From 0a6eb70b28271baf784616ecac53037a8de49340 Mon Sep 17 00:00:00 2001
From: Marisa Giancarla <fstltna@me.com>
Date: Sat, 7 Dec 2013 16:43:13 +0100
Subject: [PATCH] client: New option -r for restricted mode

Redirections and the execute command let the user read and write files
and run programs on the local system.

Restricted mode prevents such access.  This is useful when you want to
grant somebody access to just Empire, but not to the host system's
user account that runs the client.

Signed-off-by: Marisa Giancarla <fstltna@me.com>
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
---
 man/empire.6         | 5 ++++-
 src/client/main.c    | 6 +++++-
 src/client/misc.h    | 1 +
 src/client/servcmd.c | 6 ++++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/man/empire.6 b/man/empire.6
index 837b1349..efb87060 100644
--- a/man/empire.6
+++ b/man/empire.6
@@ -4,7 +4,7 @@ empire \- Empire client
 .SH SYNOPSIS
 .B empire
 [
-.B \-hkuv
+.B \-hkruv
 ]
 [
 .BI \-2 " outfile"
@@ -37,6 +37,9 @@ Help.  Print brief usage information and exit.
 .B \-k
 If someone else is connected to your country, kill their connection.
 .TP
+.B \-r
+Restricted mode: disable redirections and execute command.
+.TP
 .BI \-s " [host:]port"
 Specify server \fIhost\fR and \fIport\fR.
 .TP
diff --git a/src/client/main.c b/src/client/main.c
index 8e178170..74ab4271 100644
--- a/src/client/main.c
+++ b/src/client/main.c
@@ -69,6 +69,7 @@ print_usage(char *program_name)
     printf("Usage: %s [OPTION]...[COUNTRY [PASSWORD]]\n"
 	   "  -2 FILE         Append log of session to FILE\n"
 	   "  -k              Kill connection\n"
+	   "  -r              Restricted mode, no redirections\n"
 	   "  -s [HOST:]PORT  Specify server HOST and PORT\n"
 	   "  -u              Use UTF-8\n"
 	   "  -h              display this help and exit\n"
@@ -92,7 +93,7 @@ main(int argc, char **argv)
     char *colon;
     int sock;
 
-    while ((opt = getopt(argc, argv, "2:ks:uhv")) != EOF) {
+    while ((opt = getopt(argc, argv, "2:krs:uhv")) != EOF) {
 	switch (opt) {
 	case '2':
 	    auxfname = optarg;
@@ -100,6 +101,9 @@ main(int argc, char **argv)
 	case 'k':
 	    send_kill = 1;
 	    break;
+	case 'r':
+	    restricted = 1;
+	    break;
 	case 's':
 	    port = strdup(optarg);
 	    colon = strrchr(port, ':');
diff --git a/src/client/misc.h b/src/client/misc.h
index 69a86aa6..1fd9f9bd 100644
--- a/src/client/misc.h
+++ b/src/client/misc.h
@@ -44,6 +44,7 @@ extern int eight_bit_clean;
 extern int input_fd;
 extern int send_eof;
 extern FILE *auxfp;
+extern int restricted;
 
 #ifdef HAVE_CURSES_TERMINFO
 void getsose(void);
diff --git a/src/client/servcmd.c b/src/client/servcmd.c
index 2c4ac6e4..0c33758f 100644
--- a/src/client/servcmd.c
+++ b/src/client/servcmd.c
@@ -47,6 +47,7 @@
 
 int eight_bit_clean;
 FILE *auxfp;
+int restricted;
 
 static FILE *redir_fp;
 static int redir_is_pipe;
@@ -161,6 +162,11 @@ redir_authorized(char *arg, char *attempt, int expected)
 {
     size_t seen = seen_input(arg);
 
+    if (restricted) {
+	fprintf(stderr, "Can't %s in restricted mode\n", attempt);
+	return 0;
+    }
+
     if (executing) {
 	fprintf(stderr, "Can't %s in a batch file\n", attempt);
 	return 0;