On Wed, 10 Mar 2021 at 12:14, Hans Harder <h...@atbas.org> wrote: > Indeed that is the correct question, because you can easily do > > #if DROPBEAR_SVR_MULTIUSER > if (getuid() != ses.authstate.pw_uid) { > setgid and setuid part > } > #endif
Well yes, if you're confident that setgid() and initgroups() won't need to be called when the root user logs in, then you could do that. Here's what I have; it seems to work for me, although I've not done any wide testing on it other than "it runs and lets me log in to my system running both the old (multiuser) and the new (non-multiuser) linux kernel". Geoff diff -U 3 -bB dropbear-2020.81/svr-agentfwd.c dropbear-2020.81_gw/svr-agentfwd.c --- dropbear-2020.81/svr-agentfwd.c 2020-10-29 13:35:50.000000000 +0000 +++ dropbear-2020.81_gw/svr-agentfwd.c 2021-03-10 13:28:20.303227469 +0000 @@ -154,12 +154,14 @@ #if DROPBEAR_SVR_MULTIUSER /* Remove the dir as the user. That way they can't cause problems except * for themselves */ + if (ses.authstate.pw_uid != 0) { uid = getuid(); gid = getgid(); if ((setegid(ses.authstate.pw_gid)) < 0 || (seteuid(ses.authstate.pw_uid)) < 0) { dropbear_exit("Failed to set euid"); } + } #endif /* 2 for "/" and "\0" */ @@ -173,10 +175,12 @@ rmdir(chansess->agentdir); #if DROPBEAR_SVR_MULTIUSER + if (ses.authstate.pw_uid != 0) { if ((seteuid(uid)) < 0 || (setegid(gid)) < 0) { dropbear_exit("Failed to revert euid"); } + } #endif m_free(chansess->agentfile); @@ -221,6 +225,7 @@ int ret = DROPBEAR_FAILURE; #if DROPBEAR_SVR_MULTIUSER + if (ses.authstate.pw_uid != 0) { /* drop to user privs to make the dir/file */ uid = getuid(); gid = getgid(); @@ -228,6 +233,7 @@ (seteuid(ses.authstate.pw_uid)) < 0) { dropbear_exit("Failed to set euid"); } + } #endif memset((void*)&addr, 0x0, sizeof(addr)); @@ -269,10 +275,12 @@ out: #if DROPBEAR_SVR_MULTIUSER + if (ses.authstate.pw_uid != 0) { if ((seteuid(uid)) < 0 || (setegid(gid)) < 0) { dropbear_exit("Failed to revert euid"); } + } #endif return ret; } diff -U 3 -bB dropbear-2020.81/svr-authpubkey.c dropbear-2020.81_gw/svr-authpubkey.c --- dropbear-2020.81/svr-authpubkey.c 2020-10-29 13:35:50.000000000 +0000 +++ dropbear-2020.81_gw/svr-authpubkey.c 2021-03-10 13:31:31.820807682 +0000 @@ -396,6 +396,7 @@ ses.authstate.pw_dir); #if DROPBEAR_SVR_MULTIUSER + if (ses.authstate.pw_uid != 0) { /* open the file as the authenticating user. */ origuid = getuid(); origgid = getgid(); @@ -403,15 +404,18 @@ (seteuid(ses.authstate.pw_uid)) < 0) { dropbear_exit("Failed to set euid"); } + } #endif authfile = fopen(filename, "r"); #if DROPBEAR_SVR_MULTIUSER + if (ses.authstate.pw_uid != 0) { if ((seteuid(origuid)) < 0 || (setegid(origgid)) < 0) { dropbear_exit("Failed to revert euid"); } + } #endif if (authfile == NULL) { diff -U 3 -bB dropbear-2020.81/svr-chansession.c dropbear-2020.81_gw/svr-chansession.c --- dropbear-2020.81/svr-chansession.c 2020-10-29 13:35:50.000000000 +0000 +++ dropbear-2020.81_gw/svr-chansession.c 2021-03-10 13:25:02.115592221 +0000 @@ -954,12 +954,14 @@ /* We can only change uid/gid as root ... */ if (getuid() == 0) { - if ((setgid(ses.authstate.pw_gid) < 0) || + if (((setgid(ses.authstate.pw_gid) < 0) || (initgroups(ses.authstate.pw_name, - ses.authstate.pw_gid) < 0)) { + ses.authstate.pw_gid) < 0)) + && (ses.authstate.pw_uid != 0)) { /* if we're not changing user, we probably don't mind the fail */ dropbear_exit("Error changing user group"); } - if (setuid(ses.authstate.pw_uid) < 0) { + if ((setuid(ses.authstate.pw_uid) < 0) + && (ses.authstate.pw_uid != 0)) { /* if we're not changing user, we probably don't mind the fail */ dropbear_exit("Error changing user"); } } else {