fix: harden macos vnc password bootstrap

This commit is contained in:
Peter Steinberger 2026-05-07 22:38:18 +01:00
parent fdef9df8af
commit edd5fae230
No known key found for this signature in database
5 changed files with 19 additions and 0 deletions


@ -18,6 +18,7 @@
- Fixed Islo provider sync so `crabbox run --provider islo` uploads the local workspace, uses the correct `/workspace/<workdir>`, and falls back to chunked exec upload while the archive API returns server errors.
- Fixed Code and WebVNC bridge websocket auth so upgraded brokers receive short-lived bridge tickets in the `Authorization` header instead of logging them in URL query strings, while preserving query fallback for older brokers.
- Fixed managed AWS macOS desktop leases so readiness and WebVNC use a writable `ec2-user` work root, call `crabbox-ready` by absolute path, and read the generated Screen Sharing password via sudo.
- Fixed managed AWS macOS bootstrap so VNC password generation does not abort under `pipefail` before Screen Sharing readiness is installed.
- Fixed coordinator-backed `crabbox list` so a stale admin token no longer blocks normal logged-in users; the CLI now falls back to active user-visible leases instead of failing with `401 unauthorized`.
- Fixed desktop, screenshot, VNC, and WebVNC SSH helpers so they retry live fallback ports when a coordinator lease advertises an SSH port that is not ready yet.


@ -399,7 +399,13 @@ set -euxo pipefail
install -d -m 0755 ` + shellQuote(workRoot) + ` /var/db/crabbox
chown -R ` + shellQuote(cfg.SSHUser) + `:staff ` + shellQuote(workRoot) + `
if [ ! -s /var/db/crabbox/vnc.password ]; then
set +o pipefail
pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"
set -o pipefail
if [ "${#pw}" -ne 16 ]; then
echo "failed to generate vnc password" >&2
exit 1
fi
printf '%s\n' "$pw" >/var/db/crabbox/vnc.password
dscl . -passwd /Users/` + shellQuote(cfg.SSHUser) + ` "$pw"
fi
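Review bot: The generated password is echoed into the shell trace, because the hunk context shows the script runs under `set -euxo pipefail` and `-x` prints the expanded `pw=` assignment and the `dscl . -passwd ... "$pw"` command; on an EC2 Mac that trace lands in whatever captures user-data output, so the cleartext is in a log before Screen Sharing is even ready. Wrap the generation and the `dscl` call in `set +x` / `set -x` so the secret never reaches the trace. A second, separate gap is that `printf ... >/var/db/crabbox/vnc.password` creates the file under the default umask inside the `0755` directory from the line above the `if`, so unless something after the `fi` tightens it, any local account can read it; `(umask 077; printf '%s\n' "$pw" >/var/db/crabbox/vnc.password)` fixes that at the point of creation. Since this value becomes the `ec2-user` login password and not only a VNC secret, either exposure is an account takeover rather than a desktop-only leak. The Go string template enclosing this script starts before the hunk and continues after it.
```go
if [ ! -s /var/db/crabbox/vnc.password ]; then
set +x
set +o pipefail
pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"
set -o pipefail
# … unchanged: 16-character length check …
(umask 077; printf '%s\n' "$pw" >/var/db/crabbox/vnc.password)
dscl . -passwd /Users/` + shellQuote(cfg.SSHUser) + ` "$pw"
set -x
fi
```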


@ -260,6 +260,9 @@ func TestAWSUserDataMacOSProfile(t *testing.T) {
"#!/bin/bash",
defaultMacOSWorkRoot,
"/var/db/crabbox/vnc.password",
"set +o pipefail",
"set -o pipefail",
"failed to generate vnc password",
"com.apple.screensharing",
"/usr/local/bin/crabbox-ready",
"nc -z 127.0.0.1 5900",
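Review bot: The three new expectations only check that each marker appears somewhere in the rendered script, so a regression that moves `set -o pipefail` above the `pw=` line — the exact ordering the fix relies on — would still pass if the enclosing loop is a plain substring check, as its shape suggests. Add an ordering assertion on the rendered script next to the loop, e.g. `if strings.Index(got, "set +o pipefail") > strings.Index(got, "pw=\"$(") { t.Fatalf("pipefail must be disabled before vnc password generation") }`, and the mirror check that `set -o pipefail` comes after it. The test function's body and the loop that consumes this list begin outside the hunk.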


@ -273,7 +273,13 @@ set -euxo pipefail
install -d -m 0755 ${shellQuote(config.workRoot)} /var/db/crabbox
chown -R ${shellQuote(config.sshUser)}:staff ${shellQuote(config.workRoot)}
if [ ! -s /var/db/crabbox/vnc.password ]; then
set +o pipefail
pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"
set -o pipefail
if [ "\${#pw}" -ne 16 ]; then
echo "failed to generate vnc password" >&2
exit 1
fi
printf '%s\\n' "$pw" >/var/db/crabbox/vnc.password
dscl . -passwd /Users/${shellQuote(config.sshUser)} "$pw"
fi
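Review bot: The password file is written with `>` redirection and no umask or mode, inside the directory that the line above the `if` creates as `0755`, so it comes out world-readable unless something after the `fi` chmods it; the changelog says clients read it via sudo, which only helps if the file is actually root-only. Create it with `(umask 077; printf '%s\\n' "$pw" >/var/db/crabbox/vnc.password)` so the mode is right from the first byte. The same block also runs with xtrace on, per the `set -euxo pipefail` shown in the hunk context, which prints the expanded `pw=` assignment and the `dscl . -passwd` command with the secret into the user-data log; disable tracing around the block with `set +x` / `set -x`. Because `dscl . -passwd` sets the login password of the SSH user, this secret deserves the same handling as an SSH key. The template literal holding this script starts before the hunk and continues after it, and this script is duplicated in the Go template, so both copies need the same change.
```typescript
if [ ! -s /var/db/crabbox/vnc.password ]; then
set +x
set +o pipefail
pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"
set -o pipefail
# … unchanged: 16-character length check …
(umask 077; printf '%s\\n' "$pw" >/var/db/crabbox/vnc.password)
dscl . -passwd /Users/${shellQuote(config.sshUser)} "$pw"
set -x
fi
```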


@ -221,6 +221,9 @@ describe("cloud-init bootstrap", () => {
expect(got).toContain("#!/bin/bash");
expect(got).toContain("/Users/ec2-user/crabbox");
expect(got).toContain("/var/db/crabbox/vnc.password");
expect(got).toContain("set +o pipefail");
expect(got).toContain("set -o pipefail");
expect(got).toContain("failed to generate vnc password");
expect(got).toContain("com.apple.screensharing");
expect(got).toContain("/usr/local/bin/crabbox-ready");
});
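Review bot: `toContain` on each marker independently cannot catch the failure mode the commit fixes — a script where `set -o pipefail` is restored before the `pw=` line would still satisfy all three new expectations. Pin the order on `got` as well, e.g. `expect(got.indexOf("set +o pipefail")).toBeLessThan(got.indexOf('pw="$('));` and `expect(got.indexOf('pw="$(')).toBeLessThan(got.indexOf("set -o pipefail"));`. The `it` block these expectations belong to opens before the hunk.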