empire/empserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

client: New option -r for restricted mode

Browse source 
Redirections and the execute command let the user read and write files
and run programs on the local system.

Restricted mode prevents such access.  This is useful when you want to
grant somebody access to just Empire, but not to the host system's
user account that runs the client.

Signed-off-by: Marisa Giancarla <fstltna@me.com>
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
This commit is contained in:
Marisa Giancarla 2013-12-07 16:43:13 +01:00 committed by Markus Armbruster
parent 89b76644b2
commit 0a6eb70b28
4 changed files with 16 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
man/empire.6
View file

@ -4,7 +4,7 @@ empire \- Empire client
.SH SYNOPSIS .SH SYNOPSIS
.B empire .B empire
[ [
.B \-hkuv .B \-hkruv
] ]
[ [
.BI \-2 " outfile" .BI \-2 " outfile"
@ -37,6 +37,9 @@ Help. Print brief usage information and exit.
.B \-k .B \-k
If someone else is connected to your country, kill their connection. If someone else is connected to your country, kill their connection.
.TP .TP
.B \-r
Restricted mode: disable redirections and execute command.
.TP
.BI \-s " [host:]port" .BI \-s " [host:]port"
Specify server \fIhost\fR and \fIport\fR. Specify server \fIhost\fR and \fIport\fR.
.TP .TP

6
src/client/main.c
View file

@ -69,6 +69,7 @@ print_usage(char *program_name)
printf("Usage: %s [OPTION]...[COUNTRY [PASSWORD]]\n" printf("Usage: %s [OPTION]...[COUNTRY [PASSWORD]]\n"
" -2 FILE Append log of session to FILE\n" " -2 FILE Append log of session to FILE\n"
" -k Kill connection\n" " -k Kill connection\n"
" -r Restricted mode, no redirections\n"
" -s [HOST:]PORT Specify server HOST and PORT\n" " -s [HOST:]PORT Specify server HOST and PORT\n"
" -u Use UTF-8\n" " -u Use UTF-8\n"
" -h display this help and exit\n" " -h display this help and exit\n"
@ -92,7 +93,7 @@ main(int argc, char **argv)
char *colon; char *colon;
int sock; int sock;
while ((opt = getopt(argc, argv, "2:ks:uhv")) != EOF) { while ((opt = getopt(argc, argv, "2:krs:uhv")) != EOF) {
switch (opt) { switch (opt) {
case '2': case '2':
auxfname = optarg; auxfname = optarg;
@ -100,6 +101,9 @@ main(int argc, char **argv)
case 'k': case 'k':
send_kill = 1; send_kill = 1;
break; break;
case 'r':
restricted = 1;
break;
case 's': case 's':
port = strdup(optarg); port = strdup(optarg);
colon = strrchr(port, ':'); colon = strrchr(port, ':');

1
src/client/misc.h
View file

@ -44,6 +44,7 @@ extern int eight_bit_clean;
extern int input_fd; extern int input_fd;
extern int send_eof; extern int send_eof;
extern FILE *auxfp; extern FILE *auxfp;
extern int restricted;
#ifdef HAVE_CURSES_TERMINFO #ifdef HAVE_CURSES_TERMINFO
void getsose(void); void getsose(void);

6
src/client/servcmd.c
View file

@ -47,6 +47,7 @@
int eight_bit_clean; int eight_bit_clean;
FILE *auxfp; FILE *auxfp;
int restricted;
static FILE *redir_fp; static FILE *redir_fp;
static int redir_is_pipe; static int redir_is_pipe;
@ -161,6 +162,11 @@ redir_authorized(char *arg, char *attempt, int expected)
{ {
size_t seen = seen_input(arg); size_t seen = seen_input(arg);
if (restricted) {
fprintf(stderr, "Can't %s in restricted mode\n", attempt);
return 0;
}
if (executing) { if (executing) {
fprintf(stderr, "Can't %s in a batch file\n", attempt); fprintf(stderr, "Can't %s in a batch file\n", attempt);
return 0; return 0;