From 24af40e7c0fa01a818a5c835ec8848ad6744e661 Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Wed, 11 Jun 2025 21:26:08 -0300
Subject: xvnc.c: faster handling of the display argument in
 ddxProcessArgument()

Return zero if the current argument starts with ":". It's useless to
check if it matches any of the other Xvnc arguments.

Also use the global variable explicit_display, set by the X server code,
instead of a private flag.

Signed-off-by: Carlos Santos <casantos@redhat.com>
---
 unix/xserver/hw/vnc/xvnc.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'unix/xserver/hw')

diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
index 4c50c670..8aaed379 100644
--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
@@ -110,7 +110,6 @@ static VncScreenInfo vncScreenInfo = {
 static Bool vncPixmapDepths[33];
 static Bool Render = TRUE;
 
-static Bool displaySpecified = FALSE;
 static char displayNumStr[16];
 
 static int vncVerbose = 0;
@@ -278,7 +277,7 @@ ddxProcessArgument(int argc, char *argv[], int i)
     }
 
     if (argv[i][0] == ':')
-        displaySpecified = TRUE;
+        return 0;
 
 #if XORG_OLDER_THAN(1, 21, 1)
 #define CHECK_FOR_REQUIRED_ARGUMENTS(num) \
@@ -386,7 +385,7 @@ ddxProcessArgument(int argc, char *argv[], int i)
         dup2(nullfd, 2);
         close(nullfd);
 
-        if (!displaySpecified) {
+        if (!explicit_display) {
             int port = vncGetSocketPort(vncInetdSock);
             int displayNum = port - 5900;
 
@@ -400,9 +399,9 @@ ddxProcessArgument(int argc, char *argv[], int i)
                     FatalError
                         ("Xvnc error: No free display number for -inetd\n");
             }
-
-            display = displayNumStr;
             sprintf(displayNumStr, "%d", displayNum);
+            display = displayNumStr;
+            explicit_display = TRUE;
         }
 
         return 1;
-- 
cgit v1.2.3


From 1cc5daeb9640a49b92e0df8f6badbc687ff66538 Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Thu, 12 Jun 2025 17:40:30 -0300
Subject: Make Xvnc and x0vncserver pass the display name to PAM modules.

Fixes: https://issues.redhat.com/browse/RHEL-34880

Signed-off-by: Carlos Santos <casantos@redhat.com>
---
 common/rfb/UnixPasswordValidator.cxx | 15 +++++++++++++++
 common/rfb/UnixPasswordValidator.h   |  7 +++++++
 unix/x0vncserver/x0vncserver.cxx     |  5 ++++-
 unix/xserver/hw/vnc/RFBGlue.cc       |  9 +++++++++
 unix/xserver/hw/vnc/RFBGlue.h        |  2 ++
 unix/xserver/hw/vnc/xvnc.c           |  3 +++
 6 files changed, 40 insertions(+), 1 deletion(-)

(limited to 'unix/xserver/hw')

diff --git a/common/rfb/UnixPasswordValidator.cxx b/common/rfb/UnixPasswordValidator.cxx
index 17fab80b..8239463a 100644
--- a/common/rfb/UnixPasswordValidator.cxx
+++ b/common/rfb/UnixPasswordValidator.cxx
@@ -21,6 +21,8 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+
+#include <assert.h>
 #include <string.h>
 #include <security/pam_appl.h>
 
@@ -38,6 +40,8 @@ static core::StringParameter pamService
 core::AliasParameter pam_service("pam_service", "Alias for PAMService",
                                  &pamService);
 
+std::string UnixPasswordValidator::displayName;
+
 typedef struct
 {
   const char *username;
@@ -108,6 +112,17 @@ bool UnixPasswordValidator::validateInternal(SConnection * /* sc */,
     vlog.error("pam_start(%s) failed: %d", (const char *) pamService, ret);
     return false;
   }
+#ifdef PAM_XDISPLAY
+  /* At this point, displayName should never be empty */
+  assert(displayName.length() > 0);
+  /* Pass the display name to PAM modules but PAM_XDISPLAY may not be
+   * recognized by modules built with old versions of PAM */
+  ret = pam_set_item(pamh, PAM_XDISPLAY, displayName.c_str());
+  if (ret != PAM_SUCCESS && ret != PAM_BAD_ITEM) {
+    vlog.error("pam_set_item(PAM_XDISPLAY) failed: %d (%s)", ret, pam_strerror(pamh, ret));
+    goto error;
+  }
+#endif
   ret = pam_authenticate(pamh, 0);
   if (ret != PAM_SUCCESS) {
     vlog.error("pam_authenticate() failed: %d (%s)", ret, pam_strerror(pamh, ret));
diff --git a/common/rfb/UnixPasswordValidator.h b/common/rfb/UnixPasswordValidator.h
index 46ad2e06..a2cc89c5 100644
--- a/common/rfb/UnixPasswordValidator.h
+++ b/common/rfb/UnixPasswordValidator.h
@@ -26,12 +26,19 @@
 namespace rfb
 {
   class UnixPasswordValidator: public PasswordValidator {
+  public:
+    static void setDisplayName(const std::string& display) {
+      displayName = display;
+    }
+
   protected:
     bool validateInternal(SConnection *sc,
                           const char *username,
                           const char *password,
                           std::string &msg) override;
 
+  private:
+    static std::string displayName;
   };
 }
 
diff --git a/unix/x0vncserver/x0vncserver.cxx b/unix/x0vncserver/x0vncserver.cxx
index 9cdcd81e..f69aa434 100644
--- a/unix/x0vncserver/x0vncserver.cxx
+++ b/unix/x0vncserver/x0vncserver.cxx
@@ -38,6 +38,7 @@
 
 #include <rdr/FdOutStream.h>
 
+#include <rfb/UnixPasswordValidator.h>
 #include <rfb/VNCServerST.h>
 
 #include <network/TcpSocket.h>
@@ -334,12 +335,14 @@ int main(int argc, char** argv)
     exit(1);
   }
 
+  const char *displayName = XDisplayName(displayname);
   if (!(dpy = XOpenDisplay(displayname))) {
     // FIXME: Why not vlog.error(...)?
     fprintf(stderr,"%s: Unable to open display \"%s\"\r\n",
-            programName, XDisplayName(displayname));
+            programName, displayName);
     exit(1);
   }
+  rfb::UnixPasswordValidator::setDisplayName(displayName);
 
   signal(SIGHUP, CleanupSignalHandler);
   signal(SIGINT, CleanupSignalHandler);
diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc
index 4cab255e..f217906a 100644
--- a/unix/xserver/hw/vnc/RFBGlue.cc
+++ b/unix/xserver/hw/vnc/RFBGlue.cc
@@ -32,6 +32,8 @@
 
 #include <network/TcpSocket.h>
 
+#include <rfb/UnixPasswordValidator.h>
+
 #include "RFBGlue.h"
 
 // Loggers used by C code must be created here
@@ -234,3 +236,10 @@ int vncIsValidUTF8(const char* str, size_t bytes)
     return 0;
   }
 }
+
+void vncSetDisplayName(const char *displayNumStr)
+{
+  std::string displayName(":");
+  displayName += displayNumStr;
+  rfb::UnixPasswordValidator::setDisplayName(displayName);
+}
diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h
index e033314e..86304ad5 100644
--- a/unix/xserver/hw/vnc/RFBGlue.h
+++ b/unix/xserver/hw/vnc/RFBGlue.h
@@ -55,6 +55,8 @@ char* vncUTF8ToLatin1(const char* src, size_t bytes);
 
 int vncIsValidUTF8(const char* str, size_t bytes);
 
+void vncSetDisplayName(const char *displayNumStr);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
index 8aaed379..5cf673aa 100644
--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
@@ -186,6 +186,9 @@ AbortDDX(enum ExitCode error)
 void
 OsVendorInit(void)
 {
+    /* At this point, display has been set, so we can use it to
+     * initialize UnixPasswordValidator */
+    vncSetDisplayName(display);
 }
 
 void
-- 
cgit v1.2.3