changeset 1921:284c3837891c

Allow user space file locations (rootless support) Why: Running dropbear as a user (rootless) is aided if files and programs can be saved/removed without needing sudo. What: Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY; if not starting with '/', then is relative to hedge's /home/hedge: *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH default_options.h commentary added. Changes kept to a minimum, so log entry in svr_kex.c#163 is refactored. From: Generated hostkey is <path> ... <finger-print> to: Generated hostkey path is <path> Generated hostkey fingerprint is <fp> Otherwise the unexpanded path was reported. Patch modified by Matt Johnston Signed-off-by: Begley Brothers Inc <[email protected]>
author Begley Brothers Inc <begleybrothers@gmail.com>
date Thu, 09 Jul 2020 17:47:58 +1000
parents 1489449eceb1
children 70f05f7d4d11
files CHANGES default_options.h svr-chansession.c svr-kex.c svr-runopts.c
diffstat 5 files changed, 42 insertions(+), 19 deletions(-) [+]
--- a/CHANGES	Wed Mar 30 12:56:09 2022 +0800
+++ b/CHANGES	Thu Jul 09 17:47:58 2020 +1000
@@ -1,3 +1,10 @@
+- The following config paths are now relative to a home directory if
+  starting with "~". Thanks to Begley Brothers Inc
+  *_PRIV_FILENAME
+  DROPBEAR_PIDFILE
+  SFTPSERVER_PATH
+  MOTD_FILENAME
+
 2020.81 - 29 October 2020
 
 - Fix regression in 2020.79 which prevented connecting with some SSH 
--- a/default_options.h	Wed Mar 30 12:56:09 2022 +0800
+++ b/default_options.h	Thu Jul 09 17:47:58 2020 +1000
@@ -18,7 +18,9 @@
 /* Listen on all interfaces */
 #define DROPBEAR_DEFADDRESS ""
 
-/* Default hostkey paths - these can be specified on the command line */
+/* Default hostkey paths - these can be specified on the command line.
+ * Homedir is prepended if path begins with ~
+ */
 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
@@ -231,9 +233,10 @@
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 
-/* A default argument for dbclient -i <privatekey>. 
-Homedir is prepended unless path begins with / */
-#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
+/* A default argument for dbclient -i <privatekey>.
+ * Homedir is prepended if path begins with ~
+ */
+#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear"
 
 /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
  * environment variable. */
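Review bot: The default for `DROPBEAR_DEFAULT_CLI_AUTHKEY` changes from the home-relative `.ssh/id_dropbear` to `~/.ssh/id_dropbear`, but no client-side file appears in this changeset's file list, so the code that consumes the macro is not shown to follow the new rule. If that consumer still prepends the home directory to anything not starting with `/`, the default key path would no longer resolve, so it is worth confirming that it already goes through the same `~` expansion. Builds that override the macro with a bare relative path would also change meaning silently, and the CHANGES entry does not list this macro. Suggest adding `DROPBEAR_DEFAULT_CLI_AUTHKEY` to the CHANGES list and, if that is the intended behaviour, a comment line such as `* A path without a leading ~ is used as given, not made relative to the home directory`.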
@@ -275,7 +278,9 @@
 #define UNAUTH_CLOSE_DELAY 0
 
 /* The default file to store the daemon's process ID, for shutdown
-   scripts etc. This can be overridden with the -P flag */
+ * scripts etc. This can be overridden with the -P flag.
+ * Homedir is prepended if path begins with ~
+ */
 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
 
 /* The command to invoke for xauth when using X11 forwarding.
@@ -283,9 +288,11 @@
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 
 
-/* if you want to enable running an sftp server (such as the one included with
+/* If you want to enable running an sftp server (such as the one included with
  * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. 
- * The sftp-server program is not provided by Dropbear itself */
+ * The sftp-server program is not provided by Dropbear itself.
+ * Homedir is prepended if path begins with ~
+ */
 #define DROPBEAR_SFTPSERVER 1
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
 
--- a/svr-chansession.c	Wed Mar 30 12:56:09 2022 +0800
+++ b/svr-chansession.c	Thu Jul 09 17:47:58 2020 +1000
@@ -685,8 +685,10 @@
 		if (issubsys) {
 #if DROPBEAR_SFTPSERVER
 			if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) {
+				char *expand_path = expand_homedir_path(SFTPSERVER_PATH);
 				m_free(chansess->cmd);
-				chansess->cmd = m_strdup(SFTPSERVER_PATH);
+				chansess->cmd = m_strdup(expand_path);
+				m_free(expand_path);
 			} else 
 #endif
 			{
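Review bot: `expand_homedir_path()` evidently returns heap memory (its result is passed to `m_free` two lines later), so the `m_strdup` copy is redundant. `chansess->cmd = expand_homedir_path(SFTPSERVER_PATH);` placed after `m_free(chansess->cmd);` gives the same result with one allocation. Separately, this string becomes the command run for the sftp subsystem, so it matters whose home directory `~` refers to, and the helper is not shown here. If it resolves against the uid of the server process rather than the authenticated user, say so in a comment, e.g. `/* ~ is the home of the user running dropbear, not the login user (confirm in expand_homedir_path) */`. The enclosing function starts and ends outside the hunk.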
--- a/svr-kex.c	Wed Mar 30 12:56:09 2022 +0800
+++ b/svr-kex.c	Thu Jul 09 17:47:58 2020 +1000
@@ -106,6 +106,7 @@
 static void svr_ensure_hostkey() {
 
 	const char* fn = NULL;
+	char *expand_fn = NULL;
 	enum signkey_type type = ses.newkeys->algo_hostkey;
 	void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
 	int ret = DROPBEAR_FAILURE;
@@ -142,15 +143,19 @@
 			dropbear_assert(0);
 	}
 
-	if (readhostkey(fn, svr_opts.hostkey, &type) == DROPBEAR_SUCCESS) {
-		return;
+	expand_fn = expand_homedir_path(fn);
+
+	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
+	if (ret == DROPBEAR_SUCCESS) {
+		goto out;
 	}
 
-	if (signkey_generate(type, 0, fn, 1) == DROPBEAR_FAILURE) {
+	if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) {
 		goto out;
 	}
 	
-	ret = readhostkey(fn, svr_opts.hostkey, &type);
+	/* Read what we just generated (or another process raced us) */
+	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
 
 	if (ret == DROPBEAR_SUCCESS) {
 		char *fp = NULL;
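Review bot: `expand_fn` now decides where a private host key is read from and, on the `signkey_generate` path, written to, but nothing states what is expected of a home-relative location. Nothing visible in this hunk checks that the parent directory exists or that it is writable only by the server's user; whether `signkey_generate` or `readhostkey` do so cannot be seen from here. A comment above `expand_fn = expand_homedir_path(fn);` such as `/* A ~ path lands in a user-owned tree: the directory must already exist and should not be group/world writable */` would record the assumption. `svr_ensure_hostkey` continues outside the hunk.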
@@ -161,16 +166,16 @@
 		len = key_buf->len - key_buf->pos;
 		fp = sign_key_fingerprint(buf_getptr(key_buf, len), len);
 		dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s",
-			fn, fp);
+			expand_fn, fp);
 		m_free(fp);
 		buf_free(key_buf);
 	}
 
 out:
-	if (ret == DROPBEAR_FAILURE)
-	{
-		dropbear_exit("Couldn't read or generate hostkey %s", fn);
+	if (ret == DROPBEAR_FAILURE) {
+		dropbear_exit("Couldn't read or generate hostkey %s", expand_fn);
 	}
+    m_free(expand_fn);
 }
 #endif
 	
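Review bot: The added `m_free(expand_fn);` line is indented with four spaces while the surrounding lines of the function use a tab; indent it with a single tab to match. The free also sits after the `dropbear_exit` call in the `out:` block, so it only runs when `ret` is not `DROPBEAR_FAILURE`. That is harmless if `dropbear_exit` never returns, which is not visible here, and a short comment such as `/* not reached on failure if dropbear_exit does not return */` would make the intent explicit.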
--- a/svr-runopts.c	Wed Mar 30 12:56:09 2022 +0800
+++ b/svr-runopts.c	Thu Jul 09 17:47:58 2020 +1000
@@ -163,7 +163,7 @@
 	svr_opts.portcount = 0;
 	svr_opts.hostkey = NULL;
 	svr_opts.delay_hostkey = 0;
-	svr_opts.pidfile = DROPBEAR_PIDFILE;
+	svr_opts.pidfile = expand_homedir_path(DROPBEAR_PIDFILE);
 #if DROPBEAR_SVR_LOCALTCPFWD
 	svr_opts.nolocaltcp = 0;
 #endif
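Review bot: `svr_opts.pidfile` now holds heap memory from `expand_homedir_path()` for the default, whereas a value supplied with `-P` is presumably still a pointer into the argument vector (the option parsing is outside this hunk). If so, the field has mixed ownership and the default allocation is leaked whenever `-P` is given. A `-P` value beginning with `~` would also stay unexpanded unless the parser calls the helper too, although the updated comment in default_options.h reads as if both cases are covered. Consider expanding once after option parsing, or add a comment here such as `/* heap copy of the default; replaced, not freed, if -P is given */`. The enclosing function starts and ends outside the hunk.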
@@ -530,12 +530,14 @@
 /* Must be called after syslog/etc is working */
 static void loadhostkey(const char *keyfile, int fatal_duplicate) {
 	sign_key * read_key = new_sign_key();
+	char *expand_path = expand_homedir_path(keyfile);
 	enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
-	if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) {
+	if (readhostkey(expand_path, read_key, &type) == DROPBEAR_FAILURE) {
 		if (!svr_opts.delay_hostkey) {
-			dropbear_log(LOG_WARNING, "Failed loading %s", keyfile);
+			dropbear_log(LOG_WARNING, "Failed loading %s", expand_path);
 		}
 	}
+	m_free(expand_path);
 
 #if DROPBEAR_RSA
 	if (type == DROPBEAR_SIGNKEY_RSA) {