Added check that only the dropbear user is allowed to login if it is
running as non-root.
Removed the log message,
--- loginrec.c 2013-04-15 08:01:58.000000000 -0600
+++ loginrec.c 2013-04-17 06:01:57.000000000 -0600
@@ -329,8 +329,6 @@ login_write (struct logininfo *li)
{
#ifndef HAVE_CYGWIN
if ((int)geteuid() != 0) {
- dropbear_log(LOG_WARNING,
- "Attempt to write login records by non-root
user (aborting)");
return 1;
}
#endif
--- svr-auth.c 2013-04-15 08:01:58.000000000 -0600
+++ svr-auth.c 2013-04-17 06:00:22.000000000 -0600
@@ -226,6 +226,7 @@ static int checkusername(unsigned char *
char* listshell = NULL;
char* usershell = NULL;
+ int uid;
TRACE(("enter checkusername"))
if (userlen > MAX_USERNAME_LEN) {
return DROPBEAR_FAILURE;
@@ -255,6 +256,18 @@ static int checkusername(unsigned char *
return DROPBEAR_FAILURE;
}
+ /* check if we are running as non-root, and login user is
different from the server */
+ uid=geteuid();
+ if (uid != 0 && uid != ses.authstate.pw_uid) {
+ TRACE(("running as nonroot, only server uid is allowed"))
+ dropbear_log(LOG_WARNING,
+ "Login attempt with wrong user %s from %s",
+ ses.authstate.pw_name,
+ svr_ses.addrstring);
+ send_msg_userauth_failure(0, 1);
+ return DROPBEAR_FAILURE;
+ }
+
/* check for non-root if desired */
if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
TRACE(("leave checkusername: root login disabled"))
