From 68e5f46899eb3e0faa78dca698a1ee60691412fe Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Thu, 31 Jul 2025 16:24:09 +0300 Subject: [PATCH] dropbear: relax path permission checks for authorized keys Check permissions of correct folder for certificates too. Fixes: bbe4d6ddb2a9 ("dropbear: bump to 2025.88") Signed-off-by: Konstantin Demin Link: https://github.com/openwrt/openwrt/pull/19611 Signed-off-by: Hauke Mehrtens --- package/network/services/dropbear/Makefile | 2 +- .../patches/050-dropbear-multihop-fix.patch | 17 ++-- .../dropbear/patches/100-pubkey_path.patch | 93 ++++++++++++++----- 3 files changed, 79 insertions(+), 33 deletions(-) diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index dcf67c8400d..87b1a2459f0 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear PKG_VERSION:=2025.88 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ diff --git a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch index bde2dda066b..d8d6ff18c98 100644 --- a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch +++ b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch 
@@ -1,15 +1,16 @@ -Author: Konstantin Demin +From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001 +From: Konstantin Demin +Date: Fri, 9 May 2025 22:39:35 +0300 Subject: Fix proxycmd without netcat -Fixes commit e5a0ef27c227 "Execute multihop commands directly, no shell" +fixes e5a0ef27c2 "Execute multihop commands directly, no shell" +Signed-off-by: Konstantin Demin Forwarded: https://github.com/mkj/dropbear/pull/363 - +--- src/cli-main.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) -diff --git a/src/cli-main.c b/src/cli-main.c -index 2fafa88900..0a052a3512 100644 --- a/src/cli-main.c +++ b/src/cli-main.c @@ -77,7 +77,11 @@ int main(int argc, char ** argv) { @@ -25,7 +26,7 @@ index 2fafa88900..0a052a3512 100644 cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || -@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) { +@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void * dropbear_exit("Failed to run '%s'\n", cmd); } @@ -39,7 +40,7 @@ index 2fafa88900..0a052a3512 100644 static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { char * cmd_arg = NULL; -@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { +@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, cmd_arg = m_malloc(shell_cmdlen); snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); exec_fn = shell_proxy_cmd; @@ -51,7 +52,7 @@ index 2fafa88900..0a052a3512 100644 } ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out); -@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { +@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, cleanup: m_free(cli_opts.proxycmd); m_free(cmd_arg); 
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 307762fec01..5aafdffe67b 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,29 +1,55 @@ + src/svr-authpubkey.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 55 insertions(+), 4 deletions(-) + --- a/src/svr-authpubkey.c 
+++ b/src/svr-authpubkey.c -@@ -435,20 +435,45 @@ out: - /* Returns the full path to the user's authorized_keys file in an - * allocated string which caller must free. */ - static char *authorized_keys_filepath() { -+ static const char * const global_authkeys_dir = "/etc/dropbear"; -+ /* strlen(global_authkeys_dir) */ -+ #define n_global_authkeys_dir 13 -+ static const char * const authkeys_file = "authorized_keys"; -+ /* strlen(authkeys_file) */ -+ #define n_authkeys_file 15 +@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons + const unsigned char* keyblob, unsigned int keybloblen); + static int checkfileperm(char * filename); + ++static const char * const global_authkeys_dir = "/etc/dropbear"; ++/* strlen(global_authkeys_dir) */ ++#define n_global_authkeys_dir 13 ++static const char * const authkeys_file = "authorized_keys"; ++/* strlen(authkeys_file) */ ++#define n_authkeys_file 15 ++ ++/* OpenWrt-specific: ++ use OpenWrt' global authorized keys directory if: ++ 1. logging as uid 0 (typically root). ++ 2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified ++ OR ++ "-D" option is specified as homedir-relative path ("~" or "~/...") ++ OR ++ "-D" option is specified as "/etc/dropbear". 
++ */ ++static int is_openwrt_defaults(void) { ++ if (ses.authstate.pw_uid != 0) return 0; ++ switch (svr_opts.authorized_keys_dir[0]) { ++ case '~': ++ switch (svr_opts.authorized_keys_dir[1]) { ++ case 0: ++ return 1; ++ case '/': ++ return 1; ++ } ++ break; ++ case '/': ++ return (strcmp(svr_opts.authorized_keys_dir, global_authkeys_dir) == 0); ++ } ++ return 0; ++} + + /* process a pubkey auth request, sending success or failure message as + * appropriate */ + void svr_auth_pubkey(int valid_user) { +@@ -439,16 +472,22 @@ out: + static char *authorized_keys_filepath() { size_t len = 0; char *pathname = NULL, *dir = NULL; - const char *filename = "authorized_keys"; + -+ /* OpenWrt-specific: -+ use OpenWrt' global authorized keys directory if: -+ 1. logging as uid 0 (typically root) -+ 2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified -+ */ -+ while (1) { -+ if (ses.authstate.pw_uid != 0) break; -+ if (svr_opts.authorized_keys_dir[0] == '/') break; -+ ++ if (is_openwrt_defaults()) { + len = n_global_authkeys_dir + n_authkeys_file + 2; + pathname = m_malloc(len); + snprintf(pathname, len, "%s/%s", global_authkeys_dir, authkeys_file); 
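Review bot: The byte counts `n_global_authkeys_dir 13` and `n_authkeys_file 15` are kept by hand next to the literals they describe, and they now sit at file scope in svr-authpubkey.c, since the `#undef` lines are removed in the following hunk. If either string is edited without its count, `snprintf(pathname, len, ...)` in `authorized_keys_filepath` truncates silently and the server consults a different path than intended. Declaring the strings as arrays, `static const char global_authkeys_dir[] = "/etc/dropbear";`, lets the compiler supply the size: `len = sizeof(global_authkeys_dir) + sizeof(authkeys_file);`. The comment on `is_openwrt_defaults` should also note that the absolute form is matched with an exact `strcmp`, so `-D /etc/dropbear/` with a trailing slash falls through to the generic path handling. The body of `authorized_keys_filepath` continues past the end of this hunk.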
@@ -42,10 +68,29 @@ + snprintf(pathname, len, "%s/%s", dir, authkeys_file); m_free(dir); return pathname; -+ -+ /* not needed anymore */ -+ #undef n_global_authkeys_dir -+ #undef n_authkeys_file } +@@ -549,11 +588,23 @@ out: + * When this path is inside the user's home dir it checks up to and including + * the home dir, otherwise it checks every path component. */ + static int checkpubkeyperms() { +- char *path = authorized_keys_filepath(), *sep = NULL; ++ char *path = NULL, *sep = NULL; + int ret = DROPBEAR_SUCCESS; - /* Checks whether a specified publickey (and associated algorithm) is an ++ if (is_openwrt_defaults()) { ++ TRACE(("enter checkpubkeyperms/openwrt")) ++ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) { ++ TRACE(("checkpubkeyperms: bad perm on %s", global_authkeys_dir)) ++ ret = DROPBEAR_FAILURE; ++ } ++ TRACE(("leave checkpubkeyperms/openwrt")) ++ return ret; ++ } ++ + TRACE(("enter checkpubkeyperms")) + ++ path = authorized_keys_filepath(); ++ + /* Walk back up path checking permissions, stopping at either homedir, + * or root if the path is outside of the homedir. */ + while ((sep = strrchr(path, '/')) != NULL) { -- 2.47.2
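Review bot: The OpenWrt branch added to `checkpubkeyperms` returns after a single `checkfileperm(global_authkeys_dir)` call, so on this path neither `/etc/dropbear/authorized_keys` itself nor any parent component is checked. If skipping the parents is the intended relaxation, a comment in the branch should say so. The file that is actually read could still be covered with `path = authorized_keys_filepath();` followed by a second `checkfileperm(path)` and `m_free(path)` before the return, assuming `checkfileperm` accepts regular files (its body is not visible here). The call also passes a `const char * const` to the prototype `checkfileperm(char * filename)` shown earlier in the patch, which discards the qualifier; either cast at the call site or make the parameter `const char *`. The rest of `checkpubkeyperms`, including the generic walk, lies outside this hunk.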