1 /* $OpenBSD$ */
2
3 /*
4 * Copyright (c) 2021 Holland Schutte, Jayson Morberg
5 * Copyright (c) 2021 Dallas Lyons <dallasdlyons@gmail.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
16 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
17 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/types.h>
21 #include <sys/stat.h>
22 #include <sys/socket.h>
23
24 #include <ctype.h>
25 #include <pwd.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <unistd.h>
29
30 #include "tmux.h"
31
32 struct server_acl_user {
33 uid_t uid;
34
35 int flags;
36 #define SERVER_ACL_READONLY 0x1
37
38 RB_ENTRY(server_acl_user) entry;
39 };
40
41 static int
server_acl_cmp(struct server_acl_user * user1,struct server_acl_user * user2)42 server_acl_cmp(struct server_acl_user *user1, struct server_acl_user *user2)
43 {
44 if (user1->uid < user2->uid)
45 return (-1);
46 return (user1->uid > user2->uid);
47 }
48
49 RB_HEAD(server_acl_entries, server_acl_user) server_acl_entries;
50 RB_GENERATE_STATIC(server_acl_entries, server_acl_user, entry, server_acl_cmp);
51
52 /* Initialize server_acl tree. */
53 void
server_acl_init(void)54 server_acl_init(void)
55 {
56 RB_INIT(&server_acl_entries);
57
58 if (getuid() != 0)
59 server_acl_user_allow(0);
60 server_acl_user_allow(getuid());
61 }
62
63 /* Find user entry. */
64 struct server_acl_user*
server_acl_user_find(uid_t uid)65 server_acl_user_find(uid_t uid)
66 {
67 struct server_acl_user find = { .uid = uid };
68
69 return (RB_FIND(server_acl_entries, &server_acl_entries, &find));
70 }
71
72 /* Display the tree. */
73 void
server_acl_display(struct cmdq_item * item)74 server_acl_display(struct cmdq_item *item)
75 {
76 struct server_acl_user *loop;
77 struct passwd *pw;
78 const char *name;
79
80 RB_FOREACH(loop, server_acl_entries, &server_acl_entries) {
81 if (loop->uid == 0)
82 continue;
83 if ((pw = getpwuid(loop->uid)) != NULL)
84 name = pw->pw_name;
85 else
86 name = "unknown";
87 if (loop->flags == SERVER_ACL_READONLY)
88 cmdq_print(item, "%s (R)", name);
89 else
90 cmdq_print(item, "%s (W)", name);
91 }
92 }
93
94 /* Allow a user. */
95 void
server_acl_user_allow(uid_t uid)96 server_acl_user_allow(uid_t uid)
97 {
98 struct server_acl_user *user;
99
100 user = server_acl_user_find(uid);
101 if (user == NULL) {
102 user = xcalloc(1, sizeof *user);
103 user->uid = uid;
104 RB_INSERT(server_acl_entries, &server_acl_entries, user);
105 }
106 }
107
108 /* Deny a user (remove from the tree). */
109 void
server_acl_user_deny(uid_t uid)110 server_acl_user_deny(uid_t uid)
111 {
112 struct server_acl_user *user;
113
114 user = server_acl_user_find(uid);
115 if (user != NULL) {
116 RB_REMOVE(server_acl_entries, &server_acl_entries, user);
117 free(user);
118 }
119 }
120
121 /* Allow this user write access. */
122 void
server_acl_user_allow_write(uid_t uid)123 server_acl_user_allow_write(uid_t uid)
124 {
125 struct server_acl_user *user;
126 struct client *c;
127
128 user = server_acl_user_find(uid);
129 if (user == NULL)
130 return;
131 user->flags &= ~SERVER_ACL_READONLY;
132
133 TAILQ_FOREACH(c, &clients, entry) {
134 uid = proc_get_peer_uid(c->peer);
135 if (uid != (uid_t)-1 && uid == user->uid)
136 c->flags &= ~CLIENT_READONLY;
137 }
138 }
139
140 /* Deny this user write access. */
141 void
server_acl_user_deny_write(uid_t uid)142 server_acl_user_deny_write(uid_t uid)
143 {
144 struct server_acl_user *user;
145 struct client *c;
146
147 user = server_acl_user_find(uid);
148 if (user == NULL)
149 return;
150 user->flags |= SERVER_ACL_READONLY;
151
152 TAILQ_FOREACH(c, &clients, entry) {
153 uid = proc_get_peer_uid(c->peer);
154 if (uid != (uid_t)-1 && uid == user->uid)
155 c->flags |= CLIENT_READONLY;
156 }
157 }
158
159 /*
160 * Check if the client's UID exists in the ACL list and if so, set as read only
161 * if needed. Return false if the user does not exist.
162 */
163 int
server_acl_join(struct client * c)164 server_acl_join(struct client *c)
165 {
166 struct server_acl_user *user;
167 uid_t uid;
168
169 uid = proc_get_peer_uid(c->peer);
170 if (uid == (uid_t)-1)
171 return (0);
172
173 user = server_acl_user_find(uid);
174 if (user == NULL)
175 return (0);
176 if (user->flags & SERVER_ACL_READONLY)
177 c->flags |= CLIENT_READONLY;
178 return (1);
179 }
180
181 /* Get UID for user entry. */
182 uid_t
server_acl_get_uid(struct server_acl_user * user)183 server_acl_get_uid(struct server_acl_user *user)
184 {
185 return (user->uid);
186 }
187