
Restrict Users from creating Temporary VNC #87

Open
amitkumars1985 opened this issue Jun 30, 2017 · 6 comments
Comments

@amitkumars1985

Is there any way to restrict users from creating temporary VNC sessions? In our environment we provide VNC sessions to users to connect to servers remotely. They can also stop/start/restart them as per their needs, but it is also allowing them to create temporary VNC sessions on other servers.
Is there any possibility to restrict this in a Linux environment?

@hildred

hildred commented Jun 30, 2017 via email

@amitkumars1985
Author

But changing the permission will also restrict users from stopping/starting their configured VNC sessions. We want them to perform basic operations on their configured VNC sessions and restrict them only from creating temporary sessions.
For example,
we have configured one user VNC in /etc/sysconfig/tvncservers. Now I want the user to perform basic stop/start operations for the configured VNC but not be able to create a temporary VNC on a different port, and other users who don't have a VNC on a particular server should not be able to start temporary VNC sessions.

@dcommander
Member

@amitkumars1985 As near as I can understand, what you want is to restrict users only to the TurboVNC sessions specified in /etc/sysconfig/tvncservers and to prevent them from starting any other TurboVNC sessions (?)

If you want to allow TurboVNC sessions only on specific machines, then that can be accomplished by including the following in /etc/turbovncserver-security.conf on the machine(s) where you want to disable it:

permitted-security-types =
no-remote-connections
no-reverse-connections
max-idle-timeout = 1
max-desktop-size = 1x1

Leaving permitted-security-types blank will ensure that the server won't start. Even if it did start, max-idle-timeout = 1 would ensure that it would only remain running for 1 second. Even if it didn't, then no-remote-connections and no-reverse-connections would ensure that the user wouldn't be able to connect without using SSH port forwarding (which you can also disable on a system-wide basis). Even if they did, then max-desktop-size = 1x1 would ensure that the session would be unusable.

A user could still download the binary for another VNC product, such as TigerVNC or RealVNC, to their home directory and execute it, because those other products will not honor the TurboVNC security configuration file. They could also do a custom build of TurboVNC from source code in their home directory, thereby preventing TurboVNC from reading /etc/turbovncserver-security.conf.

There is no way of which I'm aware to limit users to specific TurboVNC sessions within the same machine. The init.d mechanism that you're using (/etc/sysconfig/tvncservers) is starting TurboVNC sessions in much the same way that those sessions would be started manually, so any attempt to limit users' ability to manually start TurboVNC sessions would also limit their ability to start sessions through the init.d mechanism. You could, of course, prevent SSH console access to that machine for the users in question-- that is, you could allow SSH console access on machines where TurboVNC has been disabled, per above, but disallow it on machines where TurboVNC is enabled. However, the users could still start a new TurboVNC session from within their existing TurboVNC session.

If the "sanctioned"/"official" TurboVNC sessions will always be started on a particular port for a particular user, then you might be able to use the owner module of iptables to disallow a particular user from accessing any ports in the range of 5900-6000 except for their sanctioned VNC port. However, I don't personally know how to do that, and I don't think it would prevent them from starting a new session. It would probably just prevent them from connecting to the new session.

If I'm correctly understanding what you want, it would not be possible without introducing a new security mechanism into the TurboVNC Server. Such a mechanism could be straightforward. The TurboVNC Server would look for a directive in the Security Configuration File instructing it to restrict users only to sessions specified in /etc/sysconfig/tvncservers, then it would parse /etc/sysconfig/tvncservers to determine whether the session being started is sanctioned or not. However, once again, this would be easy for a user to work around, by downloading another VNC package and running it out of their home directory.

In general, most large-scale TurboVNC deployments do not attempt to limit users to only one session or to a specific VNC port. Rather, they implement a portal that allows the users to manage any sessions they have created-- including ones that weren't started through the portal.

@amitkumars1985
Author

I agree with your statement in the last paragraph, but here in our organization we have a lot of servers running with VNC and users use them to connect and work. For this we usually allocate them a VNC session on a particular server and instruct them to use it. As per organization policy users are allowed to have only one VNC session, but users are intelligent enough and just connect to any server and create a temporary session as per their convenience, which sometimes ends up crashing the sessions of other users or conflicting on ports.

@amitkumars1985
Author

In addition to that, if we keep permitted-security-types = blank, it will also impact other users on that server, so users who have their VNC session on that server will also be disallowed from connecting.

@dcommander
Member

dcommander commented Jun 30, 2017

It was extremely unclear what you were trying to accomplish, so I was attempting to explain what is possible using TurboVNC, as it is implemented now. Accomplishing what you want would require modifications to TurboVNC, as well as administrative policies to further lock down the systems. In general, if you are providing SSH console access to the systems, then there is no way to fully prevent a user from starting new VNC sessions. Even if you managed to prevent them from starting new TurboVNC sessions, they could easily download another VNC flavor and start a session that way. The best you will be able to do in that case is to make it more difficult-- but not impossible-- for users to start new VNC sessions. In general, the init.d mechanism in the TurboVNC Server is not meant to take the place of a comprehensive VNC session manager.

I am happy to implement the aforementioned feature-- a new security configuration file directive that limits users only to the TurboVNC sessions specified in /etc/sysconfig/tvncservers, but since that feature is not of broad interest to the TurboVNC community, I would need funding to pay for my labor to develop it.
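The sanctioned-session check dcommander sketches in both of his comments (a directive that would make the server consult /etc/sysconfig/tvncservers before starting a session) can be prototyped outside the server as a small policy script, for example as a gate in a wrapper around vncserver. This is an added example, not TurboVNC code; it assumes the VNCSERVERS="display:user ..." line format of the init.d configuration file and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example, not TurboVNC code: is a requested (user, display) pair one of
# the "sanctioned" sessions in a tvncservers-style file? Assumes the
# VNCSERVERS="1:alice 2:bob" line format used by the TurboVNC init.d script.

# Use a constructed sample file unless the caller points at a real one.
if [ -z "${TVNCSERVERS_FILE:-}" ]; then
    TVNCSERVERS_FILE=$(mktemp)
    cat > "$TVNCSERVERS_FILE" <<'EOF'
# constructed sample of /etc/sysconfig/tvncservers
VNCSERVERS="1:alice 2:bob"
VNCSERVERARGS[1]="-geometry 1280x1024"
EOF
fi
# Read VNCSERVERS with sed rather than sourcing the file, which would
# execute any shell code the file contains.
vncservers_list() {
    sed -n 's/^[[:space:]]*VNCSERVERS="\([^"]*\)".*/\1/p' "$TVNCSERVERS_FILE"
}

# is_sanctioned USER DISPLAY -> exit 0 if "DISPLAY:USER" is listed, else 1.
is_sanctioned() {
    for entry in $(vncservers_list); do
        [ "$entry" = "$2:$1" ] && return 0
    done
    return 1
}

# sanctioned_display USER -> prints the display number(s) allocated to USER.
sanctioned_display() {
    for entry in $(vncservers_list); do
        case "$entry" in
            *:"$1") printf '%s\n' "${entry%%:*}" ;;
        esac
    done
}

# check_request USER DISPLAY -> allow/deny line; exit status gates a wrapper.
check_request() {
    if is_sanctioned "$1" "$2"; then
        printf 'allow: %s may start :%s\n' "$1" "$2"
    else
        printf 'deny: %s not sanctioned for :%s (allocated: %s)\n' \
            "$1" "$2" "$(sanctioned_display "$1" | tr '\n' ' ')"
        return 1
    fi
}
check_request alice 1
check_request alice 2 || true
```

As the thread notes, such a check only governs sessions started through a path that calls it; a user with shell access can still run a self-built or third-party VNC server that never consults it.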
