On Wed, 10 Mar 2021 at 12:14, Hans Harder <h...@atbas.org> wrote:
> Indeed that is the correct question, because you can easily do
>
> #if DROPBEAR_SVR_MULTIUSER
> if (getuid() != ses.authstate.pw_uid) {
> setgid and setuid part
> }
> #endif
Well yes, if you're confident that setgid() and initgroups() won't
need to be called when the root user logs in, then you could do that.
Here's what I have; it seems to work for me, although I've not done
any wide testing on it other than "it runs and lets me log in to my
system running both the old (multiuser) and the new (non-multiuser)
linux kernel".
Geoff
diff -U 3 -bB dropbear-2020.81/svr-agentfwd.c dropbear-2020.81_gw/svr-agentfwd.c
--- dropbear-2020.81/svr-agentfwd.c 2020-10-29 13:35:50.000000000 +0000
+++ dropbear-2020.81_gw/svr-agentfwd.c 2021-03-10 13:28:20.303227469 +0000
@@ -154,12 +154,14 @@
#if DROPBEAR_SVR_MULTIUSER
/* Remove the dir as the user. That way they can't
cause problems except
* for themselves */
+ if (ses.authstate.pw_uid != 0) {
uid = getuid();
gid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+ }
#endif
/* 2 for "/" and "\0" */
@@ -173,10 +175,12 @@
rmdir(chansess->agentdir);
#if DROPBEAR_SVR_MULTIUSER
+ if (ses.authstate.pw_uid != 0) {
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+ }
#endif
m_free(chansess->agentfile);
@@ -221,6 +225,7 @@
int ret = DROPBEAR_FAILURE;
#if DROPBEAR_SVR_MULTIUSER
+ if (ses.authstate.pw_uid != 0) {
/* drop to user privs to make the dir/file */
uid = getuid();
gid = getgid();
@@ -228,6 +233,7 @@
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+ }
#endif
memset((void*)&addr, 0x0, sizeof(addr));
@@ -269,10 +275,12 @@
out:
#if DROPBEAR_SVR_MULTIUSER
+ if (ses.authstate.pw_uid != 0) {
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+ }
#endif
return ret;
}
diff -U 3 -bB dropbear-2020.81/svr-authpubkey.c
dropbear-2020.81_gw/svr-authpubkey.c
--- dropbear-2020.81/svr-authpubkey.c 2020-10-29 13:35:50.000000000 +0000
+++ dropbear-2020.81_gw/svr-authpubkey.c 2021-03-10
13:31:31.820807682 +0000
@@ -396,6 +396,7 @@
ses.authstate.pw_dir);
#if DROPBEAR_SVR_MULTIUSER
+ if (ses.authstate.pw_uid != 0) {
/* open the file as the authenticating user. */
origuid = getuid();
origgid = getgid();
@@ -403,15 +404,18 @@
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+ }
#endif
authfile = fopen(filename, "r");
#if DROPBEAR_SVR_MULTIUSER
+ if (ses.authstate.pw_uid != 0) {
if ((seteuid(origuid)) < 0 ||
(setegid(origgid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+ }
#endif
if (authfile == NULL) {
diff -U 3 -bB dropbear-2020.81/svr-chansession.c
dropbear-2020.81_gw/svr-chansession.c
--- dropbear-2020.81/svr-chansession.c 2020-10-29 13:35:50.000000000 +0000
+++ dropbear-2020.81_gw/svr-chansession.c 2021-03-10
13:25:02.115592221 +0000
@@ -954,12 +954,14 @@
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
- if ((setgid(ses.authstate.pw_gid) < 0) ||
+ if (((setgid(ses.authstate.pw_gid) < 0) ||
(initgroups(ses.authstate.pw_name,
- ses.authstate.pw_gid) < 0)) {
+ ses.authstate.pw_gid) < 0))
+ && (ses.authstate.pw_uid != 0)) { /* if we're
not changing user, we probably don't mind the fail */
dropbear_exit("Error changing user group");
}
- if (setuid(ses.authstate.pw_uid) < 0) {
+ if ((setuid(ses.authstate.pw_uid) < 0)
+ && (ses.authstate.pw_uid != 0)) { /* if we're
not changing user, we probably don't mind the fail */
dropbear_exit("Error changing user");
}
} else {
