Check authorized_keys permissions as the user

This is necessary on NFS with squash root.
Based on work from Chris Dragan
This commit also tidies some trailing whitespace.

Fixes github pull #107
Matt Johnston 2022-03-30 12:56:09 +08:00
parent 6f793d42d0
commit 2f68f6693f


@ -213,7 +213,6 @@ void svr_auth_pubkey(int valid_user) {
svr_ses.plugin_instance->auth_success(ses.plugin_session); svr_ses.plugin_instance->auth_success(ses.plugin_session);
} }
#endif #endif
} else { } else {
dropbear_log(LOG_WARNING, dropbear_log(LOG_WARNING,
"Pubkey auth bad signature for '%s' with key %s from %s", "Pubkey auth bad signature for '%s' with key %s from %s",
@ -427,12 +426,19 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
TRACE(("enter checkpubkey")) TRACE(("enter checkpubkey"))
#if DROPBEAR_SVR_MULTIUSER
/* access the file as the authenticating user. */
origuid = getuid();
origgid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
#endif
/* check file permissions, also whether file exists */ /* check file permissions, also whether file exists */
if (checkpubkeyperms() == DROPBEAR_FAILURE) { if (checkpubkeyperms() == DROPBEAR_FAILURE) {
TRACE(("bad authorized_keys permissions, or file doesn't exist")) TRACE(("bad authorized_keys permissions, or file doesn't exist"))
goto out; } else {
}
/* we don't need to check pw and pw_dir for validity, since /* we don't need to check pw and pw_dir for validity, since
* its been done in checkpubkeyperms. */ * its been done in checkpubkeyperms. */
len = strlen(ses.authstate.pw_dir); len = strlen(ses.authstate.pw_dir);
@ -442,18 +448,11 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
snprintf(filename, len + 22, "%s/.ssh/authorized_keys", snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
ses.authstate.pw_dir); ses.authstate.pw_dir);
#if DROPBEAR_SVR_MULTIUSER
/* open the file as the authenticating user. */
origuid = getuid();
origgid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
#endif
authfile = fopen(filename, "r"); authfile = fopen(filename, "r");
if (!authfile) {
TRACE(("checkpubkey: failed opening %s: %s", filename, strerror(errno)))
}
}
#if DROPBEAR_SVR_MULTIUSER #if DROPBEAR_SVR_MULTIUSER
if ((seteuid(origuid)) < 0 || if ((seteuid(origuid)) < 0 ||
(setegid(origgid)) < 0) { (setegid(origgid)) < 0) {
@ -485,7 +484,6 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
} }
/* We continue to the next line otherwise */ /* We continue to the next line otherwise */
} while (1); } while (1);
out: out:
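Review bot: In the second hunk of checkpubkey(), the region that runs with the authenticating user's euid/egid now spans checkpubkeyperms(), the filename allocation and fopen(), but nothing in the code says that every path through it must reach the `seteuid(origuid)`/`setegid(origgid)` revert. The removed `goto out` was exactly such a bypass, so a comment on the new `else` branch would protect the invariant, e.g. `/* no early exit in this region: euid/egid must be restored below */`. Separately, `origuid = getuid();` and `origgid = getgid();` save the real ids while the revert sets effective ids; the two agree only if real and effective ids match on entry, which these hunks do not show, so `geteuid()`/`getegid()` would state the intent directly. checkpubkey() begins and ends outside the hunks and checkpubkeyperms() is not shown, so it should be confirmed that nothing it does depends on the original privileges.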