Allow user space file locations (rootless support)

Why: Running dropbear as a user (rootless) is aided if files and programs can be saved/removed without needing sudo. What: Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY; if not starting with '/', then is relative to hedge's /home/hedge: *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH default_options.h commentary added. Changes kept to a minimum, so log entry in svr_kex.c#163 is refactored. From: Generated hostkey is <path> ... <finger-print> to: Generated hostkey path is <path> Generated hostkey fingerprint is <fp> Otherwise the unexpanded path was reported. Patch modified by Matt Johnston Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
author: Begley Brothers Inc <begleybrothers@gmail.com> 2020-07-09 17:47:58 +1000
committer: Begley Brothers Inc <begleybrothers@gmail.com> 2020-07-09 17:47:58 +1000
commit: 8fc548ade2b33db631d11177d23f81d12e18b443 (patch)
tree: 1725b195f5abd6f5982c29dcce960a35f12c1b16
parent: 9ec651ee0c6b79efe3e53df7c390bb6f7f7e9c71 (diff)
download: dropbear-8fc548ade2b33db631d11177d23f81d12e18b443.tar.gz
5 files changed, 42 insertions, 19 deletions
diff --git a/CHANGES b/CHANGES
index 42095c8..397a653 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+- The following config paths are now relative to a home directory if
+  starting with "~". Thanks to Begley Brothers Inc
+  *_PRIV_FILENAME
+  DROPBEAR_PIDFILE
+  SFTPSERVER_PATH
+  MOTD_FILENAME
+
 2020.81 - 29 October 2020
 
 - Fix regression in 2020.79 which prevented connecting with some SSH 
diff --git a/default_options.h b/default_options.h
index 131811f..b01c159 100644
--- a/default_options.h
+++ b/default_options.h
@@ -18,7 +18,9 @@ IMPORTANT: Some options will require "make clean" after changes */
 /* Listen on all interfaces */
 #define DROPBEAR_DEFADDRESS ""
 
-/* Default hostkey paths - these can be specified on the command line */
+/* Default hostkey paths - these can be specified on the command line.
+ * Homedir is prepended if path begins with ~
+ */
 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
@@ -231,9 +233,10 @@ group1 in Dropbear server too */
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 
-/* A default argument for dbclient -i <privatekey>. 
-Homedir is prepended unless path begins with / */
-#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
+/* A default argument for dbclient -i <privatekey>.
+ * Homedir is prepended if path begins with ~
+ */
+#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear"
 
 /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
  * environment variable. */
@@ -275,7 +278,9 @@ Homedir is prepended unless path begins with / */
 #define UNAUTH_CLOSE_DELAY 0
 
 /* The default file to store the daemon's process ID, for shutdown
-   scripts etc. This can be overridden with the -P flag */
+ * scripts etc. This can be overridden with the -P flag.
+ * Homedir is prepended if path begins with ~
+ */
 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
 
 /* The command to invoke for xauth when using X11 forwarding.
@@ -283,9 +288,11 @@ Homedir is prepended unless path begins with / */
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 
 
-/* if you want to enable running an sftp server (such as the one included with
+/* If you want to enable running an sftp server (such as the one included with
  * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. 
- * The sftp-server program is not provided by Dropbear itself */
+ * The sftp-server program is not provided by Dropbear itself.
+ * Homedir is prepended if path begins with ~
+ */
 #define DROPBEAR_SFTPSERVER 1
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
 
diff --git a/svr-chansession.c b/svr-chansession.c
index 71e0e46..0e86fb4 100644
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -685,8 +685,10 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
 		if (issubsys) {
 #if DROPBEAR_SFTPSERVER
 			if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) {
+				char *expand_path = expand_homedir_path(SFTPSERVER_PATH);
 				m_free(chansess->cmd);
-				chansess->cmd = m_strdup(SFTPSERVER_PATH);
+				chansess->cmd = m_strdup(expand_path);
+				m_free(expand_path);
 			} else 
 #endif
 			{
diff --git a/svr-kex.c b/svr-kex.c
index df1008b..7d0f12c 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -106,6 +106,7 @@ void recv_msg_kexdh_init() {
 static void svr_ensure_hostkey() {
 
 	const char* fn = NULL;
+	char *expand_fn = NULL;
 	enum signkey_type type = ses.newkeys->algo_hostkey;
 	void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
 	int ret = DROPBEAR_FAILURE;
@@ -142,15 +143,19 @@ static void svr_ensure_hostkey() {
 			dropbear_assert(0);
 	}
 
-	if (readhostkey(fn, svr_opts.hostkey, &type) == DROPBEAR_SUCCESS) {
-		return;
+	expand_fn = expand_homedir_path(fn);
+
+	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
+	if (ret == DROPBEAR_SUCCESS) {
+		goto out;
 	}
 
-	if (signkey_generate(type, 0, fn, 1) == DROPBEAR_FAILURE) {
+	if (signkey_generate(type, 0, expand_fn, 1) == DROPBEAR_FAILURE) {
 		goto out;
 	}
 	
-	ret = readhostkey(fn, svr_opts.hostkey, &type);
+	/* Read what we just generated (or another process raced us) */
+	ret = readhostkey(expand_fn, svr_opts.hostkey, &type);
 
 	if (ret == DROPBEAR_SUCCESS) {
 		char *fp = NULL;
@@ -161,16 +166,16 @@ static void svr_ensure_hostkey() {
 		len = key_buf->len - key_buf->pos;
 		fp = sign_key_fingerprint(buf_getptr(key_buf, len), len);
 		dropbear_log(LOG_INFO, "Generated hostkey %s, fingerprint is %s",
-			fn, fp);
+			expand_fn, fp);
 		m_free(fp);
 		buf_free(key_buf);
 	}
 
 out:
-	if (ret == DROPBEAR_FAILURE)
-	{
-		dropbear_exit("Couldn't read or generate hostkey %s", fn);
+	if (ret == DROPBEAR_FAILURE) {
+		dropbear_exit("Couldn't read or generate hostkey %s", expand_fn);
 	}
+    m_free(expand_fn);
 }
 #endif
 	
diff --git a/svr-runopts.c b/svr-runopts.c
index 301d68c..dbb24b3 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -163,7 +163,7 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.portcount = 0;
 	svr_opts.hostkey = NULL;
 	svr_opts.delay_hostkey = 0;
-	svr_opts.pidfile = DROPBEAR_PIDFILE;
+	svr_opts.pidfile = expand_homedir_path(DROPBEAR_PIDFILE);
 #if DROPBEAR_SVR_LOCALTCPFWD
 	svr_opts.nolocaltcp = 0;
 #endif
@@ -530,12 +530,14 @@ static void loadhostkey_helper(const char *name, void** src, void** dst, int fat
 /* Must be called after syslog/etc is working */
 static void loadhostkey(const char *keyfile, int fatal_duplicate) {
 	sign_key * read_key = new_sign_key();
+	char *expand_path = expand_homedir_path(keyfile);
 	enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
-	if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) {
+	if (readhostkey(expand_path, read_key, &type) == DROPBEAR_FAILURE) {
 		if (!svr_opts.delay_hostkey) {
-			dropbear_log(LOG_WARNING, "Failed loading %s", keyfile);
+			dropbear_log(LOG_WARNING, "Failed loading %s", expand_path);
 		}
 	}
+	m_free(expand_path);
 
 #if DROPBEAR_RSA
 	if (type == DROPBEAR_SIGNKEY_RSA) {
author	Begley Brothers Inc <begleybrothers@gmail.com>	2020-07-09 17:47:58 +1000
committer	Begley Brothers Inc <begleybrothers@gmail.com>	2020-07-09 17:47:58 +1000
commit	8fc548ade2b33db631d11177d23f81d12e18b443 (patch)
tree	1725b195f5abd6f5982c29dcce960a35f12c1b16
parent	9ec651ee0c6b79efe3e53df7c390bb6f7f7e9c71 (diff)
download	dropbear-8fc548ade2b33db631d11177d23f81d12e18b443.tar.gz