From cd692b5a68be0eb95252380db97fbbec587d6350 Mon Sep 17 00:00:00 2001
From: nicm <nicm>
Date: Mon, 30 May 2022 12:48:57 +0000
Subject: Add an ACL list for users connecting to the tmux socket. Users may be
 forbidden from attaching, forced to attach read-only, or allowed to attach
 read-write. A new command, server-access, configures the list. tmux gets the
 user using getpeereid(3) of the client socket. Users must still configure
 file system permissions manually. From Dallas Lyons and others.

---
 cmd-server-access.c | 147 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 cmd-server-access.c

(limited to 'cmd-server-access.c')

diff --git a/cmd-server-access.c b/cmd-server-access.c
new file mode 100644
index 00000000..4fd1dfbf
--- /dev/null
+++ b/cmd-server-access.c
@@ -0,0 +1,147 @@
+/* $OpenBSD$ */
+
+/*
+ * Copyright (c) 2021 Dallas Lyons <dallasdlyons@gmail.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "tmux.h"
+
+/*
+ * Controls access to session.
+ */
+
+static enum cmd_retval cmd_server_access_exec(struct cmd *, struct cmdq_item *);
+
+const struct cmd_entry cmd_server_access_entry = {
+	.name = "server-access",
+	.alias = NULL,
+
+	.args = { "adlrw", 0, 1, NULL },
+	.usage = "[-adlrw]" CMD_TARGET_PANE_USAGE " [user]",
+
+	.flags = CMD_CLIENT_CANFAIL,
+	.exec = cmd_server_access_exec
+};
+
+static enum cmd_retval
+cmd_server_access_deny(struct cmdq_item *item, struct passwd *pw)
+{
+	struct client		*loop;
+	struct server_acl_user	*user;
+	uid_t			 uid;
+
+	if ((user = server_acl_user_find(pw->pw_uid)) == NULL) {
+		cmdq_error(item, "user %s not found", pw->pw_name);
+		return (CMD_RETURN_ERROR);
+	}
+	TAILQ_FOREACH(loop, &clients, entry) {
+		uid = proc_get_peer_uid(loop->peer);
+		if (uid == server_acl_get_uid(user)) {
+			loop->exit_message = xstrdup("access not allowed");
+			loop->flags |= CLIENT_EXIT;
+		}
+	}
+	server_acl_user_deny(pw->pw_uid);
+
+	return (CMD_RETURN_NORMAL);
+}
+
+static enum cmd_retval
+cmd_server_access_exec(struct cmd *self, struct cmdq_item *item)
+{
+
+	struct args	*args = cmd_get_args(self);
+	struct client	*c = cmdq_get_target_client(item);
+	char		*name;
+	struct passwd	*pw = NULL;
+
+	if (args_has(args, 'l')) {
+		server_acl_display(item);
+		return (CMD_RETURN_NORMAL);
+	}
+	if (args_count(args) == 0) {
+		cmdq_error(item, "missing user arguement");
+		return (CMD_RETURN_ERROR);
+	}
+
+	name = format_single(item, args_string(args, 0), c, NULL, NULL, NULL);
+	if (*name != '\0')
+		pw = getpwnam(name);
+	if (pw == NULL) {
+		cmdq_error(item, "unknown user: %s", name);
+		return (CMD_RETURN_ERROR);
+	}
+	free(name);
+
+	if (pw->pw_uid == 0 || pw->pw_uid == getuid()) {
+		cmdq_error(item, "%s owns the server, can't change access",
+		    pw->pw_name);
+		return (CMD_RETURN_ERROR);
+	}
+
+	if (args_has(args, 'a') && args_has(args, 'd')) {
+		cmdq_error(item, "-a and -d cannot be used together");
+		return (CMD_RETURN_ERROR);
+	}
+	if (args_has(args, 'w') && args_has(args, 'r')) {
+		cmdq_error(item, "-r and -w cannot be used together");
+		return (CMD_RETURN_ERROR);
+	}
+
+	if (args_has(args, 'd'))
+		return (cmd_server_access_deny(item, pw));
+	if (args_has(args, 'a')) {
+		if (server_acl_user_find(pw->pw_uid) != NULL) {
+			cmdq_error(item, "user %s is already added",
+			    pw->pw_name);
+			return (CMD_RETURN_ERROR);
+		}
+		server_acl_user_allow(pw->pw_uid);
+		/* Do not return - allow -r or -w with -a. */
+	} else if (args_has(args, 'r') || args_has(args, 'w')) {
+		/* -r or -w implies -a if user does not exist. */
+		if (server_acl_user_find(pw->pw_uid) == NULL)
+			server_acl_user_allow(pw->pw_uid);
+	}
+
+	if (args_has(args, 'w')) {
+		if (server_acl_user_find(pw->pw_uid) == NULL) {
+			cmdq_error(item, "user %s not found", pw->pw_name);
+			return (CMD_RETURN_ERROR);
+		}
+		server_acl_user_allow_write(pw->pw_uid);
+		return (CMD_RETURN_NORMAL);
+	}
+
+	if (args_has(args, 'r')) {
+		if (server_acl_user_find(pw->pw_uid) == NULL) {
+			cmdq_error(item, "user %s not found", pw->pw_name);
+			return (CMD_RETURN_ERROR);
+		}
+		server_acl_user_deny_write(pw->pw_uid);
+		return (CMD_RETURN_NORMAL);
+	}
+
+	return (CMD_RETURN_NORMAL);
+}
-- 
cgit v1.2.3