ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-03 18:52:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

If running as non-root only allow that user to log in

Browse Source
This commit is contained in:
Matt Johnston 2013-04-17 22:29:18 +08:00
parent 154a65fc31
commit 54a76342f5
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
loginrec.c
View File

@ -329,8 +329,6 @@ login_write (struct logininfo *li)
{ {
#ifndef HAVE_CYGWIN #ifndef HAVE_CYGWIN
if ((int)geteuid() != 0) { if ((int)geteuid() != 0) {
dropbear_log(LOG_WARNING,
"Attempt to write login records by non-root user (aborting)");
return 1; return 1;
} }
#endif #endif

13
svr-auth.c
View File

@ -226,6 +226,7 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
char* listshell = NULL; char* listshell = NULL;
char* usershell = NULL; char* usershell = NULL;
int uid;
TRACE(("enter checkusername")) TRACE(("enter checkusername"))
if (userlen > MAX_USERNAME_LEN) { if (userlen > MAX_USERNAME_LEN) {
return DROPBEAR_FAILURE; return DROPBEAR_FAILURE;
@ -255,6 +256,18 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
return DROPBEAR_FAILURE; return DROPBEAR_FAILURE;
} }
/* check if we are running as non-root, and login user is different from the server */
uid = geteuid();
if (uid != 0 && uid != ses.authstate.pw_uid) {
TRACE(("running as nonroot, only server uid is allowed"))
dropbear_log(LOG_WARNING,
"Login attempt with wrong user %s from %s",
ses.authstate.pw_name,
svr_ses.addrstring);
send_msg_userauth_failure(0, 1);
return DROPBEAR_FAILURE;
}
/* check for non-root if desired */ /* check for non-root if desired */
if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
TRACE(("leave checkusername: root login disabled")) TRACE(("leave checkusername: root login disabled"))