X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/bcfd578c6d587a7512d4edb16791cd51804817bd..a70dfa855078da8c1447e7cf934fe2f67c9d31c7:/package/dropbear/patches/100-pubkey_path.patch diff --git a/package/dropbear/patches/100-pubkey_path.patch b/package/dropbear/patches/100-pubkey_path.patch index 4adda38b2..c1802f51e 100644 --- a/package/dropbear/patches/100-pubkey_path.patch +++ b/package/dropbear/patches/100-pubkey_path.patch @@ -1,64 +1,46 @@ -diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c ---- dropbear.old/svr-authpubkey.c 2005-12-09 06:42:33.000000000 +0100 -+++ dropbear.dev/svr-authpubkey.c 2005-12-12 01:35:32.139358750 +0100 -@@ -155,7 +155,6 @@ - unsigned char* keyblob, unsigned int keybloblen) { - - FILE * authfile = NULL; -- char * filename = NULL; - int ret = DROPBEAR_FAILURE; - buffer * line = NULL; - unsigned int len, pos; -@@ -176,17 +175,8 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al goto out; } - /* we don't need to check pw and pw_dir for validity, since - * its been done in checkpubkeyperms. */ -- len = strlen(ses.authstate.pw->pw_dir); +- len = strlen(ses.authstate.pw_dir); - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - filename = m_malloc(len + 22); - snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -- ses.authstate.pw->pw_dir); +- ses.authstate.pw_dir); - - /* open the file */ +- /* open the file */ - authfile = fopen(filename, "r"); -+ authfile = fopen("/etc/dropbear/authorized_keys", "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } if (authfile == NULL) { goto out; } -@@ -247,7 +237,6 @@ - if (line) { - buf_free(line); - } -- m_free(filename); - TRACE(("leave checkpubkey: ret=%d", ret)) - return ret; - } -@@ -255,12 +244,11 @@ - - /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok, - * DROPBEAR_FAILURE otherwise. -- * Checks that the user's homedir, ~/.ssh, and -- * ~/.ssh/authorized_keys are all owned by either root or the user, and are -+ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys -+ * are all owned by either root or the user, and are - * g-w, o-w */ - static int checkpubkeyperms() { - -- char* filename = NULL; - int ret = DROPBEAR_FAILURE; - unsigned int len; - -@@ -274,25 +262,11 @@ +@@ -372,26 +376,35 @@ static int checkpubkeyperms() { goto out; } - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - filename = m_malloc(len + 22); -- strncpy(filename, ses.authstate.pw->pw_dir, len+1); +- strncpy(filename, ses.authstate.pw_dir, len+1); - - /* check ~ */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { @@ -68,22 +50,42 @@ diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c - /* check ~/.ssh */ - strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { - goto out; - } - +- goto out; +- } +- - /* now check ~/.ssh/authorized_keys */ - strncat(filename, "/authorized_keys", 16); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { - goto out; +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } } -@@ -300,7 +274,6 @@ - ret = DROPBEAR_SUCCESS; - - out: -- m_free(filename); - - TRACE(("leave checkpubkeyperms")) - return ret; + /* file looks ok, return success */