Problems with tigervncserver copying credential files to /tmp

Bug #2088433 reported by Juha Aatrokoski
This bug affects 2 people
Affects            Status     Importance  Assigned to  Milestone
tigervnc (Debian)  New        Unknown
tigervnc (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

(Ubuntu 24.04.1, TigerVNC 1.13.1+dfsg-2build2)

On startup, tigervncserver (via Wrapper.pm) copies ~/.vnc/passwd (and other credential files) into /tmp/tigervnc.XXXXXX directory and tells Xtigervnc to use those instead. There are at least two problems with this:

1: On Ubuntu, automatic age-based cleaning of /tmp is enabled by default. This is problematic in general (see bug #2088268), but specifically the /tmp/tigervnc.XXXXXX directory can get removed. If /tmp has the noatime mount option, the removal always happens 30 days after the VNC server is started. Without noatime, the removal happens if there is a 30 day period without any new connections to the VNC server. When the directory is removed, the VNC server becomes inaccessible.

2: If the credential files (e.g. password) in ~/.vnc/ are changed, the running VNC server will not pick this up and will continue to use the old cached credential files.

I think there should at least be a mechanism to enable/disable this caching behavior via a configuration file (or a command line argument). Also, if such caching is done, I think the proper location would be under $XDG_RUNTIME_DIR instead of /tmp.

Revision history for this message
Nick Rosbrook (enr0n) wrote :

It sounds like tigervnc needs its own runtime directory (e.g. /run/tigervnc/) which it can control with its own tmpfiles configuration (or otherwise). It should not assume that things in /tmp will be around indefinitely.

If you want to change the default on your system, you can do so with a /etc/tmpfiles.d/tmp.conf override.

Changed in systemd (Ubuntu):
status: New → Won't Fix
Revision history for this message
Juha Aatrokoski (jha-kurp) wrote :

Huh, I did not mean to report this for systemd but for tigervnc (only), but it looks like the "Report a bug" link at the top-right of an existing bug forces the package, even though it later lets you specify the affected package... Anyway, I guess it's ok now(?)

And yeah, I can fix it for myself but not for others, hence the bug report. Also, fixing the problem with tmpfiles does not address the second problem of stale credential files.

Revision history for this message
Juha Aatrokoski (jha-kurp) wrote :

Uh-oh, bad news: I just tested it, and it looks like Xtigervnc does not check the owner/permissions of the password file at runtime, so if/when the /tmp/tigervnc.XXXXXX directory is removed, an attacker can hijack the VNC session by recreating the directory and password file (I did not test with other credential files, but presumably they work the same). So this is then also a security vulnerability.

information type: Public → Public Security
Revision history for this message
Nick Rosbrook (enr0n) wrote :

If you have not already, I would recommend opening a bug against upstream tigervnc. As I said, I think it needs to re-work its runtime directory handling, and that is something that is best driven by upstream, as opposed to in Ubuntu.

Revision history for this message
Juha Aatrokoski (jha-kurp) wrote :

I guess upstream in this case would be Debian, since the use of /tmp/tigervnc.XXXXXX (and Wrapper.pm as a whole) is a Debian thing which does not exist in upstream TigerVNC.

Revision history for this message
Juha Aatrokoski (jha-kurp) wrote :
Revision history for this message
Nick Rosbrook (enr0n) wrote :

Ah, I did not realize this was from a Debian patch. Thanks for opening the bug in Debian!

Changed in tigervnc (Debian):
status: Unknown → New
no longer affects: systemd (Ubuntu)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tigervnc (Ubuntu):
status: New → Confirmed
Revision history for this message
Henrik Harmsen (henrik-harmsen) wrote :

I think what is missing is a config file for tmpfiles.d. I added this file:

/etc/tmpfiles.d# cat tigervnc.conf
x /tmp/tigervnc*

Hopefully that will leave the tigervnc files alone. I think the Debian or Ubuntu package should contain such a conf file as part of this package (which then would mean this conf file should live in /usr/lib/tmpfiles.d).
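The checks that, per the comments above, Xtigervnc does not perform at runtime (ownership and permissions of the cached password file, and whether the cache still matches ~/.vnc/passwd), written up as an added shell example for administrators who want to audit an existing cache directory. This is not code from the bug report, from Wrapper.pm or from the tigervnc package. It assumes GNU coreutils stat(1) (the %u/%a format fields) and cmp(1) are available, and takes the cache directory and the source passwd file as arguments; the demonstration data built by vnc_cache_demo is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the tigervnc/Debian packaging.
# Audits a tigervncserver credential cache directory (the /tmp/tigervnc.XXXXXX
# layout described in the report) before trusting it: the directory and the
# passwd file inside it must exist, not be symlinks, be owned by the calling
# user with private modes, and the cached passwd must still match the source
# file in ~/.vnc.  Assumes GNU coreutils stat(1) (%u/%a) and cmp(1).

# vnc_cache_ok CACHE_DIR SOURCE_PASSWD
# Returns 0 when every check passes, 1 on the first failure (reason on stdout).
vnc_cache_ok() {
    dir=$1
    src=$2
    me=$(id -u)

    # 1. The cache directory must still be there and must be a real directory.
    #    A missing or replaced directory is the "removed by /tmp cleaning" case.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a plain directory"
        return 1
    fi

    # 2. Directory owner must be us and mode must be 700.
    set -- $(stat -c '%u %a' "$dir")
    if [ "$1" != "$me" ] || [ "$2" != "700" ]; then
        echo "FAIL: $dir has owner/mode $1/$2, expected $me/700"
        return 1
    fi

    # 3. Same for the cached password file (regular file, ours, mode 600).
    f=$dir/passwd
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file"
        return 1
    fi
    set -- $(stat -c '%u %a' "$f")
    if [ "$1" != "$me" ] || [ "$2" != "600" ]; then
        echo "FAIL: $f has owner/mode $1/$2, expected $me/600"
        return 1
    fi

    # 4. Staleness: the cache must still match the live ~/.vnc/passwd.
    if ! cmp -s "$f" "$src"; then
        echo "FAIL: $f differs from $src (credentials changed after server start)"
        return 1
    fi

    echo "OK: $dir"
    return 0
}

# Constructed demonstration data (not real credentials): a source file, a good
# cache, a world-readable cache, a stale cache and a removed cache, all under a
# temporary directory that is deleted afterwards.
vnc_cache_demo() {
    t=$(mktemp -d)
    printf 'constructed-passwd-bytes' > "$t/src"
    mkdir -m 700 "$t/good"  && cp "$t/src" "$t/good/passwd"  && chmod 600 "$t/good/passwd"
    mkdir -m 755 "$t/loose" && cp "$t/src" "$t/loose/passwd" && chmod 644 "$t/loose/passwd"
    mkdir -m 700 "$t/stale" && printf 'old-bytes' > "$t/stale/passwd" && chmod 600 "$t/stale/passwd"
    vnc_cache_ok "$t/good"  "$t/src" || true   # passes
    vnc_cache_ok "$t/loose" "$t/src" || true   # fails: directory mode 755
    vnc_cache_ok "$t/stale" "$t/src" || true   # fails: content differs from source
    vnc_cache_ok "$t/gone"  "$t/src" || true   # fails: directory removed
    rm -rf "$t"
}

vnc_cache_demo
```

Run against the real paths, that is the /tmp/tigervnc.XXXXXX directory the server was started with and ~/.vnc/passwd, the function flags both failure modes from the report: a cache directory that has disappeared (or come back with the wrong owner or mode) and a cached copy that no longer matches the live credentials. A tmpfiles.d `x` line such as the one in the comment above stops the age-based removal but does nothing for the staleness case, which is why a check like this is still worth running after changing the password.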
