[openwrt/openwrt] dropbear: relax path permission checks for authorized keys

LEDE Commits lede-commits at lists.infradead.org
Thu Aug 7 07:48:10 PDT 2025 

hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/68e5f46899eb3e0faa78dca698a1ee60691412fe

commit 68e5f46899eb3e0faa78dca698a1ee60691412fe
Author: Konstantin Demin <rockdrilla at gmail.com>
AuthorDate: Thu Jul 31 16:24:09 2025 +0300

    dropbear: relax path permission checks for authorized keys
    
    Check permissions of correct folder for certificates too.
    
    Fixes: bbe4d6ddb2a9 ("dropbear: bump to 2025.88")
    Signed-off-by: Konstantin Demin <rockdrilla at gmail.com>
    Link: https://github.com/openwrt/openwrt/pull/19611
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/network/services/dropbear/Makefile         |  2 +-
 .../patches/050-dropbear-multihop-fix.patch        | 17 ++--
 .../dropbear/patches/100-pubkey_path.patch         | 93 ++++++++++++++++------
 3 files changed, 79 insertions(+), 33 deletions(-)

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index dcf67c8400..87b1a2459f 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2025.88
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
index bde2dda066..d8d6ff18c9 100644
--- a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
+++ b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
@@ -1,15 +1,16 @@
-Author: Konstantin Demin <rockdrilla at gmail.com>
+From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla at gmail.com>
+Date: Fri, 9 May 2025 22:39:35 +0300
 Subject: Fix proxycmd without netcat
 
-Fixes commit e5a0ef27c227 "Execute multihop commands directly, no shell"
+fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
 
+Signed-off-by: Konstantin Demin <rockdrilla at gmail.com>
 Forwarded: https://github.com/mkj/dropbear/pull/363
-
+---
  src/cli-main.c | 12 +++++++++++-
  1 file changed, 11 insertions(+), 1 deletion(-)
 
-diff --git a/src/cli-main.c b/src/cli-main.c
-index 2fafa88900..0a052a3512 100644
 --- a/src/cli-main.c
 +++ b/src/cli-main.c
 @@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
@@ -25,7 +26,7 @@ index 2fafa88900..0a052a3512 100644
  		cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
  		if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
  			signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
-@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *
  	dropbear_exit("Failed to run '%s'\n", cmd);
  }
  
@@ -39,7 +40,7 @@ index 2fafa88900..0a052a3512 100644
  
  static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
  	char * cmd_arg = NULL;
-@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in,
  		cmd_arg = m_malloc(shell_cmdlen);
  		snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
  		exec_fn = shell_proxy_cmd;
@@ -51,7 +52,7 @@ index 2fafa88900..0a052a3512 100644
  	}
  
  	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
-@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in,
  cleanup:
  	m_free(cli_opts.proxycmd);
  	m_free(cmd_arg);
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index 307762fec0..5aafdffe67 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,29 +1,55 @@
+ src/svr-authpubkey.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 55 insertions(+), 4 deletions(-)
+
 --- a/src/svr-authpubkey.c
 +++ b/src/svr-authpubkey.c
-@@ -435,20 +435,45 @@ out:
- /* Returns the full path to the user's authorized_keys file in an
-  * allocated string which caller must free. */
- static char *authorized_keys_filepath() {
-+	static const char * const global_authkeys_dir = "/etc/dropbear";
-+	/* strlen(global_authkeys_dir) */
-+	#define  n_global_authkeys_dir  13
-+	static const char * const authkeys_file = "authorized_keys";
-+	/* strlen(authkeys_file) */
-+	#define  n_authkeys_file  15
+@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons
+ 		const unsigned char* keyblob, unsigned int keybloblen);
+ static int checkfileperm(char * filename);
+ 
++static const char * const global_authkeys_dir = "/etc/dropbear";
++/* strlen(global_authkeys_dir) */
++#define  n_global_authkeys_dir  13
++static const char * const authkeys_file = "authorized_keys";
++/* strlen(authkeys_file) */
++#define  n_authkeys_file  15
++
++/* OpenWrt-specific:
++   use OpenWrt' global authorized keys directory if:
++   1. logging as uid 0 (typically root).
++   2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified
++      OR
++      "-D" option is specified as homedir-relative path ("~" or "~/...")
++      OR
++      "-D" option is specified as "/etc/dropbear".
++ */
++static int is_openwrt_defaults(void) {
++	if (ses.authstate.pw_uid != 0) return 0;
++	switch (svr_opts.authorized_keys_dir[0]) {
++		case '~':
++			switch (svr_opts.authorized_keys_dir[1]) {
++				case 0:
++					return 1;
++				case '/':
++					return 1;
++			}
++			break;
++		case '/':
++			return (strcmp(svr_opts.authorized_keys_dir, global_authkeys_dir) == 0);
++	}
++	return 0;
++}
 +
+ /* process a pubkey auth request, sending success or failure message as
+  * appropriate */
+ void svr_auth_pubkey(int valid_user) {
+@@ -439,16 +472,22 @@ out:
+ static char *authorized_keys_filepath() {
  	size_t len = 0;
  	char *pathname = NULL, *dir = NULL;
 -	const char *filename = "authorized_keys";
 +
-+	/* OpenWrt-specific:
-+	   use OpenWrt' global authorized keys directory if:
-+	   1. logging as uid 0 (typically root)
-+	   2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified
-+	 */
-+	while (1) {
-+		if (ses.authstate.pw_uid != 0) break;
-+		if (svr_opts.authorized_keys_dir[0] == '/') break;
-+
++	if (is_openwrt_defaults()) {
 +		len = n_global_authkeys_dir + n_authkeys_file + 2;
 +		pathname = m_malloc(len);
 +		snprintf(pathname, len, "%s/%s", global_authkeys_dir, authkeys_file);
@@ -42,10 +68,29 @@
 +	snprintf(pathname, len, "%s/%s", dir, authkeys_file);
  	m_free(dir);
  	return pathname;
-+
-+	/* not needed anymore */
-+	#undef  n_global_authkeys_dir
-+	#undef  n_authkeys_file
  }
+@@ -549,11 +588,23 @@ out:
+  * When this path is inside the user's home dir it checks up to and including
+  * the home dir, otherwise it checks every path component. */
+ static int checkpubkeyperms() {
+-	char *path = authorized_keys_filepath(), *sep = NULL;
++	char *path = NULL, *sep = NULL;
+ 	int ret = DROPBEAR_SUCCESS;
  
- /* Checks whether a specified publickey (and associated algorithm) is an
++	if (is_openwrt_defaults()) {
++		TRACE(("enter checkpubkeyperms/openwrt"))
++		if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
++			TRACE(("checkpubkeyperms: bad perm on %s", global_authkeys_dir))
++			ret = DROPBEAR_FAILURE;
++		}
++		TRACE(("leave checkpubkeyperms/openwrt"))
++		return ret;
++	}
++
+ 	TRACE(("enter checkpubkeyperms"))
+ 
++	path = authorized_keys_filepath();
++
+ 	/* Walk back up path checking permissions, stopping at either homedir,
+ 	 * or root if the path is outside of the homedir. */
+ 	while ((sep = strrchr(path, '/')) != NULL) {

More information about the lede-commits mailing list