From 79d441ed17d19942b03cac2f1e4ac730f34c3b82 Mon Sep 17 00:00:00 2001 From: Carlos Santos Date: Tue, 3 Oct 2023 15:00:02 -0300 Subject: [PATCH] Support the "%u" username alias in PlainUsers This permits to enable PAM for the effective user of the Xvnc process by adding this to ~/.vnc/config or /etc/tigervnc/vncserver-config-defaults: SecurityTypes=TLSPlain PlainUsers=%u Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2233204 Signed-off-by: Carlos Santos --- common/rfb/SSecurityPlain.cxx | 9 +++++++++ unix/x0vncserver/x0vncserver.man | 5 +++-- unix/xserver/hw/vnc/Xvnc.man | 5 +++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx index 42f5009b2d..a100a7570b 100644 --- a/common/rfb/SSecurityPlain.cxx +++ b/common/rfb/SSecurityPlain.cxx @@ -28,6 +28,8 @@ #include #if !defined(WIN32) && !defined(__APPLE__) #include +#include +#include #endif #ifdef WIN32 #include @@ -53,6 +55,13 @@ bool PasswordValidator::validUser(const char* username) for (size_t i = 0; i < users.size(); i++) { if (users[i] == "*") return true; +#if !defined(WIN32) && !defined(__APPLE__) + if (users[i] == "%u") { + struct passwd *pw = getpwnam(username); + if (pw && pw->pw_uid == getuid()) + return true; + } +#endif if (users[i] == username) return true; } diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man index c36ae34e2f..122efa73a4 100644 --- a/unix/x0vncserver/x0vncserver.man +++ b/unix/x0vncserver/x0vncserver.man 
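Review bot: The new `%u` branch in validUser compares `pw->pw_uid` with `getuid()`, which returns the real user ID, while the commit message and both man pages describe the alias as matching the effective user of the server process. The two differ whenever the server runs set-uid or changes IDs after start, so either the check should read `if (pw && pw->pw_uid == geteuid())` or the documentation should say "real user". The match is also by UID rather than by name, so every account name that resolves to the same UID is accepted; a comment such as `// "%u": accept any name whose passwd entry maps to this process's UID` would record that this is intended. `getpwnam()` is called on the client-supplied name before authentication and returns a pointer to static storage, so if validUser can be reached from more than one thread (not visible in this hunk), `getpwnam_r()` would be the safer call. validUser's body starts and ends outside the hunk.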
@@ -125,8 +125,9 @@ parameter instead. .B \-PlainUsers \fIuser-list\fP A comma separated list of user names that are allowed to authenticate via any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP -to allow any user to authenticate using this security type. Default is to -deny all users. +to allow any user to authenticate using this security type. Specify \fB%u\fP +to allow the effective user of the server process. Default is to deny all +users. . .TP .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man index ea87deaf11..ff5dbfd540 100644 --- a/unix/xserver/hw/vnc/Xvnc.man +++ b/unix/xserver/hw/vnc/Xvnc.man @@ -200,8 +200,9 @@ parameter instead. .B \-PlainUsers \fIuser-list\fP A comma separated list of user names that are allowed to authenticate via any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP -to allow any user to authenticate using this security type. Default is to -deny all users. +to allow any user to authenticate using this security type. Specify \fB%u\fP +to allow the effective user of the server process. Default is to deny all +users. . .TP .B \-pam_service \fIname\fP, \-PAMService \fIname\fP