Bug#1026827: xrdp: initially xrdp worked ok, but later it broke, and the problem was /etc/xrdp/startwm.sh that changed
Package: xrdp
Version: 0.9.12-1.1
Severity: critical
Justification: breaks the whole system
X-Debbugs-Cc: alexbodn@gmail.com
Dear Maintainer,
* What led up to the situation?
The remmina-rdp and android ms-rdesktop initially worked ok,
but after this change they began to show a black screen and close it.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Upstream discussion led me to check /etc/xrdp/startwm.sh, which not only seemed broken,
but the version that seemed ok (and later indeed worked) was renamed to /etc/xrdp/startwm.sh0.
The broken version was also in a file /etc/xrdp/startwm.sh1.
* What was the outcome of this action?
xrdp was initially working until the day before, when it showed a black window and disconnected.
* What outcome did you expect instead?
After I suspected this file was broken, and replaced it with /etc/xrdp/startwm.sh0 that was by its side.
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-20-cloud-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages xrdp depends on:
ii adduser 3.118
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u5
ii libfuse2 2.9.9-5
ii libjpeg62-turbo 1:2.0.6-4
ii libopus0 1.3.1-0.1
ii libpam0g 1.4.0-9+deb11u1
ii libssl1.1 1.1.1n-0+deb11u3
ii libx11-6 2:1.7.2-1
ii libxfixes3 1:5.0.3-2
ii libxrandr2 2:1.5.1-1
ii lsb-base 11.1.0
ii ssl-cert 1.1.0+nmu1
Versions of packages xrdp recommends:
ii fuse3 [fuse] 3.10.3-2
ii xorgxrdp 1:0.2.12-1
Versions of packages xrdp suggests:
pn guacamole <none>
pn xrdp-pulseaudio-installer <none>
Versions of packages xorgxrdp depends on:
ii libc6 2.31-13+deb11u5
ii libepoxy0 1.5.5-1
pn xorg-input-abi-24 <none>
ii xserver-xorg-core [xorg-video-abi-24] 2:1.20.11-1+deb11u4
Versions of packages xorgxrdp recommends:
ii xorg 1:7.7+22
Versions of packages xrdp is related to:
pn vnc-server <none>
ii xserver-xorg-legacy 2:1.20.11-1+deb11u4
-- Configuration Files:
/etc/xrdp/startwm.sh changed:
if [ -r /etc/default/locale ]; then
    . /etc/default/locale
    export LANG LANGUAGE
fi
startxfce4
/etc/xrdp/xrdp.ini changed:
[Globals]
; xrdp.ini file version number
ini_version=1
; fork a new process for each incoming connection
fork=true
; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
;
; Examples:
; port=3389
; port=unix://./tmp/xrdp.socket
; port=tcp://.:3389 127.0.0.1:3389
; port=tcp://:3389 *:3389
; port=tcp://<any ipv4 format addr>:3389 192.168.1.1:3389
; port=tcp6://.:3389 ::1:3389
; port=tcp6://:3389 *:3389
; port=tcp6://{<any ipv6 format addr>}:3389 {FC00:0:0:0:0:0:0:1}:3389
; port=vsock://<cid>:<port>
port=3389
;port=tcp://.:3389
; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false
; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true
; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true
; set tcp send/recv buffer (for experts)
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
; note this needs the user xrdp to be a member of the ssl-cert group, do with e.g.
;$ sudo adduser xrdp ssl-cert
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
;ssl_protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
; set TLS cipher suites
; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=
allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
; You can set the PAM error text in a gateway setup (MAX 256 chars)
;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
;
; configure login screen
;
; Login Screen Window Title
; top level window background color in RGB format
ls_top_window_bg_color=009cb5
; width and height of login screen
ls_width=350
ls_height=430
; login screen background color in RGB format
ls_bg_color=dedede
; optional background image filename (bmp format).
; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50
; for positioning labels such as username, password etc
ls_label_x_pos=30
ls_label_width=65
; for positioning text and combo boxes next to above labels
ls_input_x_pos=110
ls_input_width=210
; y pos for first label and combo box
ls_input_y_pos=220
; OK button
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30
; Cancel button
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30
[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug
[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true
; for debugging xrdp, in section xrdp1, change port=-1 to this:
; for debugging xrdp, add following line to section xrdp1
;
; Session types
;
; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20
[Xvnc]
name=Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
[vnc-any]
name=vnc-any
lib=libvnc.so
ip=ask
port=ask5900
username=na
password=ask
[neutrinordp-any]
name=neutrinordp-any
lib=libxrdpneutrinordp.so
ip=ask
port=ask3389
username=ask
password=ask
; You can override the common channel settings for each session type
-- no debconf information