Mercurial > dropbear
changeset 782:e0084f136cb8
If running as non-root only allow that user to log in
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 17 Apr 2013 22:29:18 +0800 |
| parents | f110d321fe7a |
| children | 34e69908b3f7 d7784616409a |
| files | loginrec.c svr-auth.c |
| diffstat | 2 files changed, 13 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/loginrec.c Tue Apr 16 22:16:32 2013 +0800 +++ b/loginrec.c Wed Apr 17 22:29:18 2013 +0800 @@ -329,8 +329,6 @@ { #ifndef HAVE_CYGWIN if ((int)geteuid() != 0) { - dropbear_log(LOG_WARNING, - "Attempt to write login records by non-root user (aborting)"); return 1; } #endif
--- a/svr-auth.c Tue Apr 16 22:16:32 2013 +0800 +++ b/svr-auth.c Wed Apr 17 22:29:18 2013 +0800 @@ -226,6 +226,7 @@ char* listshell = NULL; char* usershell = NULL; + int uid; TRACE(("enter checkusername")) if (userlen > MAX_USERNAME_LEN) { return DROPBEAR_FAILURE; @@ -255,6 +256,18 @@ return DROPBEAR_FAILURE; } + /* check if we are running as non-root, and login user is different from the server */ + uid = geteuid(); + if (uid != 0 && uid != ses.authstate.pw_uid) { + TRACE(("running as nonroot, only server uid is allowed")) + dropbear_log(LOG_WARNING, + "Login attempt with wrong user %s from %s", + ses.authstate.pw_name, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + return DROPBEAR_FAILURE; + } + /* check for non-root if desired */ if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { TRACE(("leave checkusername: root login disabled"))