dropbear: svr-runopts.c comparison

comparison svr-runopts.c @ 1861:2b3a8026a6ce

Add re-exec for server This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.

author	Matt Johnston <matt@ucc.asn.au>
date	Sun, 30 Jan 2022 10:14:56 +0800
parents	8f28519e34b0
children	4a6725ac957c

comparison

equal deleted inserted replaced

-:5001e9c5641f
+:2b3a8026a6ce
 #if INETD_MODE
 				case 'i':
 					svr_opts.inetdmode = 1;
 					break;
 #endif
+#if DROPBEAR_DO_REEXEC && NON_INETD_MODE
+				/* For internal use by re-exec */
+				case '2':
+					svr_opts.reexec_child = 1;
+					break;
+#endif
 				case 'p':
 				  nextisport = 1;
 				  break;
 				case 'P':
 					next = &svr_opts.pidfile;
 	}
 	if (svr_opts.forced_command) {
 		dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
 	}
+#if INETD_MODE
+	if (svr_opts.inetdmode && (
+		opts.usingsyslog == 0
+#if DEBUG_TRACE
+		|| debug_trace
+#endif
+		)) {
+		/* log output goes to stderr which would get sent over the inetd network socket */
+		dropbear_exit("Dropbear inetd mode is incompatible with debug -v or non-syslog");
+	}
+#endif
 #if DROPBEAR_PLUGIN
 if (pubkey_plugin) {
 char *args = strchr(pubkey_plugin, ',');
 if (args) {
 *args='\0';

Mercurial > dropbear

comparison svr-runopts.c @ 1861:2b3a8026a6ce