '';
|
|
|
|
|
my $enable_unique_tags = 0;
|
|
|
|
|
my $unique_tag = '';
|
|
|
|
|
|
|
|
|
|
# You can set some extra x11vnc cmdline options here:
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# String of HTML for the login form:
|
|
|
|
|
#
|
|
|
|
|
my $x11vnc_extra_opts = '';
|
|
|
|
|
# Feel free to customize to your taste, _USERNAME_ and _GEOMETRY_ are
|
|
|
|
|
# expanded to that of the request.
|
|
|
|
|
#
|
|
|
|
|
my $login_str = <<"END";
|
|
|
|
|
<title>x11vnc web access</title>
|
|
|
|
|
<h3>x11vnc web access</h3>
|
|
|
|
|
<form action="$ENV{REQUEST_URI}" method="post">
|
|
|
|
|
<table border="0">
|
|
|
|
|
<tr><td colspan=2><h2>Login</h2></td></tr>
|
|
|
|
|
<tr><td>Username:</td><td>
|
|
|
|
|
<input type="text" name="username" maxlength="40" value="_USERNAME_">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<tr><td>Password:</td><td>
|
|
|
|
|
<input type="password" name="password" maxlength="50">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<tr><td>Geometry:</td><td>
|
|
|
|
|
<input type="text" name="geometry" maxlength="40" value="_GEOMETRY_">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<!-- session -->
|
|
|
|
|
<tr><td colspan="2" align="right">
|
|
|
|
|
<input type="submit" name="submit" value="Login">
|
|
|
|
|
</td></tr>
|
|
|
|
|
</table>
|
|
|
|
|
</form>
|
|
|
|
|
END
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Path to x11vnc program:
|
|
|
|
|
##########################################################################
|
|
|
|
|
# String of HTML returned to web browser to launch applet:
|
|
|
|
|
#
|
|
|
|
|
my $x11vnc = '/usr/bin/x11vnc';
|
|
|
|
|
# Feel free to customize to your taste, _UID_, _VNC_PORT_, _WIDTH_,
|
|
|
|
|
# _HEIGHT_, _PASS_, _TRUST_UVC_, _APPLET_JAR_, and _APPLET_CLASS_ are
|
|
|
|
|
# expanded to the appropriate values before sending out to the browser.
|
|
|
|
|
#
|
|
|
|
|
my $applet_html = <<"END";
|
|
|
|
|
<html>
|
|
|
|
|
<TITLE>
|
|
|
|
|
x11vnc desktop (_UID_/_VNC_PORT_)
|
|
|
|
|
</TITLE>
|
|
|
|
|
<APPLET CODE=_APPLET_CLASS_ ARCHIVE=_APPLET_JAR_ WIDTH=_WIDTH_ HEIGHT=_HEIGHT_>
|
|
|
|
|
<param name=PORT value=_VNC_PORT_>
|
|
|
|
|
<param name=VNCSERVERPORT value=_VNC_PORT_>
|
|
|
|
|
<param name=PASSWORD value=_PASS_>
|
|
|
|
|
<param name=trustUrlVncCert value=_TRUST_UVC_>
|
|
|
|
|
<param name="Open New Window" value=yes>
|
|
|
|
|
<param name="Offer Relogin" value=no>
|
|
|
|
|
<param name="ignoreMSLogonCheck" value=yes>
|
|
|
|
|
<param name="delayAuthPanel" value=yes>
|
|
|
|
|
<!-- extra -->
|
|
|
|
|
</APPLET>
|
|
|
|
|
<br>
|
|
|
|
|
<a href="$ENV{REQUEST_URI}">Login page</a><br>
|
|
|
|
|
<a href=http://www.karlrunge.com/x11vnc>x11vnc website</a>
|
|
|
|
|
</html>
|
|
|
|
|
END
|
|
|
|
|
|
|
|
|
|
if (`uname -n` =~ /haystack/) {
|
|
|
|
|
# for my testing:
|
|
|
|
|
if (-f "/home/runge/dtcgi.test") {
|
|
|
|
|
eval `cat /home/runge/dtcgi.test`;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# These java applet strings are expanded into the above $applet_html.
|
|
|
|
|
# Note that $applet_jar is relative to your apache DocumentRoot (htdocs)
|
|
|
|
|
# not the filesystem root.
|
|
|
|
|
#
|
|
|
|
|
my $applet_jar = '/UltraViewerSSL.jar';
|
|
|
|
|
my $applet_class = 'VncViewer.class';
|
|
|
|
|
|
|
|
|
|
# These make the applet panel smaller because we use 'Open New Window'
|
|
|
|
|
# anyway (set to 'W' or 'H' to use actual session geometry values):
|
|
|
|
|
#
|
|
|
|
|
my $applet_width = '400';
|
|
|
|
|
my $applet_height = '300';
|
|
|
|
|
|
|
|
|
|
# To customize ALL of the HTML printed out you may need to redefine
|
|
|
|
|
# the bye() subtroutine in your desktop.cgi.conf file.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
# Override any of the above settings by setting them in a file named
|
|
|
|
|
# 'desktop.cgi.conf'. It is sourced here.
|
|
|
|
|
#
|
|
|
|
|
# You can override any variable set above by supplying perl code
|
|
|
|
|
# in $0.conf that sets it to the desired value.
|
|
|
|
|
#
|
|
|
|
|
# Some examples you could put in $0.conf:
|
|
|
|
|
#
|
|
|
|
|
# $x11vnc = '/usr/local/bin/x11vnc';
|
|
|
|
|
# $x11vnc_extra_opts = '-env FD_PROG=/usr/bin/xclock';
|
|
|
|
|
# $x11vnc_extra_opts = '-ssl /usr/local/etc/dtcgi.pem';
|
|
|
|
|
# $find_free_port = 'fixed:5999';
|
|
|
|
|
# $enable_port_redirection = 1;
|
|
|
|
|
# $allowed_users_file = '/usr/local/etc/dtcgi.allowed';
|
|
|
|
|
#
|
|
|
|
|
if (-f "$0.conf") {
|
|
|
|
|
eval `cat "$0.conf"`;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# http header:
|
|
|
|
|
##########################################################################
|
|
|
|
|
# END OF MAIN USER SETTINGS.
|
|
|
|
|
# Only power users should change anything below.
|
|
|
|
|
##########################################################################
|
|
|
|
|
|
|
|
|
|
# Print http header reply:
|
|
|
|
|
#
|
|
|
|
|
print STDOUT "Content-Type: text/html\r\n\r\n";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Require HTTPS so that unix and vnc passwords are not sent in clear text
|
|
|
|
|
# (perhaps it is too late...) Disable HTTPS at your own risk.
|
|
|
|
|
# (perhaps it is too late...) Disable HTTPS here at your own risk.
|
|
|
|
|
#
|
|
|
|
|
if ($ENV{HTTPS} !~ /^on$/i) {
|
|
|
|
|
bye("HTTPS must be used (to encrypt passwords)");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Read request:
|
|
|
|
|
# Read URL request:
|
|
|
|
|
#
|
|
|
|
|
my $request;
|
|
|
|
|
if ($ENV{'REQUEST_METHOD'} eq "POST") {
|
|
|
|
@ -192,7 +500,8 @@ if ($ENV{'REQUEST_METHOD'} eq "POST") {
|
|
|
|
|
my %request = url_decode(split(/[&=]/, $request));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Experiment for FD_TAG x11vnc feature for multiple desktops:
|
|
|
|
|
# Experiment for FD_TAG x11vnc feature for multiple desktops for a
|
|
|
|
|
# single user:
|
|
|
|
|
#
|
|
|
|
|
# we hide it in geometry:tag for now:
|
|
|
|
|
#
|
|
|
|
@ -212,30 +521,28 @@ if (!exists $request{session} || $request{session} =~ /^\s*$/) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# String for the login form:
|
|
|
|
|
# Expand _USERNAME_ and _GEOMETRY_ in the login string HTML:
|
|
|
|
|
#
|
|
|
|
|
my $login_str = <<"END";
|
|
|
|
|
<title>x11vnc web access</title>
|
|
|
|
|
<h3>x11vnc web access</h3>
|
|
|
|
|
<form action="$ENV{REQUEST_URI}" method="post">
|
|
|
|
|
<table border="0">
|
|
|
|
|
<tr><td colspan=2><h2>Login</h2></td></tr>
|
|
|
|
|
<tr><td>Username:</td><td>
|
|
|
|
|
<input type="text" name="username" maxlength="40" value="$request{username}">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<tr><td>Password:</td><td>
|
|
|
|
|
<input type="password" name="password" maxlength="50">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<tr><td>Geometry:</td><td>
|
|
|
|
|
<input type="text" name="geometry" maxlength="40" value="$request{geometry}">
|
|
|
|
|
</td></tr>
|
|
|
|
|
<!-- session -->
|
|
|
|
|
<tr><td colspan="2" align="right">
|
|
|
|
|
<input type="submit" name="submit" value="Login">
|
|
|
|
|
</td></tr>
|
|
|
|
|
</table>
|
|
|
|
|
</form>
|
|
|
|
|
END
|
|
|
|
|
$login_str =~ s/_USERNAME_/$request{username}/g;
|
|
|
|
|
$login_str =~ s/_GEOMETRY_/$request{geometry}/g;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check x11vnc version for installers of this script who do not know
|
|
|
|
|
# how to read and follow instructions:
|
|
|
|
|
#
|
|
|
|
|
my $version = (split(' ', `$x11vnc -version`))[1];
|
|
|
|
|
$version =~ s/\D*$//;
|
|
|
|
|
|
|
|
|
|
my ($major, $minor, $micro) = split(/\./, $version);
|
|
|
|
|
if ($major !~ /^\d+$/ || $minor !~ /^\d+$/) {
|
|
|
|
|
bye("The x11vnc program is not installed correctly.");
|
|
|
|
|
}
|
|
|
|
|
$micro = 0 unless $micro;
|
|
|
|
|
my $level = $major * 100 * 100 + $minor * 100 + $micro;
|
|
|
|
|
my $needed = 0 * 100 * 100 + 9 * 100 + 10;
|
|
|
|
|
if ($level < $needed) {
|
|
|
|
|
bye("x11vnc version 0.9.10 or later is required. (Found version $version)");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Set up user selected desktop session list, if enabled:
|
|
|
|
@ -301,6 +608,49 @@ if ($enable_port_redirection) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# If there is an $allowed_users_file, check username against it:
|
|
|
|
|
#
|
|
|
|
|
if ($allowed_users_file ne '') {
|
|
|
|
|
if (! open(USERS, "<$allowed_users_file")) {
|
|
|
|
|
bye("Internal Error #0");
|
|
|
|
|
}
|
|
|
|
|
my $ok = 0;
|
|
|
|
|
while (<USERS>) {
|
|
|
|
|
chomp;
|
|
|
|
|
$_ =~ s/^\s*//;
|
|
|
|
|
$_ =~ s/\s*$//;
|
|
|
|
|
next if /^#/;
|
|
|
|
|
if ($username eq $_) {
|
|
|
|
|
$ok = 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
close USERS;
|
|
|
|
|
if (! $ok) {
|
|
|
|
|
bye("Denied Username.<p>$login_str");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# If there is a $denied_users_file, check username against it:
|
|
|
|
|
#
|
|
|
|
|
if ($denied_users_file ne '') {
|
|
|
|
|
if (! open(USERS, "<$denied_users_file")) {
|
|
|
|
|
bye("Internal Error #0");
|
|
|
|
|
}
|
|
|
|
|
my $ok = 1;
|
|
|
|
|
while (<USERS>) {
|
|
|
|
|
chomp;
|
|
|
|
|
$_ =~ s/^\s*//;
|
|
|
|
|
$_ =~ s/\s*$//;
|
|
|
|
|
next if /^#/;
|
|
|
|
|
if ($username eq $_) {
|
|
|
|
|
$ok = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
close USERS;
|
|
|
|
|
if (! $ok) {
|
|
|
|
|
bye("Denied Username.<p>$login_str");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Require username to be alphanumeric + '-' + '_':
|
|
|
|
|
# (one may want to add '.' as well)
|
|
|
|
@ -321,6 +671,7 @@ if ($? != 0 || $uid !~ /^\d+$/) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Use x11vnc trick to check if the unix password is valid:
|
|
|
|
|
# (requires x11vnc 0.9.10 or later.)
|
|
|
|
|
#
|
|
|
|
|
if (!open(X11VNC, "| $x11vnc -unixpw \%stdin > /dev/null")) {
|
|
|
|
|
bye("Internal Error #1");
|
|
|
|
@ -346,7 +697,7 @@ my $fixed_port = 0;
|
|
|
|
|
if (! $find_free_port) {
|
|
|
|
|
# Fixed port based on userid (we assume it is free):
|
|
|
|
|
#
|
|
|
|
|
$vnc_port = 7000 + $uid;
|
|
|
|
|
$vnc_port = $starting_port + $uid;
|
|
|
|
|
|
|
|
|
|
} elsif ($find_free_port =~ /^fixed:(\d+)$/) {
|
|
|
|
|
#
|
|
|
|
@ -391,7 +742,7 @@ for (my $i = 0; $i < 8; $i++) {
|
|
|
|
|
# Use x11vnc trick to switch to user and store vnc pass in the passwdfile.
|
|
|
|
|
# Result is $pass is placed in user's $HOME/x11vnc.pw
|
|
|
|
|
#
|
|
|
|
|
# (This is actually difficult to do without untrusted local users being
|
|
|
|
|
# (This is actually difficult to do without untrusted LOCAL users being
|
|
|
|
|
# able to see the pass as well, see copy_password_to_user() for details
|
|
|
|
|
# on how we try to avoid this.)
|
|
|
|
|
#
|
|
|
|
@ -430,6 +781,7 @@ if (!open(TMP, ">$tmpfile")) {
|
|
|
|
|
# and -sslonly disables VeNCrypt SSL connections.
|
|
|
|
|
|
|
|
|
|
# Some settings:
|
|
|
|
|
# (change these if you encounter timing problems, etc.)
|
|
|
|
|
#
|
|
|
|
|
my $timeout = 75;
|
|
|
|
|
my $extra = '';
|
|
|
|
@ -438,6 +790,8 @@ if ($fixed_port) {
|
|
|
|
|
$timeout = 45;
|
|
|
|
|
$extra .= " -loopbg100,1";
|
|
|
|
|
}
|
|
|
|
|
$timeout = $x11vnc_timeout if $x11vnc_timeout ne '';
|
|
|
|
|
|
|
|
|
|
if ($session_types ne '') {
|
|
|
|
|
# settings for session selection case:
|
|
|
|
|
if (exists $sessions{$session}) {
|
|
|
|
@ -474,7 +828,7 @@ if ($? == 0) {
|
|
|
|
|
unlink $md5;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# write x11vnc command to the tmp file:
|
|
|
|
|
# Write x11vnc command to the tmp file:
|
|
|
|
|
#
|
|
|
|
|
print TMP <<"END";
|
|
|
|
|
#!/bin/sh
|
|
|
|
@ -497,6 +851,7 @@ close TMP;
|
|
|
|
|
$ENV{UNIXPW_CMD} = "/bin/sh $tmpfile";
|
|
|
|
|
|
|
|
|
|
# For the fixed port scheme we try to cooperate via lock file:
|
|
|
|
|
# (disabled by default.)
|
|
|
|
|
#
|
|
|
|
|
my $rmlock = '';
|
|
|
|
|
#
|
|
|
|
@ -593,8 +948,8 @@ sub initialize_random {
|
|
|
|
|
# the end.
|
|
|
|
|
#
|
|
|
|
|
sub auto_select_port {
|
|
|
|
|
my $pmin = 7000; # default range.
|
|
|
|
|
my $pmax = 8000;
|
|
|
|
|
my $pmin = $starting_port; # default range 7000-8000.
|
|
|
|
|
my $pmax = $starting_port + 1000;
|
|
|
|
|
|
|
|
|
|
if ($find_free_port =~ /^(\d+)-(\d+)$/) {
|
|
|
|
|
# user supplied a range:
|
|
|
|
@ -647,7 +1002,7 @@ sub auto_select_port {
|
|
|
|
|
# the user command is run in its own tty.
|
|
|
|
|
#
|
|
|
|
|
# The best way would be a sudo action or a special setuid program for
|
|
|
|
|
# copying. So consider using that and thereby simplify this function.
|
|
|
|
|
# copying. So consider doing that and thereby simplify this function.
|
|
|
|
|
#
|
|
|
|
|
# Short of a special program doing this, we use a fifo so ONLY ONE
|
|
|
|
|
# process can read the password. If the untrusted local user reads it,
|
|
|
|
@ -685,6 +1040,12 @@ sub copy_password_to_user {
|
|
|
|
|
bye("Internal Error #7");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# disable fifo safety if requested:
|
|
|
|
|
#
|
|
|
|
|
if ($disable_vnc_passwd_fifo_safety) {
|
|
|
|
|
$use_fifo = '';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Make the fifo:
|
|
|
|
|
#
|
|
|
|
|
if ($use_fifo) {
|
|
|
|
@ -756,7 +1117,6 @@ sub copy_password_to_user {
|
|
|
|
|
}
|
|
|
|
|
close X11VNC; # note we ignore return value.
|
|
|
|
|
fsleep(0.5);
|
|
|
|
|
#print STDERR `ls -l $fifo ~$username/x11vnc.pw`;
|
|
|
|
|
unlink $fifo;
|
|
|
|
|
|
|
|
|
|
# Done!
|
|
|
|
@ -854,33 +1214,32 @@ sub lock_fixed_port {
|
|
|
|
|
#
|
|
|
|
|
sub print_applet_html {
|
|
|
|
|
my ($W, $H, $D) = split(/x/, $geometry);
|
|
|
|
|
$W = 640; # make it smaller since we 'Open New Window' below anyway.
|
|
|
|
|
$H = 480;
|
|
|
|
|
|
|
|
|
|
# make it smaller since we 'Open New Window' below anyway.
|
|
|
|
|
if ($applet_width ne 'W') {
|
|
|
|
|
$W = $applet_width;
|
|
|
|
|
}
|
|
|
|
|
if ($applet_height ne 'H') {
|
|
|
|
|
$H = $applet_height;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $tUVC = ($trustUrlVncCert ? 'yes' : 'no');
|
|
|
|
|
my $str = <<"END";
|
|
|
|
|
<html>
|
|
|
|
|
<TITLE>
|
|
|
|
|
x11vnc desktop ($uid/$vnc_port)
|
|
|
|
|
</TITLE>
|
|
|
|
|
<APPLET CODE=VncViewer.class ARCHIVE=/UltraViewerSSL.jar WIDTH=$W HEIGHT=$H>
|
|
|
|
|
<param name=PORT value=$vnc_port>
|
|
|
|
|
<param name=VNCSERVERPORT value=$vnc_port>
|
|
|
|
|
<param name=PASSWORD value=$pass>
|
|
|
|
|
<param name=trustUrlVncCert value=$tUVC>
|
|
|
|
|
<param name="Open New Window" value=yes>
|
|
|
|
|
<param name="Offer Relogin" value=no>
|
|
|
|
|
<param name="ignoreMSLogonCheck" value=yes>
|
|
|
|
|
<param name="delayAuthPanel" value=yes>
|
|
|
|
|
<!-- extra -->
|
|
|
|
|
</APPLET>
|
|
|
|
|
<br>
|
|
|
|
|
<a href="$ENV{REQUEST_URI}">Login page</a><br>
|
|
|
|
|
<a href=http://www.karlrunge.com/x11vnc>x11vnc website</a>
|
|
|
|
|
</html>
|
|
|
|
|
END
|
|
|
|
|
|
|
|
|
|
# see $applet_html set in defaults section for more info:
|
|
|
|
|
#
|
|
|
|
|
my $str = $applet_html;
|
|
|
|
|
|
|
|
|
|
$str =~ s/_UID_/$uid/g;
|
|
|
|
|
$str =~ s/_VNC_PORT_/$vnc_port/g;
|
|
|
|
|
$str =~ s/_WIDTH_/$W/g;
|
|
|
|
|
$str =~ s/_HEIGHT_/$H/g;
|
|
|
|
|
$str =~ s/_PASS_/$pass/g;
|
|
|
|
|
$str =~ s/_APPLET_JAR_/$applet_jar/g;
|
|
|
|
|
$str =~ s/_APPLET_CLASS_/$applet_class/g;
|
|
|
|
|
$str =~ s/_TRUST_UVC_/$tUVC/g;
|
|
|
|
|
|
|
|
|
|
if ($enable_port_redirection && $redirect_host ne '') {
|
|
|
|
|
$str =~ s/name=PASSWORD value=.*>/name=NOT_USED value=yes>/;
|
|
|
|
|
$str =~ s/name=PASSWORD value=.*>/name=NOT_USED value=yes>/i;
|
|
|
|
|
#$str =~ s/<!-- extra -->/<!-- extra -->\n<param name="ignoreProxy" value=yes>/;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1025,6 +1384,9 @@ sub check_redirect_host {
|
|
|
|
|
|
|
|
|
|
# Much of this code is borrowed from 'connect_switch':
|
|
|
|
|
#
|
|
|
|
|
# (it only applies to the vnc redirector $enable_port_redirection mode
|
|
|
|
|
# which is off by default.)
|
|
|
|
|
#
|
|
|
|
|
sub handle_conn {
|
|
|
|
|
close STDIN;
|
|
|
|
|
close STDOUT;
|
|
|
|
|
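Review bot: The placeholder expansion `$login_str =~ s/_USERNAME_/$request{username}/g;` and the matching `_GEOMETRY_` line copy request parameters into the `value="..."` attributes of the login form without HTML-escaping. Going by the hunk offsets they run before the alphanumeric username check, so `bye("Denied Username.<p>$login_str")` and any other path that prints the form can echo markup supplied in the request. Escape both values before substituting, for example `(my $u = $request{username}) =~ s/([&<>"'])/sprintf("&#%d;", ord($1))/ge;` followed by `$login_str =~ s/_USERNAME_/$u/g;`, and give `$ENV{REQUEST_URI}` in the form action and the "Login page" link the same treatment. Separately, the `desktop.cgi.conf` override (`if (-f "$0.conf")`, then a string `eval` of the output of `cat "$0.conf"`) starts a shell and executes whatever the file holds with no check on its owner or mode; `do "$0.conf"` after confirming the file is owned by a trusted account and is not group- or world-writable would drop the shell and make that trust assumption explicit. The +/- markers are lost on this page, so new-side status is inferred from the hunk comments and the placeholder names; in particular, the `/home/runge/dtcgi.test` eval in the same hunk could be on either side and should be confirmed as not shipping.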