diff options
Diffstat (limited to 'cmd-server-access.c')
-rw-r--r-- | cmd-server-access.c | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/cmd-server-access.c b/cmd-server-access.c new file mode 100644 index 0000000..b2b718b --- /dev/null +++ b/cmd-server-access.c @@ -0,0 +1,147 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2021 Dallas Lyons <dallasdlyons@gmail.com> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER + * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <sys/stat.h> +#include <sys/types.h> + +#include <pwd.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> + +#include "tmux.h" + +/* + * Controls access to session. + */ + +static enum cmd_retval cmd_server_access_exec(struct cmd *, struct cmdq_item *); + +const struct cmd_entry cmd_server_access_entry = { + .name = "server-access", + .alias = NULL, + + .args = { "adlrw", 0, 1, NULL }, + .usage = "[-adlrw] " CMD_TARGET_PANE_USAGE " [user]", + + .flags = CMD_CLIENT_CANFAIL, + .exec = cmd_server_access_exec +}; + +static enum cmd_retval +cmd_server_access_deny(struct cmdq_item *item, struct passwd *pw) +{ + struct client *loop; + struct server_acl_user *user; + uid_t uid; + + if ((user = server_acl_user_find(pw->pw_uid)) == NULL) { + cmdq_error(item, "user %s not found", pw->pw_name); + return (CMD_RETURN_ERROR); + } + TAILQ_FOREACH(loop, &clients, entry) { + uid = proc_get_peer_uid(loop->peer); + if (uid == server_acl_get_uid(user)) { + loop->exit_message = xstrdup("access not allowed"); + loop->flags |= CLIENT_EXIT; + } + } + server_acl_user_deny(pw->pw_uid); + + return (CMD_RETURN_NORMAL); +} + +static enum cmd_retval +cmd_server_access_exec(struct cmd *self, struct cmdq_item *item) +{ + + struct args *args = cmd_get_args(self); + struct client *c = cmdq_get_target_client(item); + char *name; + struct passwd *pw = NULL; + + if (args_has(args, 'l')) { + server_acl_display(item); + return (CMD_RETURN_NORMAL); + } + if (args_count(args) == 0) { + cmdq_error(item, "missing user argument"); + return (CMD_RETURN_ERROR); + } + + name = format_single(item, args_string(args, 0), c, NULL, NULL, NULL); + if (*name != '\0') + pw = getpwnam(name); + if (pw == NULL) { + cmdq_error(item, "unknown user: %s", name); + return (CMD_RETURN_ERROR); + } + free(name); + + if (pw->pw_uid == 0 || pw->pw_uid == getuid()) { + cmdq_error(item, "%s owns the server, can't change access", + pw->pw_name); + return (CMD_RETURN_ERROR); + } + + if (args_has(args, 'a') && args_has(args, 'd')) { + cmdq_error(item, "-a and -d cannot be used together"); + return (CMD_RETURN_ERROR); + } + if (args_has(args, 'w') && args_has(args, 'r')) { + cmdq_error(item, "-r and -w cannot be used together"); + return (CMD_RETURN_ERROR); + } + + if (args_has(args, 'd')) + return (cmd_server_access_deny(item, pw)); + if (args_has(args, 'a')) { + if (server_acl_user_find(pw->pw_uid) != NULL) { + cmdq_error(item, "user %s is already added", + pw->pw_name); + return (CMD_RETURN_ERROR); + } + server_acl_user_allow(pw->pw_uid); + /* Do not return - allow -r or -w with -a. */ + } else if (args_has(args, 'r') || args_has(args, 'w')) { + /* -r or -w implies -a if user does not exist. */ + if (server_acl_user_find(pw->pw_uid) == NULL) + server_acl_user_allow(pw->pw_uid); + } + + if (args_has(args, 'w')) { + if (server_acl_user_find(pw->pw_uid) == NULL) { + cmdq_error(item, "user %s not found", pw->pw_name); + return (CMD_RETURN_ERROR); + } + server_acl_user_allow_write(pw->pw_uid); + return (CMD_RETURN_NORMAL); + } + + if (args_has(args, 'r')) { + if (server_acl_user_find(pw->pw_uid) == NULL) { + cmdq_error(item, "user %s not found", pw->pw_name); + return (CMD_RETURN_ERROR); + } + server_acl_user_deny_write(pw->pw_uid); + return (CMD_RETURN_NORMAL); + } + + return (CMD_RETURN_NORMAL); +} |