--- /n/sources/plan9/sys/src/cmd/cpu.c Sun Apr 14 16:33:20 2019 +++ /sys/src/cmd/cpu.c Sun Jun 21 00:00:00 2026 @@ -27,6 +27,7 @@ void rmtnoteproc(void); int setam(char*); int setamalg(char*); +int localuser(char*); void usage(void); void writestr(int, char*, char*, int); @@ -42,6 +43,8 @@ char *origargs; char *keyspec = ""; int slow; +int localonly; +int rflag; char *srvname = "ncpu"; char *exportfs = "/bin/exportfs"; @@ -241,7 +244,7 @@ patternfile = EARGF(usage()); break; case 'R': /* From listen; must be last option */ - remoteside(); + rflag = 1; break; case 's': sslonly = 1; @@ -262,10 +265,16 @@ case 'v': conndbg = 1; break; + case 'L': + localonly = 1; + break; default: usage(); }ARGEND; + if(rflag) + remoteside(); + if(argc != 0) usage(); @@ -618,6 +627,31 @@ return -1; } +/* + * report whether u is a user of the local file server, so a key in + * the auth domain alone does not grant a whole-namespace session + */ +int +localuser(char *u) +{ + Biobuf *b; + char *l, *f[4]; + int ok; + + if((b = Bopen("/adm/users", OREAD)) == nil) + return 0; /* fail closed */ + ok = 0; + while((l = Brdline(b, '\n')) != nil){ + l[Blinelen(b)-1] = '\0'; + if(getfields(l, f, nelem(f), 0, ":") >= 2 && strcmp(f[1], u) == 0){ + ok = 1; + break; + } + } + Bterm(b); + return ok; +} + static int netkeysrvauth(int fd, char *user) { @@ -645,6 +679,11 @@ auth_freechal(ch); if(ai == nil) return -1; + if(localonly && !localuser(user)){ + werrstr("%s: not a local user", user); + auth_freeAI(ai); + return -1; + } writestr(fd, "", "challenge", 1); if(auth_chuid(ai, nil) < 0) fatal(1, "newns"); @@ -791,6 +830,11 @@ ai = auth_proxy(0, nil, "proto=%q role=server %s", p9authproto, keyspec); if(ai == nil) return -1; + if(localonly && !localuser(ai->cuid)){ + werrstr("%s: not a local user", ai->cuid); + auth_freeAI(ai); + return -1; + } if(auth_chuid(ai, nil) < 0) /* switch to user in keyspec */ return -1; strecpy(user, user+MaxStr, ai->cuid); --- /n/sources/plan9/sys/man/1/cpu Sun Feb 28 06:10:47 2016 +++ /sys/man/1/cpu Sun Jun 21 00:00:00 2026 @@ -34,6 +34,8 @@ .I cert ] [ .B -t +] [ +.B -L ] .B -R .SH DESCRIPTION @@ -188,6 +190,15 @@ environment variables reflect the server's architecture. .PP The +.B -L +flag, given to the server side +.RB ( -R ), +restricts logins to users listed in the local file server's +.B /adm/users +file, so that a key in the authentication domain alone does not +grant a session. +.PP +The .B -R option causes .I cpu