Allow ACLs to use groups as well as users, GitHub issue 4917.

cmd-server-access.c

@@ -19,6 +19,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include <grp.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <string.h>
@@ -37,67 +38,71 @@ const struct cmd_entry cmd_server_access_entry = {
 	.name = "server-access",
 	.alias = NULL,
 
-	.args = { "adlrw", 0, 1, NULL },
+	.args = { "adglrw", 0, 1, NULL },
-	.usage = "[-adlrw] " CMD_TARGET_PANE_USAGE " [user]",
+	.usage = "[-adglrw] " CMD_TARGET_PANE_USAGE " [user|group]",
 
 	.flags = CMD_CLIENT_CANFAIL,
 	.exec = cmd_server_access_exec
 };
 
 static enum cmd_retval
-cmd_server_access_deny(struct cmdq_item *item, struct passwd *pw)
+cmd_server_access_deny(struct cmdq_item *item, id_t id, int flags,
+    const char *type, const char *name)
 {
-	struct client		*loop;
+	if (!server_acl_find(id, flags)) {
-	struct server_acl_user	*user;
+		cmdq_error(item, "%s %s not found", type, name);
-	uid_t			 uid;
-
-	if ((user = server_acl_user_find(pw->pw_uid)) == NULL) {
-		cmdq_error(item, "user %s not found", pw->pw_name);
 		return (CMD_RETURN_ERROR);
 	}
-	TAILQ_FOREACH(loop, &clients, entry) {
+	server_acl_deny(id, flags);
-		uid = proc_get_peer_uid(loop->peer);
-		if (uid == server_acl_get_uid(user)) {
-			loop->exit_message = xstrdup("access not allowed");
-			loop->flags |= CLIENT_EXIT;
-		}
-	}
-	server_acl_user_deny(pw->pw_uid);
-
 	return (CMD_RETURN_NORMAL);
 }
 
 static enum cmd_retval
 cmd_server_access_exec(struct cmd *self, struct cmdq_item *item)
 {
-
 	struct args	*args = cmd_get_args(self);
 	struct client	*c = cmdq_get_target_client(item);
-	char		*name;
+	char		*arg;
-	struct passwd	*pw = NULL;
+	const char	*name, *type = NULL;
+	struct passwd	*pw;
+	struct group	*gr;
+	id_t		 id;
+	int		 flags = 0;
 
 	if (args_has(args, 'l')) {
 		server_acl_display(item);
 		return (CMD_RETURN_NORMAL);
 	}
 	if (args_count(args) == 0) {
-		cmdq_error(item, "missing user argument");
+		cmdq_error(item, "missing user or group argument");
 		return (CMD_RETURN_ERROR);
 	}
 
-	name = format_single(item, args_string(args, 0), c, NULL, NULL, NULL);
+	arg = format_single(item, args_string(args, 0), c, NULL, NULL, NULL);
-	if (*name != '\0')
+	if (args_has(args, 'g')) {
-		pw = getpwnam(name);
+		if ((gr = getgrnam(arg)) != NULL) {
-	if (pw == NULL) {
+			type = "group";
-		cmdq_error(item, "unknown user: %s", name);
+			id = gr->gr_gid;
-		free(name);
+			name = gr->gr_name;
+			flags |= SERVER_ACL_IS_GROUP;
+		}
+	} else {
+		if ((pw = getpwnam(arg)) != NULL) {
+			type = "user";
+			id = pw->pw_uid;
+			name = pw->pw_name;
+		}
+	}
+	if (type == NULL) {
+		cmdq_error(item, "unknown %s: %s", type, arg);
+		free(arg);
 		return (CMD_RETURN_ERROR);
 	}
-	free(name);
+	free(arg);
 
-	if (pw->pw_uid == 0 || pw->pw_uid == getuid()) {
+	if ((~flags & SERVER_ACL_IS_GROUP) && (id == 0 || id == getuid())) {
 		cmdq_error(item, "%s owns the server, can't change access",
-		    pw->pw_name);
+		    name);
 		return (CMD_RETURN_ERROR);
 	}
 
@@ -111,36 +116,35 @@ cmd_server_access_exec(struct cmd *self, struct cmdq_item *item)
 	}
 
 	if (args_has(args, 'd'))
-		return (cmd_server_access_deny(item, pw));
+		return (cmd_server_access_deny(item, id, flags, type, name));
 	if (args_has(args, 'a')) {
-		if (server_acl_user_find(pw->pw_uid) != NULL) {
+		if (server_acl_find(id, flags)) {
-			cmdq_error(item, "user %s is already added",
+			cmdq_error(item, "%s %s is already added", type, name);
-			    pw->pw_name);
 			return (CMD_RETURN_ERROR);
 		}
-		server_acl_user_allow(pw->pw_uid);
+		server_acl_allow(id, flags);
 		/* Do not return - allow -r or -w with -a. */
 	} else if (args_has(args, 'r') || args_has(args, 'w')) {
-		/* -r or -w implies -a if user does not exist. */
+		/* -r or -w implies -a if the entry does not exist. */
-		if (server_acl_user_find(pw->pw_uid) == NULL)
+		if (!server_acl_find(id, flags))
-			server_acl_user_allow(pw->pw_uid);
+			server_acl_allow(id, flags);
 	}
 
 	if (args_has(args, 'w')) {
-		if (server_acl_user_find(pw->pw_uid) == NULL) {
+		if (!server_acl_find(id, flags)) {
-			cmdq_error(item, "user %s not found", pw->pw_name);
+			cmdq_error(item, "%s %s not found", type, name);
 			return (CMD_RETURN_ERROR);
 		}
-		server_acl_user_allow_write(pw->pw_uid);
+		server_acl_allow_write(id, flags);
 		return (CMD_RETURN_NORMAL);
 	}
 
 	if (args_has(args, 'r')) {
-		if (server_acl_user_find(pw->pw_uid) == NULL) {
+		if (!server_acl_find(id, flags)) {
-			cmdq_error(item, "user %s not found", pw->pw_name);
+			cmdq_error(item, "%s %s not found", type, name);
 			return (CMD_RETURN_ERROR);
 		}
-		server_acl_user_deny_write(pw->pw_uid);
+		server_acl_deny_write(id, flags);
 		return (CMD_RETURN_NORMAL);
 	}
 

proc.c

@@ -56,6 +56,7 @@ struct tmuxpeer {
 	struct imsgbuf	 ibuf;
 	struct event	 event;
 	uid_t		 uid;
+	gid_t		 gid;
 
 	int		 flags;
 #define PEER_BAD 0x1
@@ -297,7 +298,6 @@ proc_add_peer(struct tmuxproc *tp, int fd,
     void (*dispatchcb)(struct imsg *, void *), void *arg)
 {
 	struct tmuxpeer	*peer;
-	gid_t		 gid;
 
 	peer = xcalloc(1, sizeof *peer);
 	peer->parent = tp;
@@ -310,8 +310,10 @@ proc_add_peer(struct tmuxproc *tp, int fd,
 	imsgbuf_allow_fdpass(&peer->ibuf);
 	event_set(&peer->event, fd, EV_READ, proc_event_cb, peer);
 
-	if (getpeereid(fd, &peer->uid, &gid) != 0)
+	if (getpeereid(fd, &peer->uid, &peer->gid) != 0) {
 		peer->uid = (uid_t)-1;
+		peer->gid = (gid_t)-1;
+	}
 
 	log_debug("add peer %p: %d (%p)", peer, fd, arg);
 	TAILQ_INSERT_TAIL(&tp->peers, peer, entry);
@@ -380,3 +382,9 @@ proc_get_peer_uid(struct tmuxpeer *peer)
 {
 	return (peer->uid);
 }
+
+gid_t
+proc_get_peer_gid(struct tmuxpeer *peer)
+{
+	return (peer->gid);
+}

server-acl.c

@@ -22,6 +22,7 @@
 #include <sys/socket.h>
 
 #include <ctype.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdlib.h>
 #include <string.h>
@@ -29,158 +30,203 @@
 
 #include "tmux.h"
 
-struct server_acl_user {
+struct server_acl_entry {
-	uid_t				uid;
+	id_t				 id;
 
-	int				flags;
+	int				 flags;
-#define SERVER_ACL_READONLY 0x1
 
-	RB_ENTRY(server_acl_user)	entry;
+	RB_ENTRY(server_acl_entry)	 entry;
 };
 
 static int
-server_acl_cmp(struct server_acl_user *user1, struct server_acl_user *user2)
+server_acl_cmp(struct server_acl_entry *entry1,
+    struct server_acl_entry *entry2)
 {
-	if (user1->uid < user2->uid)
+	if ((entry1->flags ^ entry2->flags) & SERVER_ACL_IS_GROUP) {
+		if (entry1->flags & SERVER_ACL_IS_GROUP)
+			return (1);
 		return (-1);
-	return (user1->uid > user2->uid);
+	}
+
+	if (entry1->id < entry2->id)
+		return (-1);
+	return (entry1->id > entry2->id);
 }
 
-RB_HEAD(server_acl_entries, server_acl_user) server_acl_entries;
+RB_HEAD(server_acl_entries, server_acl_entry) server_acl_entries;
-RB_GENERATE_STATIC(server_acl_entries, server_acl_user, entry, server_acl_cmp);
+RB_GENERATE_STATIC(server_acl_entries, server_acl_entry, entry, server_acl_cmp);
 
-/* Initialize server_acl tree. */
+static struct server_acl_entry *
+server_acl_entry_find(id_t id, int flags)
+{
+	struct server_acl_entry	find = {
+		.id = id,
+		.flags = flags & SERVER_ACL_IS_GROUP
+	};
+
+	return (RB_FIND(server_acl_entries, &server_acl_entries, &find));
+}
+
+static struct server_acl_entry *
+server_acl_check(struct client *c)
+{
+	struct server_acl_entry	*entry;
+	uid_t			 uid;
+	gid_t			 gid;
+
+	uid = proc_get_peer_uid(c->peer);
+	if (uid == (uid_t)-1)
+		return (NULL);
+
+	entry = server_acl_entry_find(uid, 0);
+	if (entry != NULL)
+		return (entry);
+
+	gid = proc_get_peer_gid(c->peer);
+	if (gid == (gid_t)-1)
+		return (NULL);
+
+	return (server_acl_entry_find(gid, SERVER_ACL_IS_GROUP));
+}
+
+static void
+server_acl_update(void)
+{
+	struct server_acl_entry	*entry;
+	struct client		*c;
+
+	TAILQ_FOREACH(c, &clients, entry) {
+		entry = server_acl_check(c);
+		if (entry == NULL) {
+			c->exit_message = xstrdup("access not allowed");
+			c->flags |= CLIENT_EXIT;
+		} else if (entry->flags & SERVER_ACL_READONLY)
+			c->flags |= CLIENT_READONLY;
+		else
+			c->flags &= ~CLIENT_READONLY;
+	}
+}
+
+/* Initialize ACL tree. */
 void
 server_acl_init(void)
 {
 	RB_INIT(&server_acl_entries);
 
 	if (getuid() != 0)
-		server_acl_user_allow(0);
+		server_acl_allow(0, 0);
-	server_acl_user_allow(getuid());
+	server_acl_allow(getuid(), 0);
 }
 
-/* Find user entry. */
+/* Check if an ACL entry exists. */
-struct server_acl_user*
+int
-server_acl_user_find(uid_t uid)
+server_acl_find(id_t id, int flags)
 {
-	struct server_acl_user	find = { .uid = uid };
+	return (server_acl_entry_find(id, flags) != NULL);
-
-	return (RB_FIND(server_acl_entries, &server_acl_entries, &find));
 }
 
 /* Display the tree. */
 void
 server_acl_display(struct cmdq_item *item)
 {
-	struct server_acl_user	*loop;
+	struct server_acl_entry	*loop;
 	struct passwd		*pw;
+	struct group		*gr;
 	const char		*name;
+	char			 type;
 
 	RB_FOREACH(loop, server_acl_entries, &server_acl_entries) {
-		if (loop->uid == 0)
+		if (~loop->flags & SERVER_ACL_IS_GROUP) {
-			continue;
+			if (loop->id == 0)
-		if ((pw = getpwuid(loop->uid)) != NULL)
+				continue;
-			name = pw->pw_name;
+			if ((pw = getpwuid(loop->id)) != NULL)
+				name = pw->pw_name;
+			else
+				name = "unknown";
+			type = 'U';
+		} else {
+			if ((gr = getgrgid(loop->id)) != NULL)
+				name = gr->gr_name;
+			else
+				name = "unknown";
+			type = 'G';
+		}
+		if (loop->flags & SERVER_ACL_READONLY)
+			cmdq_print(item, "%s (%c,R)", name, type);
 		else
-			name = "unknown";
+			cmdq_print(item, "%s (%c,W)", name, type);
-		if (loop->flags == SERVER_ACL_READONLY)
-			cmdq_print(item, "%s (R)", name);
-		else
-			cmdq_print(item, "%s (W)", name);
 	}
 }
 
-/* Allow a user. */
+/* Allow an ACL entry. */
 void
-server_acl_user_allow(uid_t uid)
+server_acl_allow(id_t id, int flags)
 {
-	struct server_acl_user	*user;
+	struct server_acl_entry	*entry;
 
-	user = server_acl_user_find(uid);
+	entry = server_acl_entry_find(id, flags);
-	if (user == NULL) {
+	if (entry == NULL) {
-		user = xcalloc(1, sizeof *user);
+		entry = xcalloc(1, sizeof *entry);
-		user->uid = uid;
+		entry->id = id;
-		RB_INSERT(server_acl_entries, &server_acl_entries, user);
+		entry->flags = flags & SERVER_ACL_IS_GROUP;
+		RB_INSERT(server_acl_entries, &server_acl_entries, entry);
 	}
 }
 
-/* Deny a user (remove from the tree). */
+/* Deny an ACL entry (remove it from the tree). */
 void
-server_acl_user_deny(uid_t uid)
+server_acl_deny(id_t id, int flags)
 {
-	struct server_acl_user	*user;
+	struct server_acl_entry	*entry;
 
-	user = server_acl_user_find(uid);
+	entry = server_acl_entry_find(id, flags);
-	if (user != NULL) {
+	if (entry != NULL) {
-		RB_REMOVE(server_acl_entries, &server_acl_entries, user);
+		RB_REMOVE(server_acl_entries, &server_acl_entries, entry);
-		free(user);
+		free(entry);
+		server_acl_update();
 	}
 }
 
-/* Allow this user write access. */
+/* Allow this ACL entry write access. */
 void
-server_acl_user_allow_write(uid_t uid)
+server_acl_allow_write(id_t id, int flags)
 {
-	struct server_acl_user	*user;
+	struct server_acl_entry	*entry;
-	struct client		*c;
 
-	user = server_acl_user_find(uid);
+	entry = server_acl_entry_find(id, flags);
-	if (user == NULL)
+	if (entry == NULL)
 		return;
-	user->flags &= ~SERVER_ACL_READONLY;
+	entry->flags &= ~SERVER_ACL_READONLY;
-
+	server_acl_update();
-	TAILQ_FOREACH(c, &clients, entry) {
-		uid = proc_get_peer_uid(c->peer);
-		if (uid != (uid_t)-1 && uid == user->uid)
-			c->flags &= ~CLIENT_READONLY;
-	}
 }
 
-/* Deny this user write access. */
+/* Deny this ACL entry write access. */
 void
-server_acl_user_deny_write(uid_t uid)
+server_acl_deny_write(id_t id, int flags)
 {
-	struct server_acl_user	*user;
+	struct server_acl_entry	*entry;
-	struct client		*c;
 
-	user = server_acl_user_find(uid);
+	entry = server_acl_entry_find(id, flags);
-	if (user == NULL)
+	if (entry == NULL)
 		return;
-	user->flags |= SERVER_ACL_READONLY;
+	entry->flags |= SERVER_ACL_READONLY;
-
+	server_acl_update();
-	TAILQ_FOREACH(c, &clients, entry) {
-		uid = proc_get_peer_uid(c->peer);
-		if (uid != (uid_t)-1 && uid == user->uid)
-			c->flags |= CLIENT_READONLY;
-	}
 }
 
 /*
- * Check if the client's UID exists in the ACL list and if so, set as read only
+ * Check if the client's UID or GID exists in the ACL list and if so, set as
- * if needed. Return false if the user does not exist.
+ * read only if needed. UID entries take precedence over GID entries. Return
+ * false if no entry exists.
  */
 int
 server_acl_join(struct client *c)
 {
-	struct server_acl_user	*user;
+	struct server_acl_entry	*entry;
-	uid_t			 uid;
 
-	uid = proc_get_peer_uid(c->peer);
+	entry = server_acl_check(c);
-	if (uid == (uid_t)-1)
+	if (entry == NULL)
 		return (0);
-
+	if (entry->flags & SERVER_ACL_READONLY)
-	user = server_acl_user_find(uid);
-	if (user == NULL)
-		return (0);
-	if (user->flags & SERVER_ACL_READONLY)
 		c->flags |= CLIENT_READONLY;
 	return (1);
 }
-
-/* Get UID for user entry. */
-uid_t
-server_acl_get_uid(struct server_acl_user *user)
-{
-	return (user->uid);
-}

tmux.1

@@ -1574,35 +1574,57 @@ option.
 Rename the session to
 .Ar new\-name .
 .It Xo Ic server\-access
-.Op Fl adlrw
+.Op Fl adglrw
-.Op Ar user
+.Op Ar user | group
 .Xc
 Change the access or read/write permission of
-.Ar user .
+.Ar user
+or
+.Ar group .
 The user running the
 .Nm
 server (its owner) and the root user cannot be changed and are always
 permitted access.
+.Fl g
+changes a group rather than a user.
 .Pp
 .Fl a
 and
 .Fl d
-are used to give or revoke access for the specified user.
+are used to give or revoke access for the specified user or group.
-If the user is already attached, the
+If a client is already attached, the
 .Fl d
-flag causes their clients to be detached.
+flag causes it to be detached unless it is still permitted by another entry.
 .Pp
 .Fl r
 and
 .Fl w
 change the permissions for
-.Ar user :
+.Ar user
+or
+.Ar group :
 .Fl r
-makes their clients read-only and
+makes matching clients read-only and
 .Fl w
 writable.
 .Fl l
 lists current access permissions.
+User entries are shown with
+.Ql U ,
+group entries with
+.Ql G ,
+and read-only or writable entries with
+.Ql R
+or
+.Ql W ,
+for example
+.Ql user1 (U,W)
+or
+.Ql testgroup (G,R) .
+If both a user and group entry match a client, the user entry takes
+precedence.
+Only the effective group ID of the client is used, not its supplementary
+groups.
 .Pp
 By default, the access list is empty and
 .Nm

tmux.h

@@ -2386,6 +2386,7 @@ void	proc_flush_peer(struct tmuxpeer *);
 void	proc_toggle_log(struct tmuxproc *);
 pid_t	proc_fork_and_daemon(int *);
 uid_t	proc_get_peer_uid(struct tmuxpeer *);
+gid_t	proc_get_peer_gid(struct tmuxpeer *);
 
 /* cfg.c */
 extern int cfg_finished;
@@ -3787,15 +3788,16 @@ struct window_pane *spawn_pane(struct spawn_context *, char **);
 char		*regsub(const char *, const char *, const char *, int);
 
 /* server-acl.c */
+#define SERVER_ACL_READONLY 0x1
+#define SERVER_ACL_IS_GROUP 0x2
 void			 server_acl_init(void);
-struct server_acl_user	*server_acl_user_find(uid_t);
+int			 server_acl_find(id_t, int);
 void 			 server_acl_display(struct cmdq_item *);
-void			 server_acl_user_allow(uid_t);
+void			 server_acl_allow(id_t, int);
-void			 server_acl_user_deny(uid_t);
+void			 server_acl_deny(id_t, int);
-void			 server_acl_user_allow_write(uid_t);
+void			 server_acl_allow_write(id_t, int);
-void			 server_acl_user_deny_write(uid_t);
+void			 server_acl_deny_write(id_t, int);
 int			 server_acl_join(struct client *);
-uid_t			 server_acl_get_uid(struct server_acl_user *);
 
 /* hyperlink.c */
 u_int	 		 hyperlinks_put(struct hyperlinks *, const char *,