ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-09 21:41:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Support servers without multiple user support (#76)

Browse Source
This commit is contained in:
Patrick Stewart 2019-03-20 14:44:49 +00:00 committed by Matt Johnston
parent 2fd3b9f560
commit 0af22aa8e4
5 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
default_options.h
View File

@ -196,6 +196,9 @@ group1 in Dropbear server too */
* authorized_keys file into account */
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
/* Disable if your kernel does not have multiple user support */
#define DROPBEAR_SVR_MULTIUSER 1
/* Client authentication options */
#define DROPBEAR_CLI_PASSWORD_AUTH 1
#define DROPBEAR_CLI_PUBKEY_AUTH 1

8
svr-agentfwd.c
View File

@ -151,6 +151,7 @@ void svr_agentcleanup(struct ChanSess * chansess) {
if (chansess->agentfile != NULL && chansess->agentdir != NULL) {
#if DROPBEAR_SVR_MULTIUSER
/* Remove the dir as the user. That way they can't cause problems except
* for themselves */
uid = getuid();
@ -159,6 +160,7 @@ void svr_agentcleanup(struct ChanSess * chansess) {
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
#endif
/* 2 for "/" and "\0" */
len = strlen(chansess->agentdir) + strlen(chansess->agentfile) + 2;
@ -170,10 +172,12 @@ void svr_agentcleanup(struct ChanSess * chansess) {
rmdir(chansess->agentdir);
#if DROPBEAR_SVR_MULTIUSER
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
#endif
m_free(chansess->agentfile);
m_free(chansess->agentdir);
@ -216,6 +220,7 @@ static int bindagent(int fd, struct ChanSess * chansess) {
gid_t gid;
int ret = DROPBEAR_FAILURE;
#if DROPBEAR_SVR_MULTIUSER
/* drop to user privs to make the dir/file */
uid = getuid();
gid = getgid();
@ -223,6 +228,7 @@ static int bindagent(int fd, struct ChanSess * chansess) {
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
#endif
memset((void*)&addr, 0x0, sizeof(addr));
addr.sun_family = AF_UNIX;
@ -262,10 +268,12 @@ bindsocket:
out:
#if DROPBEAR_SVR_MULTIUSER
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
#endif
return ret;
}

2
svr-auth.c
View File

@ -276,7 +276,7 @@ static int checkusername(const char *username, unsigned int userlen) {
/* check if we are running as non-root, and login user is different from the server */
uid = geteuid();
if (uid != 0 && uid != ses.authstate.pw_uid) {
if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
TRACE(("running as nonroot, only server uid is allowed"))
dropbear_log(LOG_WARNING,
"Login attempt with wrong user %s from %s",

4
svr-authpubkey.c
View File

@ -347,6 +347,7 @@ static int checkpubkey(const char* algo, unsigned int algolen,
snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
ses.authstate.pw_dir);
#if DROPBEAR_SVR_MULTIUSER
/* open the file as the authenticating user. */
origuid = getuid();
origgid = getgid();
@ -354,13 +355,16 @@ static int checkpubkey(const char* algo, unsigned int algolen,
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
#endif
authfile = fopen(filename, "r");
#if DROPBEAR_SVR_MULTIUSER
if ((seteuid(origuid)) < 0 ||
(setegid(origgid)) < 0) {
dropbear_exit("Failed to revert euid");
}
#endif
if (authfile == NULL) {
goto out;

2
svr-chansession.c
View File

@ -949,6 +949,7 @@ static void execchild(const void *user_data) {
#endif /* HAVE_CLEARENV */
#endif /* DEBUG_VALGRIND */
#if DROPBEAR_SVR_MULTIUSER
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
@ -972,6 +973,7 @@ static void execchild(const void *user_data) {
dropbear_exit("Couldn't change user as non-root");
}
}
#endif
/* set env vars */
addnewvar("USER", ses.authstate.pw_name);