Indeed that is the correct question, because you can easily do #if DROPBEAR_SVR_MULTIUSER if (getuid() != ses.authstate.pw_uid) { setgid and setuid part } #endif
On Wed, Mar 10, 2021 at 11:41 AM Geoff Winkless <dropb...@ukku.uk> wrote: > > On Tue, 9 Mar 2021 at 15:43, Kazuo Kuroi <ka...@irixnet.org> wrote: > > That's a good suggestion. but I suggest that if your code can't run on > > UNIX platforms that it would need an include guard against it. > > I completely understand your concern. > > I would hope that the changes would be system-agnostic: the idea would > merely be that if the setgroups (or indeed setuid) call fails, it > checks if the current running user is the same as the login user and > ignores the failure if so. > > It could be simplified further by just skipping all the setuid and > setgroup code if the login user is the same as the running user, but > I'm not sure if that would always be acceptable (there may be some > systems where the group calls need to be made even if the users are > the same?) so I thought it would be best to add the check after > failure. > > Geoff