/src/dropbear/src/svr-auth.c
Line | Count | Source |
1 | | /* |
2 | | * Dropbear - a SSH2 server |
3 | | * |
4 | | * Copyright (c) 2002,2003 Matt Johnston |
5 | | * All rights reserved. |
6 | | * |
7 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
8 | | * of this software and associated documentation files (the "Software"), to deal |
9 | | * in the Software without restriction, including without limitation the rights |
10 | | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
11 | | * copies of the Software, and to permit persons to whom the Software is |
12 | | * furnished to do so, subject to the following conditions: |
13 | | * |
14 | | * The above copyright notice and this permission notice shall be included in |
15 | | * all copies or substantial portions of the Software. |
16 | | * |
17 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
18 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
19 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
20 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
21 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
22 | | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
23 | | * SOFTWARE. */ |
24 | | |
25 | | /* This file (auth.c) handles authentication requests, passing it to the |
26 | | * particular type (auth-passwd, auth-pubkey). */ |
27 | | |
28 | | |
29 | | #include "includes.h" |
30 | | #include "dbutil.h" |
31 | | #include "session.h" |
32 | | #include "buffer.h" |
33 | | #include "ssh.h" |
34 | | #include "packet.h" |
35 | | #include "auth.h" |
36 | | #include "runopts.h" |
37 | | #include "dbrandom.h" |
38 | | |
39 | | static int checkusername(const char *username, unsigned int userlen); |
40 | | |
41 | | /* initialise the first time for a session, resetting all parameters */ |
42 | 0 | void svr_authinitialise() { |
43 | 0 | memset(&ses.authstate, 0, sizeof(ses.authstate)); |
44 | 0 | #if DROPBEAR_SVR_PUBKEY_AUTH |
45 | 0 | ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
46 | 0 | #endif |
47 | 0 | #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
48 | 0 | if (!svr_opts.noauthpass) { |
49 | 0 | ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
50 | 0 | } |
51 | 0 | #endif |
52 | 0 | } |
53 | | |
54 | | /* Send a banner message if specified to the client. The client might |
55 | | * ignore this, but possibly serves as a legal "no trespassing" sign */ |
56 | 0 | void send_msg_userauth_banner(const buffer *banner) { |
57 | |
|
58 | 0 | TRACE(("enter send_msg_userauth_banner")) |
59 | |
|
60 | 0 | CHECKCLEARTOWRITE(); |
61 | |
|
62 | 0 | buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); |
63 | 0 | buf_putbufstring(ses.writepayload, banner); |
64 | 0 | buf_putstring(ses.writepayload, "en", 2); |
65 | |
|
66 | 0 | encrypt_packet(); |
67 | |
|
68 | 0 | TRACE(("leave send_msg_userauth_banner")) |
69 | 0 | } |
70 | | |
71 | | /* handle a userauth request, check validity, pass to password or pubkey |
72 | | * checking, and handle success or failure */ |
73 | 0 | void recv_msg_userauth_request() { |
74 | |
|
75 | 0 | char *username = NULL, *servicename = NULL, *methodname = NULL; |
76 | 0 | unsigned int userlen, servicelen, methodlen; |
77 | 0 | int valid_user = 0; |
78 | |
|
79 | 0 | TRACE(("enter recv_msg_userauth_request")) |
80 | | |
81 | | /* for compensating failure delay */ |
82 | 0 | gettime_wrapper(&ses.authstate.auth_starttime); |
83 | | |
84 | | /* ignore packets if auth is already done */ |
85 | 0 | if (ses.authstate.authdone == 1) { |
86 | 0 | TRACE(("leave recv_msg_userauth_request: authdone already")) |
87 | 0 | return; |
88 | 0 | } |
89 | | |
90 | | /* send the banner if it exists, it will only exist once */ |
91 | 0 | if (svr_opts.banner) { |
92 | 0 | send_msg_userauth_banner(svr_opts.banner); |
93 | 0 | buf_free(svr_opts.banner); |
94 | 0 | svr_opts.banner = NULL; |
95 | 0 | } |
96 | |
|
97 | 0 | username = buf_getstring(ses.payload, &userlen); |
98 | 0 | servicename = buf_getstring(ses.payload, &servicelen); |
99 | 0 | methodname = buf_getstring(ses.payload, &methodlen); |
100 | | |
101 | | /* only handle 'ssh-connection' currently */ |
102 | 0 | if (!(servicelen == SSH_SERVICE_CONNECTION_LEN |
103 | 0 | && (strncmp(servicename, SSH_SERVICE_CONNECTION, |
104 | 0 | SSH_SERVICE_CONNECTION_LEN) == 0))) { |
105 | 0 | m_free(username); |
106 | 0 | m_free(servicename); |
107 | 0 | m_free(methodname); |
108 | 0 | dropbear_exit("unknown service in auth"); |
109 | 0 | } |
110 | | |
111 | | /* check username is good before continuing. |
112 | | * the 'incrfail' varies depending on the auth method to |
113 | | * avoid giving away which users exist on the system through |
114 | | * the time delay. */ |
115 | 0 | if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { |
116 | 0 | valid_user = 1; |
117 | 0 | } |
118 | | |
119 | | /* user wants to know what methods are supported */ |
120 | 0 | if (methodlen == AUTH_METHOD_NONE_LEN && |
121 | 0 | strncmp(methodname, AUTH_METHOD_NONE, |
122 | 0 | AUTH_METHOD_NONE_LEN) == 0) { |
123 | 0 | TRACE(("recv_msg_userauth_request: 'none' request")) |
124 | 0 | if (valid_user |
125 | 0 | && svr_opts.allowblankpass |
126 | 0 | && !svr_opts.noauthpass |
127 | 0 | && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) |
128 | 0 | && ses.authstate.pw_passwd[0] == '\0') |
129 | 0 | { |
130 | 0 | dropbear_log(LOG_NOTICE, |
131 | 0 | "Auth succeeded with blank password for '%s' from %s", |
132 | 0 | ses.authstate.pw_name, |
133 | 0 | svr_ses.addrstring); |
134 | 0 | send_msg_userauth_success(); |
135 | 0 | goto out; |
136 | 0 | } |
137 | 0 | else |
138 | 0 | { |
139 | | /* 'none' has no failure delay */ |
140 | 0 | send_msg_userauth_failure(0, 0); |
141 | 0 | goto out; |
142 | 0 | } |
143 | 0 | } |
144 | | |
145 | 0 | #if DROPBEAR_SVR_PASSWORD_AUTH |
146 | 0 | if (!svr_opts.noauthpass && |
147 | 0 | !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
148 | | /* user wants to try password auth */ |
149 | 0 | if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
150 | 0 | strncmp(methodname, AUTH_METHOD_PASSWORD, |
151 | 0 | AUTH_METHOD_PASSWORD_LEN) == 0) { |
152 | 0 | svr_auth_password(valid_user); |
153 | 0 | goto out; |
154 | 0 | } |
155 | 0 | } |
156 | 0 | #endif |
157 | | |
158 | | #if DROPBEAR_SVR_PAM_AUTH |
159 | | if (!svr_opts.noauthpass && |
160 | | !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
161 | | /* user wants to try password auth */ |
162 | | if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
163 | | strncmp(methodname, AUTH_METHOD_PASSWORD, |
164 | | AUTH_METHOD_PASSWORD_LEN) == 0) { |
165 | | svr_auth_pam(valid_user); |
166 | | goto out; |
167 | | } |
168 | | } |
169 | | #endif |
170 | | |
171 | 0 | #if DROPBEAR_SVR_PUBKEY_AUTH |
172 | | /* user wants to try pubkey auth */ |
173 | 0 | if (methodlen == AUTH_METHOD_PUBKEY_LEN && |
174 | 0 | strncmp(methodname, AUTH_METHOD_PUBKEY, |
175 | 0 | AUTH_METHOD_PUBKEY_LEN) == 0) { |
176 | 0 | svr_auth_pubkey(valid_user); |
177 | 0 | goto out; |
178 | 0 | } |
179 | 0 | #endif |
180 | | |
181 | | /* nothing matched, we just fail with a delay */ |
182 | 0 | send_msg_userauth_failure(0, 1); |
183 | |
|
184 | 0 | out: |
185 | |
|
186 | 0 | m_free(username); |
187 | 0 | m_free(servicename); |
188 | 0 | m_free(methodname); |
189 | 0 | } |
190 | | |
191 | | #ifdef HAVE_GETGROUPLIST |
192 | | /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
193 | 0 | static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { |
194 | 0 | int ngroups, i, ret; |
195 | 0 | gid_t *grouplist = NULL; |
196 | 0 | int match = DROPBEAR_FAILURE; |
197 | |
|
198 | 0 | for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) { |
199 | 0 | grouplist = m_malloc(sizeof(gid_t) * ngroups); |
200 | | |
201 | | /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */ |
202 | 0 | ret = getgrouplist(username, user_gid, grouplist, &ngroups); |
203 | 0 | if (ret >= 0) { |
204 | 0 | break; |
205 | 0 | } |
206 | 0 | m_free(grouplist); |
207 | 0 | grouplist = NULL; |
208 | 0 | } |
209 | |
|
210 | 0 | if (!grouplist) { |
211 | 0 | dropbear_log(LOG_ERR, "Too many groups for user '%s'", username); |
212 | 0 | return DROPBEAR_FAILURE; |
213 | 0 | } |
214 | | |
215 | 0 | for (i = 0; i < ngroups; i++) { |
216 | 0 | if (grouplist[i] == check_gid) { |
217 | 0 | match = DROPBEAR_SUCCESS; |
218 | 0 | break; |
219 | 0 | } |
220 | 0 | } |
221 | 0 | m_free(grouplist); |
222 | |
|
223 | 0 | return match; |
224 | 0 | } |
225 | | #endif |
226 | | |
227 | | /* Check that the username exists and isn't disallowed (root), and has a valid shell. |
228 | | * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ |
229 | 0 | static int checkusername(const char *username, unsigned int userlen) { |
230 | |
|
231 | 0 | char* listshell = NULL; |
232 | 0 | char* usershell = NULL; |
233 | 0 | uid_t uid; |
234 | |
|
235 | 0 | TRACE(("enter checkusername")) |
236 | 0 | if (userlen > MAX_USERNAME_LEN) { |
237 | 0 | return DROPBEAR_FAILURE; |
238 | 0 | } |
239 | | |
240 | 0 | if (strlen(username) != userlen) { |
241 | 0 | dropbear_exit("Attempted username with a null byte"); |
242 | 0 | } |
243 | | |
244 | 0 | if (ses.authstate.username == NULL) { |
245 | | /* first request */ |
246 | 0 | fill_passwd(username); |
247 | 0 | ses.authstate.username = m_strdup(username); |
248 | 0 | } else { |
249 | | /* check username hasn't changed */ |
250 | 0 | if (strcmp(username, ses.authstate.username) != 0) { |
251 | 0 | dropbear_exit("Client trying multiple usernames"); |
252 | 0 | } |
253 | 0 | } |
254 | | |
255 | | /* avoids cluttering logs with repeated failure messages from |
256 | | consecutive authentication requests in a sesssion */ |
257 | 0 | if (ses.authstate.checkusername_failed) { |
258 | 0 | TRACE(("checkusername: returning cached failure")) |
259 | 0 | return DROPBEAR_FAILURE; |
260 | 0 | } |
261 | | |
262 | | /* check that user exists */ |
263 | 0 | if (!ses.authstate.pw_name) { |
264 | 0 | TRACE(("leave checkusername: user '%s' doesn't exist", username)) |
265 | 0 | dropbear_log(LOG_WARNING, |
266 | 0 | "Login attempt for nonexistent user from %s", |
267 | 0 | svr_ses.addrstring); |
268 | 0 | ses.authstate.checkusername_failed = 1; |
269 | 0 | return DROPBEAR_FAILURE; |
270 | 0 | } |
271 | | |
272 | | /* check if we are running as non-root, and login user is different from the server */ |
273 | 0 | uid = geteuid(); |
274 | 0 | if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { |
275 | 0 | TRACE(("running as nonroot, only server uid is allowed")) |
276 | 0 | dropbear_log(LOG_WARNING, |
277 | 0 | "Login attempt with wrong user %s from %s", |
278 | 0 | ses.authstate.pw_name, |
279 | 0 | svr_ses.addrstring); |
280 | 0 | ses.authstate.checkusername_failed = 1; |
281 | 0 | return DROPBEAR_FAILURE; |
282 | 0 | } |
283 | | |
284 | | /* check for non-root if desired */ |
285 | 0 | if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { |
286 | 0 | TRACE(("leave checkusername: root login disabled")) |
287 | 0 | dropbear_log(LOG_WARNING, "root login rejected"); |
288 | 0 | ses.authstate.checkusername_failed = 1; |
289 | 0 | return DROPBEAR_FAILURE; |
290 | 0 | } |
291 | | |
292 | | /* check for login restricted to certain group if desired */ |
293 | 0 | #ifdef HAVE_GETGROUPLIST |
294 | 0 | if (svr_opts.restrict_group) { |
295 | 0 | if (check_group_membership(svr_opts.restrict_group_gid, |
296 | 0 | ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { |
297 | 0 | dropbear_log(LOG_WARNING, |
298 | 0 | "Logins are restricted to the group %s but user '%s' is not a member", |
299 | 0 | svr_opts.restrict_group, ses.authstate.pw_name); |
300 | 0 | ses.authstate.checkusername_failed = 1; |
301 | 0 | return DROPBEAR_FAILURE; |
302 | 0 | } |
303 | 0 | } |
304 | 0 | #endif /* HAVE_GETGROUPLIST */ |
305 | | |
306 | 0 | TRACE(("shell is %s", ses.authstate.pw_shell)) |
307 | | |
308 | | /* check that the shell is set */ |
309 | 0 | usershell = ses.authstate.pw_shell; |
310 | 0 | if (usershell[0] == '\0') { |
311 | | /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */ |
312 | 0 | usershell = "/bin/sh"; |
313 | 0 | } |
314 | | |
315 | | /* check the shell is valid. If /etc/shells doesn't exist, getusershell() |
316 | | * should return some standard shells like "/bin/sh" and "/bin/csh" (this |
317 | | * is platform-specific) */ |
318 | 0 | setusershell(); |
319 | 0 | while ((listshell = getusershell()) != NULL) { |
320 | 0 | TRACE(("test shell is '%s'", listshell)) |
321 | 0 | if (strcmp(listshell, usershell) == 0) { |
322 | | /* have a match */ |
323 | 0 | goto goodshell; |
324 | 0 | } |
325 | 0 | } |
326 | | /* no matching shell */ |
327 | 0 | endusershell(); |
328 | 0 | TRACE(("no matching shell")) |
329 | 0 | ses.authstate.checkusername_failed = 1; |
330 | 0 | dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", |
331 | 0 | ses.authstate.pw_name); |
332 | 0 | return DROPBEAR_FAILURE; |
333 | | |
334 | 0 | goodshell: |
335 | 0 | endusershell(); |
336 | 0 | TRACE(("matching shell")) |
337 | |
|
338 | 0 | TRACE(("uid = %d", ses.authstate.pw_uid)) |
339 | 0 | TRACE(("leave checkusername")) |
340 | 0 | return DROPBEAR_SUCCESS; |
341 | 0 | } |
342 | | |
343 | | /* Send a failure message to the client, in responds to a userauth_request. |
344 | | * Partial indicates whether to set the "partial success" flag, |
345 | | * incrfail is whether to count this failure in the failure count (which |
346 | | * is limited. This function also handles disconnection after too many |
347 | | * failures */ |
348 | 0 | void send_msg_userauth_failure(int partial, int incrfail) { |
349 | |
|
350 | 0 | buffer *typebuf = NULL; |
351 | |
|
352 | 0 | TRACE(("enter send_msg_userauth_failure")) |
353 | |
|
354 | 0 | CHECKCLEARTOWRITE(); |
355 | | |
356 | 0 | buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE); |
357 | | |
358 | | /* put a list of allowed types */ |
359 | 0 | typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */ |
360 | |
|
361 | 0 | if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
362 | 0 | buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); |
363 | 0 | if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
364 | 0 | buf_putbyte(typebuf, ','); |
365 | 0 | } |
366 | 0 | } |
367 | | |
368 | 0 | if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
369 | 0 | buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); |
370 | 0 | } |
371 | |
|
372 | 0 | buf_putbufstring(ses.writepayload, typebuf); |
373 | |
|
374 | 0 | TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, |
375 | 0 | typebuf->len, typebuf->data)) |
376 | |
|
377 | 0 | buf_free(typebuf); |
378 | |
|
379 | 0 | buf_putbyte(ses.writepayload, partial ? 1 : 0); |
380 | 0 | encrypt_packet(); |
381 | |
|
382 | 0 | if (incrfail) { |
383 | | /* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to |
384 | | avoid user enumeration and slow brute force attempts. |
385 | | The delay is adjusted by the time already spent in processing |
386 | | authentication (ses.authstate.auth_starttime timestamp). */ |
387 | | |
388 | | /* Desired total delay 300ms +-50ms (in nanoseconds). |
389 | | Beware of integer overflow if increasing these values */ |
390 | 0 | const uint32_t mindelay = 250000000; |
391 | 0 | const uint32_t vardelay = 100000000; |
392 | 0 | uint32_t rand_delay; |
393 | 0 | struct timespec delay; |
394 | |
|
395 | 0 | gettime_wrapper(&delay); |
396 | 0 | delay.tv_sec -= ses.authstate.auth_starttime.tv_sec; |
397 | 0 | delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec; |
398 | | |
399 | | /* carry */ |
400 | 0 | if (delay.tv_nsec < 0) { |
401 | 0 | delay.tv_nsec += 1000000000; |
402 | 0 | delay.tv_sec -= 1; |
403 | 0 | } |
404 | |
|
405 | 0 | genrandom((unsigned char*)&rand_delay, sizeof(rand_delay)); |
406 | 0 | rand_delay = mindelay + (rand_delay % vardelay); |
407 | |
|
408 | 0 | if (delay.tv_sec == 0 && delay.tv_nsec <= rand_delay) { |
409 | | /* Compensate for elapsed time */ |
410 | 0 | delay.tv_nsec = rand_delay - delay.tv_nsec; |
411 | 0 | } else { |
412 | | /* No time left or time went backwards, just delay anyway */ |
413 | 0 | delay.tv_sec = 0; |
414 | 0 | delay.tv_nsec = rand_delay; |
415 | 0 | } |
416 | | |
417 | |
|
418 | 0 | #if DROPBEAR_FUZZ |
419 | 0 | if (!fuzz.fuzzing) |
420 | 0 | #endif |
421 | 0 | { |
422 | 0 | while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ } |
423 | 0 | } |
424 | |
|
425 | 0 | ses.authstate.failcount++; |
426 | 0 | } |
427 | |
|
428 | 0 | if (ses.authstate.failcount > svr_opts.maxauthtries) { |
429 | 0 | char * userstr; |
430 | | /* XXX - send disconnect ? */ |
431 | 0 | TRACE(("Max auth tries reached, exiting")) |
432 | |
|
433 | 0 | if (ses.authstate.pw_name == NULL) { |
434 | 0 | userstr = "is invalid"; |
435 | 0 | } else { |
436 | 0 | userstr = ses.authstate.pw_name; |
437 | 0 | } |
438 | 0 | dropbear_exit("Max auth tries reached - user '%s'", |
439 | 0 | userstr); |
440 | 0 | } |
441 | | |
442 | 0 | TRACE(("leave send_msg_userauth_failure")) |
443 | 0 | } |
444 | | |
445 | | /* Send a success message to the user, and set the "authdone" flag */ |
446 | 0 | void send_msg_userauth_success() { |
447 | |
|
448 | 0 | TRACE(("enter send_msg_userauth_success")) |
449 | |
|
450 | 0 | CHECKCLEARTOWRITE(); |
451 | |
|
452 | 0 | buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS); |
453 | 0 | encrypt_packet(); |
454 | | |
455 | | /* authdone must be set after encrypt_packet() for |
456 | | * delayed-zlib mode */ |
457 | 0 | ses.authstate.authdone = 1; |
458 | |
|
459 | 0 | #if DROPBEAR_SVR_DROP_PRIVS |
460 | | /* Drop privileges as soon as authentication has happened. */ |
461 | 0 | svr_switch_user(); |
462 | | |
463 | | /* If running as the user, we can rely on the OS |
464 | | * to limit allowed ports */ |
465 | 0 | ses.allowprivport = 1; |
466 | | #else |
467 | | if (ses.authstate.pw_uid == 0) { |
468 | | ses.allowprivport = 1; |
469 | | } |
470 | | #endif |
471 | | |
472 | | /* Remove from the list of pre-auth sockets. Should be m_close(), since if |
473 | | * we fail, we might end up leaking connection slots, and disallow new |
474 | | * logins - a nasty situation. */ |
475 | 0 | m_close(svr_ses.childpipe); |
476 | |
|
477 | 0 | TRACE(("leave send_msg_userauth_success")) |
478 | |
|
479 | 0 | } |
480 | | |
481 | | #if DROPBEAR_SVR_DROP_PRIVS |
482 | | /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
483 | 0 | static int utmp_gid(gid_t *ret_gid) { |
484 | 0 | struct group *utmp_gr = getgrnam("utmp"); |
485 | 0 | if (!utmp_gr) { |
486 | 0 | TRACE(("No utmp group")); |
487 | 0 | return DROPBEAR_FAILURE; |
488 | 0 | } |
489 | | |
490 | 0 | *ret_gid = utmp_gr->gr_gid; |
491 | 0 | return DROPBEAR_SUCCESS; |
492 | 0 | } |
493 | | #endif |
494 | | |
495 | | /* Switch to the ses.authstate user. |
496 | | * Fails if not running as root and the user differs. |
497 | | * |
498 | | * This may be called either after authentication, or |
499 | | * after shell/command fork if DROPBEAR_SVR_DROP_PRIVS is unset. |
500 | | */ |
501 | 0 | void svr_switch_user(void) { |
502 | 0 | assert(ses.authstate.authdone); |
503 | | |
504 | | /* We can only change uid/gid as root ... */ |
505 | 0 | if (getuid() == 0) { |
506 | |
|
507 | 0 | if ((setgid(ses.authstate.pw_gid) < 0) || |
508 | 0 | (initgroups(ses.authstate.pw_name, |
509 | 0 | ses.authstate.pw_gid) < 0)) { |
510 | 0 | dropbear_exit("Error changing user group"); |
511 | 0 | } |
512 | | |
513 | 0 | #if DROPBEAR_SVR_DROP_PRIVS |
514 | | /* Retain utmp saved group so that wtmp/utmp can be written */ |
515 | 0 | int ret = utmp_gid(&svr_ses.utmp_gid); |
516 | 0 | if (ret == DROPBEAR_SUCCESS) { |
517 | | /* Set saved gid to utmp so that it can be |
518 | | * restored for login_logout() etc. This saved |
519 | | * group is cleared by the OS on execve() */ |
520 | 0 | int rc = setresgid(-1, -1, svr_ses.utmp_gid); |
521 | 0 | if (rc == 0) { |
522 | 0 | svr_ses.have_utmp_gid = 1; |
523 | 0 | } else { |
524 | | /* Will not attempt to switch to utmp gid. |
525 | | * login() etc may fail. */ |
526 | 0 | TRACE(("utmp setresgid failed")); |
527 | 0 | } |
528 | 0 | } |
529 | 0 | #endif |
530 | |
|
531 | 0 | if (setuid(ses.authstate.pw_uid) < 0) { |
532 | 0 | dropbear_exit("Error changing user"); |
533 | 0 | } |
534 | 0 | } else { |
535 | | /* ... but if the daemon is the same uid as the requested uid, we don't |
536 | | * need to */ |
537 | | |
538 | | /* XXX - there is a minor issue here, in that if there are multiple |
539 | | * usernames with the same uid, but differing groups, then the |
540 | | * differing groups won't be set (as with initgroups()). The solution |
541 | | * is for the sysadmin not to give out the UID twice */ |
542 | 0 | if (getuid() != ses.authstate.pw_uid) { |
543 | 0 | dropbear_exit("Couldn't change user as non-root"); |
544 | 0 | } |
545 | 0 | } |
546 | 0 | } |
547 | | |
548 | 0 | void svr_raise_gid_utmp(void) { |
549 | 0 | #if DROPBEAR_SVR_DROP_PRIVS |
550 | 0 | if (!svr_ses.have_utmp_gid) { |
551 | 0 | return; |
552 | 0 | } |
553 | | |
554 | 0 | if (setegid(svr_ses.utmp_gid) != 0) { |
555 | 0 | dropbear_log(LOG_WARNING, "failed setegid"); |
556 | 0 | } |
557 | 0 | #endif |
558 | 0 | } |
559 | | |
560 | 0 | void svr_restore_gid(void) { |
561 | 0 | #if DROPBEAR_SVR_DROP_PRIVS |
562 | 0 | if (!svr_ses.have_utmp_gid) { |
563 | 0 | return; |
564 | 0 | } |
565 | | |
566 | 0 | if (setegid(getgid()) != 0) { |
567 | | dropbear_log(LOG_WARNING, "failed setegid"); |
568 | 0 | } |
569 | 0 | #endif |
570 | 0 | } |