Merge branch 'users' into packages_and_multiuser_passwd

2021-02-25 22:10:40 +13:00
parent a5e3a47f48 28d19cd556
commit 9084409a20
21 changed files with 515 additions and 122 deletions
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -38,6 +38,9 @@
 #include <ctype.h>
 #include <stdlib.h>
 #include <stdint.h>
+#include <wordexp.h>
+
+#include "kasmpasswd.h"

 using namespace rfb;

@@ -45,6 +48,8 @@ static LogWriter vlog("VNCSConnST");

 static Cursor emptyCursor(0, 0, Point(0, 0), NULL);

+extern rfb::StringParameter basicauth;
+
 VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
                                   bool reverse)
  : sock(s), reverseConnection(reverse),
@@ -54,7 +59,7 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
    losslessTimer(this), kbdLogTimer(this), server(server_), updates(false),
    updateRenderedCursor(false), removeRenderedCursor(false),
    continuousUpdates(false), encodeManager(this, &server_->encCache),
-    pointerEventTime(0),
+    needsPermCheck(false), pointerEventTime(0),
    clientHasCursor(false),
    accessRights(AccessDefault), startTime(time(0))
 {
@@ -65,6 +70,25 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
  memset(bstats_total, 0, sizeof(bstats_total));
  gettimeofday(&connStart, NULL);

+  // Check their permissions, if applicable
+  kasmpasswdpath[0] = '\0';
+  wordexp_t wexp;
+  if (!wordexp(rfb::Server::kasmPasswordFile, &wexp, WRDE_NOCMD))
+    strncpy(kasmpasswdpath, wexp.we_wordv[0], 4096);
+  kasmpasswdpath[4095] = '\0';
+  wordfree(&wexp);
+
+  user[0] = '\0';
+  const char *at = strchr(peerEndpoint.buf, '@');
+  if (at && at - peerEndpoint.buf > 1 && at - peerEndpoint.buf < 32) {
+    memcpy(user, peerEndpoint.buf, at - peerEndpoint.buf);
+    user[at - peerEndpoint.buf] = '\0';
+  }
+
+  bool write, owner;
+  if (!getPerms(write, owner) || !write)
+    accessRights = (accessRights & ~(AccessPtrEvents | AccessKeyEvents | AccessSetDesktopSize));
+
  // Configure the socket
  setSocketTimeouts();
  lastEventTime = time(0);
@@ -1001,6 +1025,34 @@ bool VNCSConnectionST::isShiftPressed()
  return false;
 }

+bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
+{
+  bool found = false;
+  const char *colon = strchr(basicauth, ':');
+  if (!colon || colon[1]) {
+    // We're running without basicauth, or with both user:pass on the command line
+    write = true;
+    return true;
+  }
+  if (colon && !colon[1] && user[0]) {
+    struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath);
+    unsigned i;
+    for (i = 0; i < set->num; i++) {
+      if (!strcmp(set->entries[i].user, user)) {
+        write = set->entries[i].write;
+        owner = set->entries[i].owner;
+        found = true;
+        break;
+      }
+    }
+
+    free(set->entries);
+    free(set);
+  }
+
+  return found;
+}
+
 void VNCSConnectionST::writeRTTPing()
 {
  char type;
@@ -1081,6 +1133,22 @@ void VNCSConnectionST::writeFramebufferUpdate()
  if (isCongested())
    return;

+  // Check for permission changes?
+  if (needsPermCheck) {
+    needsPermCheck = false;
+
+    bool write, owner, ret;
+    ret = getPerms(write, owner);
+    if (!ret) {
+      close("User was deleted");
+      return;
+    } else if (!write) {
+      accessRights = (accessRights & ~(AccessPtrEvents | AccessKeyEvents | AccessSetDesktopSize));
+    } else {
+      accessRights |= AccessPtrEvents | AccessKeyEvents | AccessSetDesktopSize;
+    }
+  }
+
  // Updates often consists of many small writes, and in continuous
  // mode, we will also have small fence messages around the update. We
  // need to aggregate these in order to not clog up TCP's congestion