1/* $OpenBSD: cmd-server-access.c,v 1.3 2022/05/31 16:13:43 nicm Exp $ */ 2 3/* 4 * Copyright (c) 2021 Dallas Lyons <dallasdlyons@gmail.com> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER 15 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/stat.h> 20#include <sys/types.h> 21 22#include <pwd.h> 23#include <stdio.h> 24#include <string.h> 25#include <stdlib.h> 26#include <unistd.h> 27 28#include "tmux.h" 29 30/* 31 * Controls access to session. 32 */ 33 34static enum cmd_retval cmd_server_access_exec(struct cmd *, struct cmdq_item *); 35 36const struct cmd_entry cmd_server_access_entry = { 37 .name = "server-access", 38 .alias = NULL, 39 40 .args = { "adlrw", 0, 1, NULL }, 41 .usage = "[-adlrw] " CMD_TARGET_PANE_USAGE " [user]", 42 43 .flags = CMD_CLIENT_CANFAIL, 44 .exec = cmd_server_access_exec 45}; 46 47static enum cmd_retval 48cmd_server_access_deny(struct cmdq_item *item, struct passwd *pw) 49{ 50 struct client *loop; 51 struct server_acl_user *user; 52 uid_t uid; 53 54 if ((user = server_acl_user_find(pw->pw_uid)) == NULL) { 55 cmdq_error(item, "user %s not found", pw->pw_name); 56 return (CMD_RETURN_ERROR); 57 } 58 TAILQ_FOREACH(loop, &clients, entry) { 59 uid = proc_get_peer_uid(loop->peer); 60 if (uid == server_acl_get_uid(user)) { 61 loop->exit_message = xstrdup("access not allowed"); 62 loop->flags |= CLIENT_EXIT; 63 } 64 } 65 server_acl_user_deny(pw->pw_uid); 66 67 return (CMD_RETURN_NORMAL); 68} 69 70static enum cmd_retval 71cmd_server_access_exec(struct cmd *self, struct cmdq_item *item) 72{ 73 74 struct args *args = cmd_get_args(self); 75 struct client *c = cmdq_get_target_client(item); 76 char *name; 77 struct passwd *pw = NULL; 78 79 if (args_has(args, 'l')) { 80 server_acl_display(item); 81 return (CMD_RETURN_NORMAL); 82 } 83 if (args_count(args) == 0) { 84 cmdq_error(item, "missing user argument"); 85 return (CMD_RETURN_ERROR); 86 } 87 88 name = format_single(item, args_string(args, 0), c, NULL, NULL, NULL); 89 if (*name != '\0') 90 pw = getpwnam(name); 91 if (pw == NULL) { 92 cmdq_error(item, "unknown user: %s", name); 93 return (CMD_RETURN_ERROR); 94 } 95 free(name); 96 97 if (pw->pw_uid == 0 || pw->pw_uid == getuid()) { 98 cmdq_error(item, "%s owns the server, can't change access", 99 pw->pw_name); 100 return (CMD_RETURN_ERROR); 101 } 102 103 if (args_has(args, 'a') && args_has(args, 'd')) { 104 cmdq_error(item, "-a and -d cannot be used together"); 105 return (CMD_RETURN_ERROR); 106 } 107 if (args_has(args, 'w') && args_has(args, 'r')) { 108 cmdq_error(item, "-r and -w cannot be used together"); 109 return (CMD_RETURN_ERROR); 110 } 111 112 if (args_has(args, 'd')) 113 return (cmd_server_access_deny(item, pw)); 114 if (args_has(args, 'a')) { 115 if (server_acl_user_find(pw->pw_uid) != NULL) { 116 cmdq_error(item, "user %s is already added", 117 pw->pw_name); 118 return (CMD_RETURN_ERROR); 119 } 120 server_acl_user_allow(pw->pw_uid); 121 /* Do not return - allow -r or -w with -a. */ 122 } else if (args_has(args, 'r') || args_has(args, 'w')) { 123 /* -r or -w implies -a if user does not exist. */ 124 if (server_acl_user_find(pw->pw_uid) == NULL) 125 server_acl_user_allow(pw->pw_uid); 126 } 127 128 if (args_has(args, 'w')) { 129 if (server_acl_user_find(pw->pw_uid) == NULL) { 130 cmdq_error(item, "user %s not found", pw->pw_name); 131 return (CMD_RETURN_ERROR); 132 } 133 server_acl_user_allow_write(pw->pw_uid); 134 return (CMD_RETURN_NORMAL); 135 } 136 137 if (args_has(args, 'r')) { 138 if (server_acl_user_find(pw->pw_uid) == NULL) { 139 cmdq_error(item, "user %s not found", pw->pw_name); 140 return (CMD_RETURN_ERROR); 141 } 142 server_acl_user_deny_write(pw->pw_uid); 143 return (CMD_RETURN_NORMAL); 144 } 145 146 return (CMD_RETURN_NORMAL); 147} 148