#1 2024-02-28 22:41:46

dakota
Member
Registered: 2016-05-20
Posts: 417

[SOLVED] Is a DM Required for Secure Remote GUI Access?

I've always run Arch as a single-user installation running fluxbox and starting from "startx", with no desktop environment or display manager.

Under this setup, XDG_SESSION_TYPE=tty

I now have a situation where I need a graphical environment, accessible remotely by other users. As I understand it, a session type of "tty" will not allow a graphical client to connect. The wiki equates a "Display Manager" with a "Login Manager" and suggests that part of its role is to manage security.

I tried to use vncviewer to connect remotely (to a tty session) but failed (as I expected). I then installed sddm and xinit-xsession. When I selected my "session" as xinit, I was able to connect. I have tested xdm, gdm, and ly. They all work okay, but I like the simplicity of not dealing with a DM.

Is there a way to select xinit as my session without using a DM?

(Currently I have uninstalled and/or disabled all the display managers, but I am still able to connect via vncviewer because the session type still identifies as xinit!)

SHELL=/bin/bash
WINDOWID=8388620
XTERM_VERSION=XTerm(390)
MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
DESKTOP_SESSION=xinitrc
PIDFILE=/run/vncsession-:2.pid
XTERM_SHELL=/bin/bash
PWD=/home/ops
XDG_SESSION_DESKTOP=xinitrc
LOGNAME=ops
XDG_SESSION_TYPE=x11
SYSTEMD_EXEC_PID=1189
XAUTHORITY=/home/ops/.Xauthority
HOME=/home/ops
USERNAME=ops
LANG=en_US.UTF-8
MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/system-vncserver.slice/vncserver@:2.service/memory.pressure
INVOCATION_ID=b53c48f665224bf4b22edacb6531c1a2
XTERM_LOCALE=en_US.UTF-8
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=ops
DISPLAY=:2.0
SHLVL=1
XDG_SESSION_ID=19
XDG_RUNTIME_DIR=/run/user/1001
DEBUGINFOD_URLS=https://debuginfod.archlinux.org 
JOURNAL_STREAM=8:20851
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
GDMSESSION=xinitrc
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
_=/usr/bin/printenv

Edit #1 - And in fact, now I have uninstalled ly and xinit-xsession and I can still connect because DESKTOP_SESSION=fluxbox and XDG_SESSION_TYPE=x11.

So, I guess my questions are:

1. Do I need a Display Manager to secure remote GUI access?
2. How do I manage "sessions" without a Display Manager?

Cheers,

==================================================

Edit # 2 - I think the answer to #1 is almost certainly: No. Late Userspace and getty seem to take care of security.

I'm still trying to get my head around "sessions" (still reading), but it seems likely that this is handled by systemd and all I need to do is set the environment variable.

Last edited by dakota (2024-02-29 16:58:54)


"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb


#2 2024-02-29 08:31:45

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,030

Re: [SOLVED] Is a DM Required for Secure Remote GUI Access?

1. tigervnc or x11vnc?
2. do you mean to share a local session or auto-spawn a remote session on remote login?

You have seen https://wiki.archlinux.org/title/X11vnc and https://wiki.archlinux.org/title/TigerVNC ?


#3 2024-02-29 14:46:48

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,642

Re: [SOLVED] Is a DM Required for Secure Remote GUI Access?

My suggestion would be a headless sway session along with wayvnc configured for connection only through ssh.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
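
Added example, not part of the thread or of any poster's setup: one way to confirm that a VNC server really is reachable only through ssh is to check that nothing in the VNC port range listens on a non-loopback address. It assumes input in the format printed by `ss -Hltn` and that VNC display :N listens on TCP 5900+N; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners that are reachable from outside loopback.
# Reads lines shaped like `ss -Hltn` output on stdin:
#   STATE RECV-Q SEND-Q LOCAL_ADDR:PORT PEER_ADDR:PORT

vnc_exposed() {
    awk '
    {
        local_addr = $4
        # The port is whatever follows the last colon (works for [::]:5902 too).
        n = split(local_addr, parts, ":")
        port = parts[n] + 0
        host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)

        # Only the conventional VNC range: display :0 to :99.
        if (port < 5900 || port > 5999) next

        # Loopback listeners can only be reached locally or via an ssh tunnel.
        if (host ~ /^127\./ || host == "[::1]") next

        # Anything else (0.0.0.0, [::], *, a LAN address) is network-reachable.
        print local_addr
    }'
}

# Constructed sample: display :1 bound to loopback, display :2 bound to all
# interfaces, plus an unrelated sshd listener.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5901 [::]:*
LISTEN 0 5 [::]:5902 [::]:*
EOF
}

# Prints the two exposed listeners from the sample.
# On a live host, use instead: ss -Hltn | vnc_exposed
sample_listeners | vnc_exposed
```

An empty result means every VNC listener is loopback-only, so remote users have to authenticate to sshd and forward the port before a viewer can connect.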


#4 2024-02-29 16:58:01

dakota
Member
Registered: 2016-05-20
Posts: 417

Re: [SOLVED] Is a DM Required for Secure Remote GUI Access?

@seth - I was thinking of tigervnc because I need remote users to be able to interact with the computer without changing the local display. So, yeah, I'm thinking about auto-spawning a remote session on remote login. Yes, I saw both of those links and I've been working through the tigervnc page.

@ewaller - oh great. Another 2 weeks' worth of reading. LOL. jk. I will definitely look into this.

I'm going to open a separate thread to discuss design recommendations (which can get pushed to Topics Going Nowhere).

In the meantime, whatever problem I had is now solved and I can't duplicate it.

1. With fluxbox installed, there is a fluxbox.desktop file located at /usr/share/xsessions.
2. Installing xinit-xsession adds an xinit.desktop file to that same location, but this is not necessary for vncviewer to work.
3. When vncviewer is configured correctly, it will connect through either type of session, but if the desired session is not found, it will fail-over to a session that will work.

My earlier failure to connect was *not* due to lack of a display manager or lack of an xinit session. Most likely, the service failed for some other, unrelated, reason and I assumed it was because of a lack of DM.

In any event, I tested this on a different computer. Under fluxbox, without a DM, the XDG_SESSION_TYPE=tty, but vncserver/vncviewer change the connection type to XDG_SESSION_TYPE=fluxbox when they connect.

Cheers,


"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb
