Channel: Raspberry Pi Forums

Beta testing • Security hole in VNC implementation

I've discovered what I think is a bit of a security hole in the VNC implementation in Raspberry Pi OS Trixie, tested using nightly build 2025-08-29 brought up to date using apt. Looking at the changelog for the wayvnc package, version 0.9.1-1+rpt2 dated 2025-07-04 "Block users from other user's active session" seems to be the fix that prevents one user from VNCing in and attaching to another user's session that is running locally. That fix does seem to work - the user logging in via VNC must be the locally logged in user. However, this can be bypassed in the case where the login desktop is running - here any valid user can VNC in. If a different user then logs in locally, the remote user attached via VNC is still logged in and has full access to the locally logged in user's graphical desktop. The fix is to simply terminate all VNC sessions when a user logs in to the graphical desktop.

I've tested this scenario on RPiOS Bookworm, and the VNC sessions DO get disconnected when another user logs in locally to the graphical desktop; however, for some reason this is not the case on RPiOS Trixie - the VNC user session is not terminated. Maybe this has been done for testing purposes, but it should certainly be fixed before release.

Statistics: Posted by andrum99 — Wed Sep 03, 2025 2:50 am


