Apply read-only perms upon connecting

common/rfb/CMakeLists.txt

@@ -1,4 +1,5 @@
-include_directories(${CMAKE_SOURCE_DIR}/common ${JPEG_INCLUDE_DIR})
+include_directories(${CMAKE_SOURCE_DIR}/common ${JPEG_INCLUDE_DIR}
+                    ${CMAKE_SOURCE_DIR}/unix/kasmvncpasswd)
 
 set(RFB_SOURCES
   Blacklist.cxx

common/rfb/VNCSConnectionST.cxx

@@ -38,6 +38,9 @@
 #include <ctype.h>
 #include <stdlib.h>
 #include <stdint.h>
+#include <wordexp.h>
+
+#include "kasmpasswd.h"
 
 using namespace rfb;
 
@@ -45,6 +48,8 @@ static LogWriter vlog("VNCSConnST");
 
 static Cursor emptyCursor(0, 0, Point(0, 0), NULL);
 
+extern rfb::StringParameter basicauth;
+
 VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
                                    bool reverse)
   : sock(s), reverseConnection(reverse),
@@ -65,6 +70,25 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
   memset(bstats_total, 0, sizeof(bstats_total));
   gettimeofday(&connStart, NULL);
 
+  // Check their permissions, if applicable
+  kasmpasswdpath[0] = '\0';
+  wordexp_t wexp;
+  if (!wordexp(rfb::Server::kasmPasswordFile, &wexp, WRDE_NOCMD))
+    strncpy(kasmpasswdpath, wexp.we_wordv[0], 4096);
+  kasmpasswdpath[4095] = '\0';
+  wordfree(&wexp);
+
+  user[0] = '\0';
+  const char *at = strchr(peerEndpoint.buf, '@');
+  if (at && at - peerEndpoint.buf > 1 && at - peerEndpoint.buf < 32) {
+    memcpy(user, peerEndpoint.buf, at - peerEndpoint.buf);
+    user[at - peerEndpoint.buf] = '\0';
+  }
+
+  bool write, owner;
+  if (!getPerms(write, owner) || !write)
+    accessRights = (accessRights & ~(AccessPtrEvents | AccessKeyEvents));
+
   // Configure the socket
   setSocketTimeouts();
   lastEventTime = time(0);
@@ -999,6 +1023,29 @@ bool VNCSConnectionST::isShiftPressed()
   return false;
 }
 
+bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
+{
+  bool found = false;
+  const char *colon = strchr(basicauth, ':');
+  if (colon && !colon[1] && user[0]) {
+    struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath);
+    unsigned i;
+    for (i = 0; i < set->num; i++) {
+      if (!strcmp(set->entries[i].user, user)) {
+        write = set->entries[i].write;
+        owner = set->entries[i].owner;
+        found = true;
+        break;
+      }
+    }
+
+    free(set->entries);
+    free(set);
+  }
+
+  return found;
+}
+
 void VNCSConnectionST::writeRTTPing()
 {
   char type;

common/rfb/VNCSConnectionST.h

@@ -184,7 +184,13 @@ namespace rfb {
     // of a VNCSConnectioST to the server.  These access rights are applied
     // such that the actual rights granted are the minimum of the server's
     // default access settings and the connection's access settings.
-    virtual void setAccessRights(AccessRights ar) {accessRights=ar;}
+    virtual void setAccessRights(AccessRights ar) {
+        accessRights = ar;
+
+        bool write, owner;
+        if (!getPerms(write, owner) || !write)
+            accessRights = (accessRights & ~(AccessPtrEvents | AccessKeyEvents));
+    }
 
     // Timer callbacks
     virtual bool handleTimeout(Timer* t);
@@ -193,6 +199,8 @@ namespace rfb {
 
     bool isShiftPressed();
 
+    bool getPerms(bool &write, bool &owner) const;
+
     // Congestion control
     void writeRTTPing();
     bool isCongested();
@@ -249,6 +257,9 @@ namespace rfb {
     rdr::U64 bstats_total[BS_NUM];
     struct timeval connStart;
 
+    char user[32];
+    char kasmpasswdpath[4096];
+
     time_t lastEventTime;
     time_t pointerEventTime;
     Point pointerEventPos;