diff --git a/loginrec.c b/loginrec.c index 14b8090f7443694bad4ede9d7bae6a3343c34037..d6ec75fea0319280251525adfc6b3f8fcf7d32be 100644 --- a/loginrec.c +++ b/loginrec.c @@ -329,8 +329,6 @@ login_write (struct logininfo *li) { #ifndef HAVE_CYGWIN if ((int)geteuid() != 0) { - dropbear_log(LOG_WARNING, - "Attempt to write login records by non-root user (aborting)"); return 1; } #endif diff --git a/svr-auth.c b/svr-auth.c index 404232e55812279472c664317fd7dd1602bbc5f8..19126609055305779504b1401905870d76eded3b 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -226,6 +226,7 @@ static int checkusername(unsigned char *username, unsigned int userlen) { char* listshell = NULL; char* usershell = NULL; + int uid; TRACE(("enter checkusername")) if (userlen > MAX_USERNAME_LEN) { return DROPBEAR_FAILURE; @@ -255,6 +256,18 @@ static int checkusername(unsigned char *username, unsigned int userlen) { return DROPBEAR_FAILURE; } + /* check if we are running as non-root, and login user is different from the server */ + uid = geteuid(); + if (uid != 0 && uid != ses.authstate.pw_uid) { + TRACE(("running as nonroot, only server uid is allowed")) + dropbear_log(LOG_WARNING, + "Login attempt with wrong user %s from %s", + ses.authstate.pw_name, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + return DROPBEAR_FAILURE; + } + /* check for non-root if desired */ if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { TRACE(("leave checkusername: root login disabled"))