Check authorized_keys permissions as the user

This is necessary on NFS with squash root.
Based on work from Chris Dragan
This commit also tidies some trailing whitespace.

Fixes github pull #107
Matt Johnston 2022-03-30 12:56:09 +08:00
parent 6f793d42d0
commit 2f68f6693f


@ -213,7 +213,6 @@ void svr_auth_pubkey(int valid_user) {
svr_ses.plugin_instance->auth_success(ses.plugin_session); svr_ses.plugin_instance->auth_success(ses.plugin_session);
} }
#endif #endif
} else { } else {
dropbear_log(LOG_WARNING, dropbear_log(LOG_WARNING,
"Pubkey auth bad signature for '%s' with key %s from %s", "Pubkey auth bad signature for '%s' with key %s from %s",
@ -427,23 +426,8 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
TRACE(("enter checkpubkey")) TRACE(("enter checkpubkey"))
/* check file permissions, also whether file exists */
if (checkpubkeyperms() == DROPBEAR_FAILURE) {
TRACE(("bad authorized_keys permissions, or file doesn't exist"))
goto out;
}
/* we don't need to check pw and pw_dir for validity, since
* its been done in checkpubkeyperms. */
len = strlen(ses.authstate.pw_dir);
/* allocate max required pathname storage,
* = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
filename = m_malloc(len + 22);
snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
ses.authstate.pw_dir);
#if DROPBEAR_SVR_MULTIUSER #if DROPBEAR_SVR_MULTIUSER
/* open the file as the authenticating user. */ /* access the file as the authenticating user. */
origuid = getuid(); origuid = getuid();
origgid = getgid(); origgid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 || if ((setegid(ses.authstate.pw_gid)) < 0 ||
@ -451,9 +435,24 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
dropbear_exit("Failed to set euid"); dropbear_exit("Failed to set euid");
} }
#endif #endif
/* check file permissions, also whether file exists */
if (checkpubkeyperms() == DROPBEAR_FAILURE) {
TRACE(("bad authorized_keys permissions, or file doesn't exist"))
} else {
/* we don't need to check pw and pw_dir for validity, since
* its been done in checkpubkeyperms. */
len = strlen(ses.authstate.pw_dir);
/* allocate max required pathname storage,
* = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
filename = m_malloc(len + 22);
snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
ses.authstate.pw_dir);
authfile = fopen(filename, "r"); authfile = fopen(filename, "r");
if (!authfile) {
TRACE(("checkpubkey: failed opening %s: %s", filename, strerror(errno)))
}
}
#if DROPBEAR_SVR_MULTIUSER #if DROPBEAR_SVR_MULTIUSER
if ((seteuid(origuid)) < 0 || if ((seteuid(origuid)) < 0 ||
(setegid(origgid)) < 0) { (setegid(origgid)) < 0) {
@ -485,7 +484,6 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
} }
/* We continue to the next line otherwise */ /* We continue to the next line otherwise */
} while (1); } while (1);
out: out:
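Review bot: In the `@ -451,9 +435,24` hunk of checkpubkey, the `checkpubkeyperms() == DROPBEAR_FAILURE` branch no longer has a `goto out` and depends on falling through to the `seteuid(origuid)` / `setegid(origgid)` revert with `authfile` still unset, but nothing on the new lines says so. Under `DROPBEAR_SVR_MULTIUSER`, a later edit that restores the early jump would skip the revert and leave the process with the authenticating user's effective ids, so I would add a comment in that branch such as `/* no goto here: fall through so the euid/egid revert below always runs; authfile stays NULL */`. The initialisation of `authfile` and the NULL check after the revert are outside the visible hunks, so confirm both are present. Separately, the permission check and `fopen(filename, "r")` are still two path-based steps, so the file that was checked is not guaranteed to be the file that is opened. If checkpubkeyperms can be split that way, an `fstat` on the opened stream's descriptor would tie the two together.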