From d6306b634e4a044e3380ed984dc7f5e5d67e69ac Mon Sep 17 00:00:00 2001
From: Nicholas Marriott <nicholas.marriott@gmail.com>
Date: Wed, 6 Apr 2022 14:28:50 +0100
Subject: Add an ACL list for users connecting to the tmux socket. Users may be
 forbidden from attaching, forced to attach read-only, or allowed to attach
 read-write. A new command, server-access, configures the list. tmux gets the
 user using getpeereid(3) of the client socket. Users must still configure
 file system permissions manually.

---
 server.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'server.c')

diff --git a/server.c b/server.c
index 5b70dcd0..05bc50f4 100644
--- a/server.c
+++ b/server.c
@@ -245,6 +245,8 @@ server_start(struct tmuxproc *client, int flags, struct event_base *base,
 	evtimer_set(&server_ev_tidy, server_tidy_event, NULL);
 	evtimer_add(&server_ev_tidy, &tv);
 
+	server_acl_init();
+
 	server_add_accept(0);
 	proc_loop(server_proc, server_loop);
 
@@ -361,9 +363,10 @@ server_update_socket(void)
 static void
 server_accept(int fd, short events, __unused void *data)
 {
-	struct sockaddr_storage	sa;
-	socklen_t		slen = sizeof sa;
-	int			newfd;
+	struct sockaddr_storage	 sa;
+	socklen_t		 slen = sizeof sa;
+	int			 newfd;
+	struct client		*c;
 
 	server_add_accept(0);
 	if (!(events & EV_READ))
@@ -380,11 +383,16 @@ server_accept(int fd, short events, __unused void *data)
 		}
 		fatal("accept failed");
 	}
+
 	if (server_exit) {
 		close(newfd);
 		return;
 	}
-	server_client_create(newfd);
+	c = server_client_create(newfd);
+	if (!server_acl_join(c)) {
+		c->exit_message = xstrdup("access not allowed");
+		c->flags |= CLIENT_EXIT;
+	}
 }
 
 /*
-- 
cgit