Starting VNC server under unprivileged user as service.

kfmut

JuvenalUrbino Thanks a lot for such an elaborate answer! Was also thinking about using vncserver script in rc.d service but for some reason was thinking that using su isn't OK for that 🤔

JuvenalUrbino

kfmut Was also thinking about using vncserver script in rc.d service but for some reason was thinking that using su isn't OK for that 🤔

Why? Truthfully speaking, su is invoked by the rc.subr(8) script to change the process ownership to that of the unprivileged user optionally specified by the $name_user variable within the service script (providing $name_chroot hasn't been given at the same time, they're mutually exclusive); have a look at rc.subr sources.

The rationale behind using a su hook to start/stop the service in place of a standard $name_user variable is that $name_user defaults to su -m, as opposed to su -l. The latter simulates a full login, by discarding root's environment –which is why I recommended you to define TERM capabilities system-wide– changing the working directory to target's HOME and setting the PATH to that of target's login class, as defined in /etc/login.conf.

vncserver needs to be started from user's home in order to detect the ~/.vnc dir and create a session-specific process pid with proper ownership/permissions (for this reason I didn't define/check a process pid in my service script, normally one would have it set to /var/run/{name}.pid). It also requires xauth (which on NetBSD resides at /usr/X11R7/bin) to be found within the PATH. If started with su -m vncserver shall attempt (and fail) to create a .vnc dir at /.

kfmut

JuvenalUrbino didn't get that part with colon builtin command in parameters assignment but everything seems working fine. Thank you!

JuvenalUrbino

kfmut didn't get that part with colon builtin command in parameters assignment but everything seems working fine. Thank you!

passing a ${parameter=word} PE as an argument to the colon builtin command means that the default interpreter should expand and assign word to parameter if the latter was unset (not null), and is equivalent to:

if [ -z "${parameter}" ]; then
    parameter="word"
fi

In other words it assigns a default value when the parameter was unset:

$ unset VAR
$ : ${VAR=x}
$ echo $VAR 
x
$ VAR=y
$ : ${VAR=x}
$ echo $VAR 
y

kfmut

JuvenalUrbino so it's same as:
${parameter:=word}
???

JuvenalUrbino

kfmut ${parameter:=word}

slightly different, without the colon an empty string is an accepted value for the parameter (in our case the vncserver already provides default options); from sh(1):

 In the parameter expansions shown previously, use of the colon in the
 format results in a test for a parameter that is unset or null; omission
 of the colon results in a test for a parameter that is only unset.

kfmut

JuvenalUrbino oops missed that in man sh 🤔 Thank you for clarification!

kfmut

And a small question: are there any official publications about correct usage of /etc/rc.conf.d directory for rc.d scripts overrides?

JuvenalUrbino

kfmut are there any official publications about correct usage of /etc/rc.conf.d directory for rc.d scripts overrides?

the basics are covered inside The Design and Implementation of the NetBSD rc.d system; but really, it's as easy as putting the relevant service-specific overrides (e.g. $rcvar_flags="...") in a readable file at /etc/rc.conf.d and name it after the service name 😉

kfmut

JuvenalUrbino it's quite convenient, thank you! Looks like in those overrides I could also disable or enable services instead of rc.conf.

kc9udx

kfmut rc.d, rc.conf, and rcorder are genius and elegant; so much better than systemd! I will admit that it frustrated me when I first came from SysV.

JuvenalUrbino thanks for the rc.d script. I did write a much uglier version. It didn't work, so I replaced it with yours. Unfortunately that wasn't my solution; which is the only reason I'm posting this:

So that if anyone else spends an hour or a weekend pulling their hair out, know this: Xvnc will not work with depth=8. It must be 16 or higher.