Knowledge base

Knowledge base: UNIX
Can I prevent the Xvnc process from running as root?

This article applies to the following product(s):

VNC
VNC Enterprise Edition
VNC Personal Edition


VNC

The Xvnc binary (VNC Server in Virtual Mode) is installed as setuid root because root access is required for certain features. For security reasons, it relinquishes root permissions as soon as possible, but retains a co-process running as root for features that require root access. This allows these features to work correctly while minimising the amount of code that runs as root. More information about Xvnc.

You can prevent the second process from running by removing the setuid permission from the Xvnc binary. However, if you do this, then the following features will not work:

  • You will not be able to authenticate as any user other than the desktop owner
  • Single sign-on will be disabled
  • Remote printing will not work.

For these reasons, we recommend leaving the setuid permission intact on the Xvnc binary.

The above also applies to the vncserver-x11 and /Library/vnc/vncserver-root under Mac OS X.

VNC Enterprise/Personal Edition

In 4.6.x, to run without the root helper, just remove the Xvnc (root helper) binary and rename the Xvnc-core binary to Xvnc. The /var/run/vncserver-auth directory is only necessary for the root helper, so you should be able to remove it completely.


×