Score:1

tigervncsession service won't start, deletes password file

On Ubuntu 22.04, I'm using TigerVNC (via the tigervnc-standalone-server package) to provide remote desktop access to a headless server.

For one user, the tigervncserver service exits with no diagnostic message:

$ sudo systemctl restart tigervncserver@:2
$ sudo systemctl status tigervncserver@:2
○ tigervncserver@:2.service - Remote desktop service (VNC)
     Loaded: loaded (/lib/systemd/system/tigervncserver@.service; disabled; vendor preset: enabled)
     Active: inactive (dead)

Jul 14 18:31:53 myserver systemd[1]: Starting Remote desktop service (VNC)...
Jul 14 18:31:53 myserver tigervncsession[14835]: pam_unix(tigervnc:session): session opened for user user2(uid=1002) by (uid=0)
Jul 14 18:31:53 myserver systemd[1]: Started Remote desktop service (VNC).
Jul 14 18:31:53 myserver tigervncsession[14835]: tigervncsession: tigervncserver exited with status=1
Jul 14 18:31:53 myserver tigervncsession[14835]: pam_unix(tigervnc:session): session closed for user user2
Jul 14 18:31:53 myserver systemd[1]: tigervncserver@:2.service: Deactivated successfully.

Even though tigervncserver exits with status 1, the overall service does not show as failed.

In ~user2/.vnc/hostname:2.log, it looks like it's asking for a password, which fails because it's running as a service and can't receive input:

You will require a password to access your desktops.

getpassword error: Inappropriate ioctl for device
Password:

I do have a ~user2/.vnc/passwd file, but bizarrely it's being deleted when the service tries to start:

[pid 15789] unlink("/home/user2/.vnc/passwd") = 0
[pid 15789] write(1, "\nYou will require a password to "..., 55) = 55
Score:1

The behavior is implemented in /usr/share/perl5/TigerVNC/Wrapper.pm:

# Make sure the user has a password.
sub CreateVNCPasswd {
  my ( $options ) = @_;

  my $passwordArgSpecified =
    ($options->{'src'}{'vncPasswdFile'}//"undef") eq "cmdline";

  # Check whether VNC authentication is enabled, and if so, prompt the user to
  # create a VNC password if they don't already have one.
  return if !$options->{'vncAuthEnabled'} || $passwordArgSpecified;
  my $vncPasswdFile = $options->{'vncPasswdFile'};
  my $st = stat($vncPasswdFile);

  if (!defined($st) || ($st->mode & 077)) {
    print "\nYou will require a password to access your desktops.\n\n";
    unless (unlink($vncPasswdFile) || $! == ENOENT) {
      print STDERR "Can't remove old vnc passwd file '$vncPasswdFile': $!!\n";
      exit 1;
    }
    system(getCommand("tigervncpasswd"), $vncPasswdFile);
    exit 1 if (($? >> 8) != 0);
  }
}

The culprit is the check $st->mode & 077 which is testing if the password file has any permission bits set for anyone other than the owner---i.e., the password is unsafely stored on disk.

Because I was creating my password file with:

echo "$PASSWORD" | tigervncpasswd -f > ~/.vnc/passwd

The default permissions of the file were -rw-rw-r--. We can create the file with -rw------- permissions:

SAVED_UMASK=$(umask)
umask 177  # Limit permissions to -rw-------
echo "$PASSWORD" | tigervncpasswd -f > ~/.vnc/passwd
umask "$SAVED_UMASK"

Or just chmod 600 ~/.vnc/passwd.
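
As an added example (not part of the original answer or of TigerVNC), the shell sketch below mirrors the `$st->mode & 077` test as a pre-flight check and writes the password file so it never carries group/other bits, even when a loose file already exists. The function names are hypothetical, GNU `stat` is assumed, and the demo uses constructed bytes rather than a real VNC password.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of TigerVNC.
# Assumes GNU coreutils stat (as on Ubuntu).

# Succeeds only if FILE exists and has no group/other permission bits:
# the condition Wrapper.pm tests with ($st->mode & 077).
vnc_passwd_is_private() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 1  # missing file
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Writes stdin to FILE with mode 0600. A plain "> FILE" keeps the mode of a
# file that already exists, so write a fresh temp file and rename it.
write_private() {
    dest=$1
    tmp=$(umask 177 && mktemp "$(dirname -- "$dest")/.passwd.XXXXXX") || return 1
    if cat > "$tmp" && mv -f -- "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# Demo on constructed data in a scratch directory (no real VNC password).
demo() {
    d=$(mktemp -d) || return 1
    ( umask 002 && printf 'constructed-bytes\n' > "$d/passwd" )  # reproduces -rw-rw-r--
    vnc_passwd_is_private "$d/passwd" || echo "loose: wrapper would unlink and prompt"
    printf 'constructed-bytes\n' | write_private "$d/passwd"
    vnc_passwd_is_private "$d/passwd" && echo "private: wrapper would accept the file"
    rm -rf -- "$d"
}
demo

# Real use, with the command from the post:
#   echo "$PASSWORD" | tigervncpasswd -f | write_private ~/.vnc/passwd
```

Running `vnc_passwd_is_private ~/.vnc/passwd` before `systemctl restart` catches the condition that otherwise only shows up as a deleted file and a password prompt in the session log.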
