RetroBSD Net
Title:
TigerVNC server service (as unprivileged user)
Authors:
Paolo Vincenzo Olivo
Date:
Topics:
NetBSD, Self-hosting
Id:
c5b07d

*Note: this article assumes net/tigervnc is installed to provide the Xvnc binary.*

For my Rpi4, I wrote a vncserver rc.d service script which starts a standard Xvnc server for a single, dedicated (with restricted class capabilities set in login.conf), unprivileged user upon boot:

```sh
#!/bin/sh
#
# PROVIDE: vncserver
# REQUIRE: NETWORKING SERVERS DAEMON LOGIN
# KEYWORD: shutdown

# Source rc.subr unless it has already been loaded.
$_rc_subr_loaded . /etc/rc.subr

name=vncserver
rcvar=$name

VNCSERVER=/usr/pkg/bin/vncserver

load_rc_config $name
vncdir="/home/vnc/.vnc"
# The service refuses to start unless both files exist and are readable.
required_files="${vncdir}/passwd ${vncdir}/xstartup"
start_cmd="vncserver_start"
stop_cmd="vncserver_stop"

# Defaults; override them in /etc/rc.conf.
: ${vncserver_user="vnc"}
: ${vncserver_display="1"}
: ${vncserver_depth="24"}
: ${vncserver_geometry="1024x768"}

# Start the server as the unprivileged user, never as root.
vncserver_start() {
	CMD="$VNCSERVER -depth ${vncserver_depth} -geometry ${vncserver_geometry} :${vncserver_display}"
	su -l ${vncserver_user} -c "${CMD}"
}

vncserver_stop() {
	CMD="$VNCSERVER -kill :${vncserver_display}"
	su -l ${vncserver_user} -c "${CMD}"
}

run_rc_command "$1"
```

Put it in */etc/rc.d*, change its permissions to 555 and have it started:

```sh
$ echo vncserver=YES >> /etc/rc.conf
$ service vncserver start
```

Make sure a suitable TERM definition is set system-wide in */etc/profile*, otherwise tset will prompt you to provide one interactively. Also, the service requires *~/.vnc/passwd* and *~/.vnc/xstartup* to be present and readable. This is my *~/.vnc/xstartup*:

```sh
PATH=/bin:/usr/bin:/usr/X11R7/bin:/usr/pkg/sbin:/usr/local/bin
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
LC_LANG="en_US.UTF-8"; export LC_LANG
LC_CTYPE="en_US.UTF-8"; export LC_CTYPE
# Keyboard layout, root window background, pointer and key repeat settings
setxkbmap it
xsetroot -grey
xset m 55/20 4
xset r rate 250 40
# Extra font paths
xset +fp /usr/pkg/share/fonts/X11/artwiz-aleczapka/
xset +fp /usr/pkg/share/fonts/X11/Dina/
xrdb ${HOME}/.Xresources
xmodmap ${HOME}/.xmodmap
xclock &
xload &
ctwm -W &
```

For LAN sessions, you may want to additionally configure an NPF (https://man.netbsd.org/npf.7) firewall to allow incoming VNC connections from the local network only and reject everything else.

```
$NIC = ifaddrs(your network interface here)
$LAN = { 192.168.1.1/24 }

alg "icmp"

group default {
	pass final on lo0 all
	pass stateful out final all
	pass stateful in final proto tcp from $LAN to $NIC port 5901
	block return in final all
}
```
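A pre-flight audit for the two pieces described above, the files the rc.d script requires and the NPF rule for the display's port. This is an added example, not part of the original article or of TigerVNC/NetBSD; the function names `vnc_port`, `any_perm`, `vnc_audit` and `npf_allows_display` are hypothetical, and the owner-only policy for `passwd` and `xstartup` is an assumption about how the dedicated user's files should be locked down.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not TigerVNC or NetBSD tools.

# TCP port Xvnc listens on for display N (RFB convention: 5900 + N).
vnc_port() { echo $((5900 + $1)); }

# any_perm FILE BIT...: true if FILE has at least one of the octal bits set.
# Uses only POSIX "find -perm -BIT", so it behaves the same on NetBSD and Linux.
any_perm() {
	_file=$1; shift
	for _bit in "$@"; do
		[ -n "$(find "$_file" -prune -perm "-$_bit" 2>/dev/null)" ] && return 0
	done
	return 1
}

# vnc_audit VNCDIR: check the two files the rc.d script lists in required_files.
vnc_audit() {
	_dir=$1; _rc=0
	for _name in passwd xstartup; do
		[ -f "$_dir/$_name" ] || { echo "MISSING: $_dir/$_name"; _rc=1; }
	done
	# The VNC password file must be accessible by its owner only.
	if any_perm "$_dir/passwd" 040 020 010 004 002 001; then
		echo "WEAK: $_dir/passwd is accessible by group or other"; _rc=1
	fi
	# xstartup is executed as the VNC user, so nobody else may edit it
	# or replace it by writing to the directory that holds it.
	for _path in "$_dir/xstartup" "$_dir"; do
		if any_perm "$_path" 020 002; then
			echo "WEAK: $_path is writable by group or other"; _rc=1
		fi
	done
	return $_rc
}

# npf_allows_display CONF N: true if CONF has a pass rule for display N's port.
npf_allows_display() {
	grep -Eq "^[[:space:]]*pass .*port $(vnc_port "$2")([^0-9]|\$)" "$1"
}
```

After sourcing the file, `vnc_audit /home/vnc/.vnc` returns non-zero and prints one line per finding; `npf_allows_display` catches the case where `vncserver_display` was changed in rc.conf but the firewall rule still names the old port.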

