# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1366208958 -28800
# Node ID e0084f136cb88f8530928d85378b1d344d41f789
# Parent  f110d321fe7abb8864a1ab3268984f7cb02ac285
If running as non-root only allow that user to log in

diff -r f110d321fe7a -r e0084f136cb8 loginrec.c
--- a/loginrec.c	Tue Apr 16 22:16:32 2013 +0800
+++ b/loginrec.c	Wed Apr 17 22:29:18 2013 +0800
@@ -329,8 +329,6 @@
 {
 #ifndef HAVE_CYGWIN
 	if ((int)geteuid() != 0) {
-	  dropbear_log(LOG_WARNING,
-			  "Attempt to write login records by non-root user (aborting)");
 	  return 1;
 	}
 #endif
diff -r f110d321fe7a -r e0084f136cb8 svr-auth.c
--- a/svr-auth.c	Tue Apr 16 22:16:32 2013 +0800
+++ b/svr-auth.c	Wed Apr 17 22:29:18 2013 +0800
@@ -226,6 +226,7 @@
 
 	char* listshell = NULL;
 	char* usershell = NULL;
+	int   uid;
 	TRACE(("enter checkusername"))
 	if (userlen > MAX_USERNAME_LEN) {
 		return DROPBEAR_FAILURE;
@@ -255,6 +256,18 @@
 		return DROPBEAR_FAILURE;
 	}
 
+	/* check if we are running as non-root, and login user is different from the server */
+	uid = geteuid();
+	if (uid != 0 && uid != ses.authstate.pw_uid) {
+		TRACE(("running as nonroot, only server uid is allowed"))
+		dropbear_log(LOG_WARNING,
+				"Login attempt with wrong user %s from %s",
+				ses.authstate.pw_name,
+				svr_ses.addrstring);
+		send_msg_userauth_failure(0, 1);
+		return DROPBEAR_FAILURE;
+	}
+
 	/* check for non-root if desired */
 	if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
 		TRACE(("leave checkusername: root login disabled"))