apache · alailsonko · Jan 6, 2024 · mike-jumper · Jan 7, 2024 · alailsonko
diff --git a/src/libguac/guacamole/recording.h b/src/libguac/guacamole/recording.h
@@ -22,6 +22,8 @@
 
 #include <guacamole/client.h>
 
+#include <sys/types.h>
+
 /**
  * Provides functions and structures to be use for session recording.
  *
@@ -122,6 +124,14 @@ typedef struct guac_recording {
  *     written, or non-zero if the path should be created if it does not yet
  *     exist.
  *
+ * @param file_permissions
+ *     The permissions to apply for the recording file created within the specified
+ *     path.
+ *
+ * @param path_permissions
+ *     The permissions to apply for the recording path created within the specified
+ *     path.
+ *
  * @param include_output
  *     Non-zero if output which is broadcast to each connected client
  *     (graphics, streams, etc.) should be included in the session recording,
@@ -154,8 +164,8 @@ typedef struct guac_recording {
  *     recording will be written, NULL otherwise.
  */
 guac_recording* guac_recording_create(guac_client* client,
-        const char* path, const char* name, int create_path,
-        int include_output, int include_mouse, int include_touch,
+        const char* path, const char* name, int create_path, mode_t file_permissions,
+        mode_t path_permissions, int include_output, int include_mouse, int include_touch,
         int include_keys);
 
 /**

diff --git a/src/libguac/guacamole/user.h b/src/libguac/guacamole/user.h
@@ -42,6 +42,7 @@
 
 #include <pthread.h>
 #include <stdarg.h>
+#include <sys/types.h>
 
 struct guac_user_info {
 
@@ -1001,5 +1002,36 @@ int guac_user_parse_args_int(guac_user* user, const char** arg_names,
 int guac_user_parse_args_boolean(guac_user* user, const char** arg_names,
         const char** argv, int index, int default_value);
 
+/**
+ * Parses a string representation of file permissions (e.g., "rwxrwxrwx")
+ * and converts it to a mode_t value.
+ *
+ * @param user
+ *     The user joining the connection and providing the given arguments.
+ *
+ * @param arg_names
+ *     A NULL-terminated array of argument names, corresponding to the provided
+ *     array of argument values. This array must be exactly the same size as
+ *     the argument value array, with one additional entry for the NULL
+ *     terminator.
+ *
+ * @param argv
+ *     An array of all argument values, corresponding to the provided array of
+ *     argument names. This array must be exactly the same size as the argument
+ *     name array, with the exception of the NULL terminator.
+ *
+ * @param index
+ *     The index of the entry in both the arg_names and argv arrays which
+ *     corresponds to the argument being parsed.
+ *
+ * @param default_value
+ *     The value to return if the provided argument is blank or invalid.
+ *
+ * @return
+ *     The parsed mode_t value.
+ */
+mode_t guac_user_parse_args_mode(guac_user* user, const char** arg_names,
+        const char** argv, int index, mode_t default_value);
+
 #endif
 
diff --git a/src/libguac/recording.c b/src/libguac/recording.c
@@ -65,7 +65,7 @@
  *     failure.
  */
 static int guac_recording_open(const char* path,
-        const char* name, char* basename, int basename_size) {
+        const char* name, char* basename, int basename_size, mode_t file_permissions) {
 
     int i;
 
@@ -83,8 +83,7 @@ static int guac_recording_open(const char* path,
 
     /* Attempt to open recording */
     int fd = open(basename,
-            O_CREAT | O_EXCL | O_WRONLY,
-            S_IRUSR | S_IWUSR | S_IRGRP);
+            O_CREAT | O_EXCL | O_WRONLY, file_permissions);
 
     /* Continuously retry with alternate names on failure */
     if (fd == -1) {
@@ -102,8 +101,7 @@ static int guac_recording_open(const char* path,
 
             /* Retry with newly-suffixed filename */
             fd = open(basename,
-                    O_CREAT | O_EXCL | O_WRONLY,
-                    S_IRUSR | S_IWUSR | S_IRGRP);
+                    O_CREAT | O_EXCL | O_WRONLY, file_permissions);
 
         }
 
@@ -136,15 +134,15 @@ static int guac_recording_open(const char* path,
 }
 
 guac_recording* guac_recording_create(guac_client* client,
-        const char* path, const char* name, int create_path,
-        int include_output, int include_mouse, int include_touch,
+        const char* path, const char* name, int create_path, mode_t file_permissions,
+        mode_t path_permissions, int include_output, int include_mouse, int include_touch,
         int include_keys) {
 
     char filename[GUAC_COMMON_RECORDING_MAX_NAME_LENGTH];
 
     /* Create path if it does not exist, fail if impossible */
 #ifndef __MINGW32__
-    if (create_path && mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP)
+    if (create_path && mkdir(path, path_permissions)
             && errno != EEXIST) {
 #else
     if (create_path && _mkdir(path) && errno != EEXIST) {
@@ -155,7 +153,7 @@ guac_recording* guac_recording_create(guac_client* client,
     }
 
     /* Attempt to open recording file */
-    int fd = guac_recording_open(path, name, filename, sizeof(filename));
+    int fd = guac_recording_open(path, name, filename, sizeof(filename), file_permissions);
     if (fd == -1) {
         guac_client_log(client, GUAC_LOG_ERROR,
                 "Creation of recording failed: %s", strerror(errno));

diff --git a/src/libguac/user.c b/src/libguac/user.c
@@ -39,6 +39,8 @@
 #include <limits.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 guac_user* guac_user_alloc() {
 
@@ -466,3 +468,67 @@ int guac_user_parse_args_boolean(guac_user* user, const char** arg_names,
 
 }
 
+mode_t guac_user_parse_args_mode(guac_user* user, const char** arg_names,
+        const char** argv, int index, mode_t default_value) {
+
+    /* Pull parameter value from argv */
+    const char* value = argv[index];
+
+    /* Use default value if blank */
+    if (value[0] == 0) {
+
+        /* Log use of default */
+        guac_user_log(user, GUAC_LOG_DEBUG, "Parameter \"%s\" omitted. Using "
+                "default value of %i.", arg_names[index], default_value);
+
+        return default_value;
+
+    }
+
+    mode_t result = 0;
+
+    /* Check if the provided value has the correct length */
+    if (strlen(value) != 9) {
+        /* Log a warning and return the default value if the length is incorrect */
+        guac_user_log(user, GUAC_LOG_WARNING, "Parameter \"%s\" must have length 9. Using default value.", arg_names[index]);
+        return default_value;
+    }
+
+    // Define the permission bits
+    const char *permissions = "rwxr-xr-x";
+
+    /* Iterate over each character in the permission string */
+    for (int i = 0; i < 3; i++) {
+        for (int j = 0; j < 3; j++) {
+            int permissionIndex = i * 3 + j;
+            /* If the character '-' is present in the permission string, no action needed */
+            if (value[permissionIndex] == '-') {
+                /* No action needed for '-' */
+            } else if (value[permissionIndex] == permissions[permissionIndex]) {
+                // Calculate the permission bit based on the position in the permission string:
+                // Example: For the first set of three characters ("rwx"):
+                // S_IRUSR is the constant representing the read permission for the owner.
+                // (S_IRUSR >> (i * 3 + j)) dynamically adjusts the permission bit based on the position.
+                // When i = 0 and j takes values 0, 1, 2:
+                //   - For j = 0, it gives (0400 >> 0), which is 0400 (read permission).
+                //   - For j = 1, it gives (0400 >> 1), which is 0200 (write permission).
+                //   - For j = 2, it gives (0400 >> 2), which is 0100 (execute permission).
+                // These values represent the read, write, and execute permission bits for the owner.
+                result |= (S_IRUSR >> (permissionIndex));
+            }
+            /* If the character is equal 'w' for groups and others log a warning and return the default value */
+            else if (value[permissionIndex] == 'w') {
+                guac_user_log(user, GUAC_LOG_WARNING, "Parameter \"%s\" with value \"%s\" has invalid permission character at position %d. Writing is locked for the current running process. Using default value %o.", arg_names[index], value, permissionIndex, default_value);
+                return default_value;
+            }
+            /* If the character is neither 'r', 'w', nor 'x', log a warning and return the default value */
+            else {
+                guac_user_log(user, GUAC_LOG_WARNING, "Parameter \"%s\" with value \"%s\" has invalid permission character at position %d. Only 'r', 'w', 'x' and '-' characthers are allowed. Using default value %o.", arg_names[index], value, permissionIndex, default_value);
+                return default_value;
+            }
+        }
+    }
+
+    /* Return the parsed mode_t value */
+    return result;
+}
diff --git a/src/protocols/kubernetes/kubernetes.c b/src/protocols/kubernetes/kubernetes.c
@@ -234,6 +234,8 @@ void* guac_kubernetes_client_thread(void* data) {
                 settings->recording_path,
                 settings->recording_name,
                 settings->create_recording_path,
+                settings->recording_file_permissions,
+                settings->recording_path_permissions,
                 !settings->recording_exclude_output,
                 !settings->recording_exclude_mouse,
                 0, /* Touch events not supported */

diff --git a/src/protocols/kubernetes/settings.c b/src/protocols/kubernetes/settings.c
@@ -51,6 +51,8 @@ const char* GUAC_KUBERNETES_CLIENT_ARGS[] = {
     "recording-exclude-mouse",
     "recording-include-keys",
     "create-recording-path",
+    "recording-file-permissions",
+    "recording-path-permissions",
     "read-only",
     "backspace",
     "scrollback",
@@ -210,6 +212,18 @@ enum KUBERNETES_ARGS_IDX {
      */
     IDX_CREATE_RECORDING_PATH,
 
+    /**
+     * The permissions that should be given to screen recording file which is written in
+     * the given path.
+     */
+    IDX_RECORDING_FILE_PERMISSIONS,
+
+    /**
+     * The permissions that should be given to screen recording path which is written in
+     * the given path.
+     */
+    IDX_RECORDING_PATH_PERMISSIONS,
+
     /**
      * "true" if this connection should be read-only (user input should be
      * dropped), "false" or blank otherwise.
@@ -389,6 +403,16 @@ guac_kubernetes_settings* guac_kubernetes_parse_args(guac_user* user,
         guac_user_parse_args_boolean(user, GUAC_KUBERNETES_CLIENT_ARGS, argv,
                 IDX_CREATE_RECORDING_PATH, false);
 
+    /* Parse file permissions flag */
+    settings->recording_file_permissions =
+        guac_user_parse_args_mode(user, GUAC_KUBERNETES_CLIENT_ARGS, argv,
+                IDX_RECORDING_FILE_PERMISSIONS, GUAC_KUBERNETES_DEFAULT_RECORDING_FILE_PERMISSIONS);
+
+    /* Parse path permissions flag */
+    settings->recording_path_permissions =
+        guac_user_parse_args_mode(user, GUAC_KUBERNETES_CLIENT_ARGS, argv,
+                IDX_RECORDING_PATH_PERMISSIONS, GUAC_KUBERNETES_DEFAULT_RECORDING_PATH_PERMISSIONS);
+
     /* Parse backspace key code */
     settings->backspace =
         guac_user_parse_args_int(user, GUAC_KUBERNETES_CLIENT_ARGS, argv,

diff --git a/src/protocols/kubernetes/settings.h b/src/protocols/kubernetes/settings.h
@@ -23,6 +23,8 @@
 #include <guacamole/user.h>
 
 #include <stdbool.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 /**
  * The port to connect to when initiating any Kubernetes connection, if no
@@ -46,6 +48,16 @@
  */
 #define GUAC_KUBERNETES_DEFAULT_RECORDING_NAME "recording"
 
+/**
+ * The permissions to use for the screen recording file, if not specified.
+ */
+#define GUAC_KUBERNETES_DEFAULT_RECORDING_FILE_PERMISSIONS (S_IRUSR | S_IWUSR | S_IRGRP)
+
+/**
+ * The permissions to use for the screen recording path, if not specified.
+ */
+#define GUAC_KUBERNETES_DEFAULT_RECORDING_PATH_PERMISSIONS (S_IRWXU | S_IRGRP | S_IXGRP)
+
 /**
  * Settings for the Kubernetes connection. The values for this structure are
  * parsed from the arguments given during the Guacamole protocol handshake
@@ -208,6 +220,16 @@ typedef struct guac_kubernetes_settings {
      */
     bool create_recording_path;
 
+    /**
+     * The permissions to apply for the screen recording file.
+     */
+    mode_t recording_file_permissions;
+
+    /**
+     * The permissions to apply for the screen recording file.
+     */
+    mode_t recording_path_permissions;
+
     /**
      * Whether output which is broadcast to each connected client (graphics,
      * streams, etc.) should NOT be included in the session recording. Output

diff --git a/src/protocols/rdp/rdp.c b/src/protocols/rdp/rdp.c
@@ -821,6 +821,8 @@ void* guac_rdp_client_thread(void* data) {
                 settings->recording_path,
                 settings->recording_name,
                 settings->create_recording_path,
+                settings->recording_file_permissions,
+                settings->recording_path_permissions,
                 !settings->recording_exclude_output,
                 !settings->recording_exclude_mouse,
                 !settings->recording_exclude_touch,

diff --git a/src/protocols/rdp/settings.c b/src/protocols/rdp/settings.c
@@ -122,6 +122,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
     "recording-exclude-touch",
     "recording-include-keys",
     "create-recording-path",
+    "recording-file-permissions",
+    "recording-path-permissions",
     "resize-method",
     "enable-audio-input",
     "enable-touch",
@@ -564,6 +566,18 @@ enum RDP_ARGS_IDX {
      */
     IDX_CREATE_RECORDING_PATH,
 
+    /**
+     * The permissions that should be given to screen recording file which is written in
+     * the given path.
+     */
+    IDX_RECORDING_FILE_PERMISSIONS,
+
+    /**
+     * The permissions that should be given to screen recording path which is written in
+     * the given path.
+     */
+    IDX_RECORDING_PATH_PERMISSIONS,
+
     /**
      * The method to use to apply screen size changes requested by the user.
      * Valid values are blank, "display-update", and "reconnect".
@@ -1161,6 +1175,16 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
         guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
                 IDX_CREATE_RECORDING_PATH, 0);
 
+    /* Parse file permissions flag */
+    settings->recording_file_permissions =
+        guac_user_parse_args_mode(user, GUAC_RDP_CLIENT_ARGS, argv,
+                IDX_RECORDING_FILE_PERMISSIONS, GUAC_RDP_DEFAULT_RECORDING_FILE_PERMISSIONS);
+
+    /* Parse path permissions flag */
+    settings->recording_path_permissions =
+        guac_user_parse_args_mode(user, GUAC_RDP_CLIENT_ARGS, argv,
+                IDX_RECORDING_PATH_PERMISSIONS, GUAC_RDP_DEFAULT_RECORDING_PATH_PERMISSIONS);
+
     /* No resize method */
     if (strcmp(argv[IDX_RESIZE_METHOD], "") == 0) {
         guac_user_log(user, GUAC_LOG_INFO, "Resize method: none");