mkj
Non-privileged users can‘t login via dropbear
I have a issue, please help me!
I use the dropbear-DROBEAR_2024.86 library.
This is the account information in my system. The adm account can be logged in through dropbear, but both the sheyj and wumj accounts fail to execute
chown (tty_name, (uid_t) 0, (gid_t) 0)
in the pty_release function of sshpty. c when logging in due to lack of permission. From the log, it can be seen that PAM verification has been successful.
My dropbear is running as the root user:
May I ask how to solve this problem?
I understand the reason now. It was because after generating the pseudo terminal, Dropbear changed its permissions, so I deleted these codes。
diff --git a/router/dropbear-DROPBEAR_2024.86/src/svr-agentfwd.c b/router/dropbear-DROPBEAR_2024.86/src/svr-agentfwd.c
index a8941ea64..eb15c8cde 100644
--- a/router/dropbear-DROPBEAR_2024.86/src/svr-agentfwd.c
+++ b/router/dropbear-DROPBEAR_2024.86/src/svr-agentfwd.c
@@ -154,12 +154,14 @@ void svr_agentcleanup(struct ChanSess * chansess) {
#if DROPBEAR_SVR_MULTIUSER
/* Remove the dir as the user. That way they can't cause problems except
* for themselves */
+#if 0
uid = getuid();
gid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+#endif
#endif
/* 2 for "/" and "\0" */
@@ -173,10 +175,12 @@ void svr_agentcleanup(struct ChanSess * chansess) {
rmdir(chansess->agentdir);
#if DROPBEAR_SVR_MULTIUSER
+#if 0
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+#endif
#endif
m_free(chansess->agentfile);
@@ -221,12 +225,14 @@ static int bindagent(int fd, struct ChanSess * chansess) {
#if DROPBEAR_SVR_MULTIUSER
/* drop to user privs to make the dir/file */
+#if 0
uid = getuid();
gid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+#endif
#endif
memset((void*)&addr, 0x0, sizeof(addr));
@@ -268,10 +274,12 @@ bindsocket:
out:
#if DROPBEAR_SVR_MULTIUSER
+#if 0
if ((seteuid(uid)) < 0 ||
(setegid(gid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+#endif
#endif
return ret;
}
diff --git a/router/dropbear-DROPBEAR_2024.86/src/svr-authpubkey.c b/router/dropbear-DROPBEAR_2024.86/src/svr-authpubkey.c
index 5d298cb71..926cfff5a 100644
--- a/router/dropbear-DROPBEAR_2024.86/src/svr-authpubkey.c
+++ b/router/dropbear-DROPBEAR_2024.86/src/svr-authpubkey.c
@@ -451,12 +451,14 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
#if DROPBEAR_SVR_MULTIUSER
/* access the file as the authenticating user. */
+#if 0
origuid = getuid();
origgid = getgid();
if ((setegid(ses.authstate.pw_gid)) < 0 ||
(seteuid(ses.authstate.pw_uid)) < 0) {
dropbear_exit("Failed to set euid");
}
+#endif
#endif
/* check file permissions, also whether file exists */
if (checkpubkeyperms() == DROPBEAR_FAILURE) {
@@ -477,10 +479,12 @@ static int checkpubkey(const char* keyalgo, unsigned int keyalgolen,
}
}
#if DROPBEAR_SVR_MULTIUSER
+#if 0
if ((seteuid(origuid)) < 0 ||
(setegid(origgid)) < 0) {
dropbear_exit("Failed to revert euid");
}
+#endif
#endif
if (authfile == NULL) {
diff --git a/router/dropbear-DROPBEAR_2024.86/src/svr-chansession.c b/router/dropbear-DROPBEAR_2024.86/src/svr-chansession.c
index 2ca6fc141..fcbc39704 100644
--- a/router/dropbear-DROPBEAR_2024.86/src/svr-chansession.c
+++ b/router/dropbear-DROPBEAR_2024.86/src/svr-chansession.c
@@ -983,7 +983,8 @@ static void execchild(const void *user_data) {
#if DROPBEAR_SVR_MULTIUSER
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
-
+#if 0
+ /* Don't change uid/gid as root ... */
if ((setgid(ses.authstate.pw_gid) < 0) ||
(initgroups(ses.authstate.pw_name,
ses.authstate.pw_gid) < 0)) {
@@ -992,6 +993,7 @@ static void execchild(const void *user_data) {
if (setuid(ses.authstate.pw_uid) < 0) {
dropbear_exit("Error changing user");
}
+#endif
} else {
/* ... but if the daemon is the same uid as the requested uid, we don't
* need to */
If dropbear is running as root then I'm surprised it can't chown - could there be selinux or apparmor or something similar blocking it? What OS is it running on?
On a Linux system with /dev/pts then usually I'd expect the tty file to be deleted before that pty_release chown attempt anyway so it'll return ENOENT which gets ignored. Though it's possible that if there are background programs still running on logout that they might have the tty open - I'm not certain when it is removed in that case.
