vncconfig -list shows a pretty long list of runtime parameters. Unfortunately, vncconfig -set only works on a few of them, since we have this in vncExtInit.cc:

    /*
     * Allow to change only certain parameters.
     * Changing other parameters (for example PAM service name)
     * could have negative security impact.
     */
    if (strncasecmp(param.buf, "desktop", 7) != 0 &&
        strncasecmp(param.buf, "AcceptPointerEvents", 19) != 0 &&
        (noclipboard || strncasecmp(param.buf, "SendCutText", 11) != 0) &&
        (noclipboard || strncasecmp(param.buf, "AcceptCutText", 13) != 0))
        goto deny;

We should accept a lot of parameters, at least MaxIdleTime et al. However, I'd say that probably we could have a blacklist instead, or, as an alternative, disallow "almost everything" when running setuid. If not setuid, there's no point in disallowing runtime configuration, since it can be changed with gdb anyway...
Upstream now has a bit more flexibility in the form of the "AllowOverride" setting, which controls what users can modify.
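A sketch of the kind of configurable, default-deny allowlist check that a setting like "AllowOverride" implies, added here as an example; it is not TigerVNC's code. The function name param_override_allowed, the "name=value" request form and the comma-separated list format are assumptions, and the sample lists are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not TigerVNC code): returns 1 if the parameter named
 * in `request` ("name" or "name=value") appears in the comma-separated
 * `allowlist`, else 0. Names are compared whole and case-insensitively, so
 * an entry never matches a longer name that merely starts with it. */
int param_override_allowed(const char *allowlist, const char *request)
{
    if (allowlist == NULL || request == NULL)
        return 0;

    /* The parameter name ends at '=' or at the end of the string. */
    size_t name_len = strcspn(request, "=");
    if (name_len == 0)
        return 0;                       /* empty name: deny */

    const char *p = allowlist;
    while (*p != '\0') {
        p += strspn(p, ", \t");         /* skip separators and blanks */
        size_t entry_len = strcspn(p, ", \t");
        if (entry_len == name_len &&
            strncasecmp(p, request, name_len) == 0)
            return 1;                   /* exact name is on the list */
        p += entry_len;
    }
    return 0;                           /* default deny */
}

int main(void)
{
    /* Constructed sample list: an administrator who also permits MaxIdleTime. */
    const char *allow = "desktop,AcceptPointerEvents,MaxIdleTime";
    const char *requests[] = { "MaxIdleTime=600", "PAMService=login",
                               "desktopExtra=x" };

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-18s -> %s\n", requests[i],
               param_override_allowed(allow, requests[i]) ? "allow" : "deny");
    return 0;
}
```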
There are no clear use cases described here, only a suggestion for a technical solution. We can revisit this under a more specific bug once we know what problem we are trying to solve.