Uh-oh, bad news: I just tested it, and looks like Xtigervnc does not check the owner/permissions of the password file at runtime, so if/when the /tmp/tigervnc.XXXXXX directory is removed, an attacker can hijack the VNC session by recreating the directory and password file (I did not test with other credential files, but presumably they work the same). So this is then also a security vulnerability.
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/2088433 Title: Problems with tigervncserver copying credential files to /tmp Status in systemd package in Ubuntu: Won't Fix Status in tigervnc package in Ubuntu: New Bug description: (Ubuntu 24.04.1, TigerVNC 1.13.1+dfsg-2build2) On startup, tigervncserver (via Wrapper.pm) copies ~/.vnc/passwd (and other credential files) into /tmp/tigervnc.XXXXXX directory and tells Xtigervnc to use those instead. There are at least two problems with this: 1: On Ubuntu, automatic age-based cleaning of /tmp is enabled by default. This is problematic in general (see bug #2088268), but specifically the /tmp/tigervnc.XXXXXX directory can get removed. If /tmp has the noatime mount option, the removal always happens 30 days after the VNC server is started. Without noatime, the removal happens if there is a 30 day period without any new connections to the VNC server. When the directory is removed, the VNC server becomes inaccessible. 2: If the credential files (e.g. password) in ~/.vnc/ are changed, the running VNC server will not pick this up and will continue to use the old cached credential files. I think there should at least be a mechanism to enable/disable this caching behavior via a configuration file (or a command line argument). Also, if such caching is done, I think the proper location would be under $XDG_RUNTIME_DIR instead of /tmp. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2088433/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
