| /* $OpenBSD$ */ |
| |
| /* |
| * Copyright (c) 2021 Dallas Lyons <dallasdlyons@gmail.com> |
| * |
| * Permission to use, copy, modify, and distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER |
| * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
| * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| */ |
| |
| #include <sys/stat.h> |
| #include <sys/types.h> |
| |
| #include <pwd.h> |
| #include <stdio.h> |
| #include <string.h> |
| #include <stdlib.h> |
| #include <unistd.h> |
| |
| #include "tmux.h" |
| |
| /* |
| * Controls access to session. |
| */ |
| |
| static enum cmd_retval cmd_server_access_exec(struct cmd *, struct cmdq_item *); |
| |
| const struct cmd_entry cmd_server_access_entry = { |
| .name = "server-access", |
| .alias = NULL, |
| |
| .args = { "adlrw", 0, 1, NULL }, |
| .usage = "[-adlrw]" CMD_TARGET_PANE_USAGE " [user]", |
| |
| .flags = CMD_CLIENT_CANFAIL, |
| .exec = cmd_server_access_exec |
| }; |
| |
| static enum cmd_retval |
| cmd_server_access_deny(struct cmdq_item *item, struct passwd *pw) |
| { |
| struct client *loop; |
| struct server_acl_user *user; |
| uid_t uid; |
| |
| if ((user = server_acl_user_find(pw->pw_uid)) == NULL) { |
| cmdq_error(item, "user %s not found", pw->pw_name); |
| return (CMD_RETURN_ERROR); |
| } |
| TAILQ_FOREACH(loop, &clients, entry) { |
| uid = proc_get_peer_uid(loop->peer); |
| if (uid == server_acl_get_uid(user)) { |
| loop->exit_message = xstrdup("access not allowed"); |
| loop->flags |= CLIENT_EXIT; |
| } |
| } |
| server_acl_user_deny(pw->pw_uid); |
| |
| return (CMD_RETURN_NORMAL); |
| } |
| |
| static enum cmd_retval |
| cmd_server_access_exec(struct cmd *self, struct cmdq_item *item) |
| { |
| |
| struct args *args = cmd_get_args(self); |
| struct client *c = cmdq_get_target_client(item); |
| char *name; |
| struct passwd *pw = NULL; |
| |
| if (args_has(args, 'l')) { |
| server_acl_display(item); |
| return (CMD_RETURN_NORMAL); |
| } |
| if (args_count(args) == 0) { |
| cmdq_error(item, "missing user argument"); |
| return (CMD_RETURN_ERROR); |
| } |
| |
| name = format_single(item, args_string(args, 0), c, NULL, NULL, NULL); |
| if (*name != '\0') |
| pw = getpwnam(name); |
| if (pw == NULL) { |
| cmdq_error(item, "unknown user: %s", name); |
| return (CMD_RETURN_ERROR); |
| } |
| free(name); |
| |
| if (pw->pw_uid == 0 || pw->pw_uid == getuid()) { |
| cmdq_error(item, "%s owns the server, can't change access", |
| pw->pw_name); |
| return (CMD_RETURN_ERROR); |
| } |
| |
| if (args_has(args, 'a') && args_has(args, 'd')) { |
| cmdq_error(item, "-a and -d cannot be used together"); |
| return (CMD_RETURN_ERROR); |
| } |
| if (args_has(args, 'w') && args_has(args, 'r')) { |
| cmdq_error(item, "-r and -w cannot be used together"); |
| return (CMD_RETURN_ERROR); |
| } |
| |
| if (args_has(args, 'd')) |
| return (cmd_server_access_deny(item, pw)); |
| if (args_has(args, 'a')) { |
| if (server_acl_user_find(pw->pw_uid) != NULL) { |
| cmdq_error(item, "user %s is already added", |
| pw->pw_name); |
| return (CMD_RETURN_ERROR); |
| } |
| server_acl_user_allow(pw->pw_uid); |
| /* Do not return - allow -r or -w with -a. */ |
| } else if (args_has(args, 'r') || args_has(args, 'w')) { |
| /* -r or -w implies -a if user does not exist. */ |
| if (server_acl_user_find(pw->pw_uid) == NULL) |
| server_acl_user_allow(pw->pw_uid); |
| } |
| |
| if (args_has(args, 'w')) { |
| if (server_acl_user_find(pw->pw_uid) == NULL) { |
| cmdq_error(item, "user %s not found", pw->pw_name); |
| return (CMD_RETURN_ERROR); |
| } |
| server_acl_user_allow_write(pw->pw_uid); |
| return (CMD_RETURN_NORMAL); |
| } |
| |
| if (args_has(args, 'r')) { |
| if (server_acl_user_find(pw->pw_uid) == NULL) { |
| cmdq_error(item, "user %s not found", pw->pw_name); |
| return (CMD_RETURN_ERROR); |
| } |
| server_acl_user_deny_write(pw->pw_uid); |
| return (CMD_RETURN_NORMAL); |
| } |
| |
| return (CMD_RETURN_NORMAL); |
| } |