Mercurial > dropbear
view SMALL @ 1930:299f4f19ba19
Add /usr/sbin and /sbin to default root PATH
When dropbear is used in a very restricted environment (such as in a
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting to use the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotic but
multiple Kali users have been bitten by this.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
| author | Raphael Hertzog <hertzog@debian.org> |
|---|---|
| date | Mon, 09 Jul 2018 16:27:53 +0200 |
| parents | 13cb8cc1b0e4 |
| children |
line wrap: on
line source
Tips for a small system: If you only want server functionality (for example), compile with make PROGRAMS=dropbear rather than just make dropbear so that client functionality in shared portions of Dropbear won't be included. The same applies if you are compiling just a client. --- The following are set in localoptions.h: - If you're compiling statically, you can turn off host lookups - You can disable either password or public-key authentication, though note that the IETF draft states that pubkey authentication is required. - Similarly with DSS and RSA, you can disable one of these if you know that all clients will be able to support a particular one. The IETF draft states that DSS is required, however you may prefer to use RSA. DON'T disable either of these on systems where you aren't 100% sure about who will be connecting and what clients they will be using. - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize - You can disable x11, tcp and agent forwarding as desired. None of these are essential, although agent-forwarding is often useful even on firewall boxes. --- If you are compiling statically, you may want to disable zlib, as it will use a few tens of kB of binary-size (./configure --disable-zlib). You can create a combined binary, see the file MULTI, which will put all the functions into one binary, avoiding repeated code. If you're compiling with gcc, you might want to look at gcc's options for stripping unused code. The relevant vars to set before configure are: LDFLAGS=-Wl,--gc-sections CFLAGS="-ffunction-sections -fdata-sections" You can also experiment with optimisation flags such as -Os, note that in some cases these flags actually seem to increase size, so experiment before deciding. Of course using small C libraries such as uClibc and dietlibc can also help. If you have any queries, mail me and I'll see if I can help.