Difuse/difos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

dropbear: adjust file permissions

Browse source 
runtime:
- adjust ownership/permissions while starting dropbear
build time:
- correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any)

closes #10849

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
This commit is contained in:
Konstantin Demin 2024-01-09 03:40:02 +03:00 committed by Rui Salvaterra
parent a97e0dad6e
commit 05100d8651
2 changed files with 95 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
package/network/services/dropbear/Makefile
View file

@ -70,10 +70,11 @@ define Package/dropbear/description
endef endef
define Package/dropbear/conffiles define Package/dropbear/conffiles
$(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
/etc/dropbear/dropbear_rsa_host_key
/etc/config/dropbear /etc/config/dropbear
/etc/dropbear/authorized_keys
/etc/dropbear/dropbear_ecdsa_host_key
/etc/dropbear/dropbear_ed25519_host_key
/etc/dropbear/dropbear_rsa_host_key
endef endef
define Package/dropbearconvert define Package/dropbearconvert
@ -227,9 +228,7 @@ define Package/dropbear/install
$(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/etc/dropbear
$(INSTALL_DIR) $(1)/lib/preinit $(INSTALL_DIR) $(1)/lib/preinit
$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) $(foreach f,$(filter /etc/dropbear/%,$(Package/dropbear/conffiles)),$(if $(wildcard $(TOPDIR)/files/$(f)),chmod 0600 $(TOPDIR)/files/$(f) || :; ))
$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
touch $(1)/etc/dropbear/dropbear_rsa_host_key
endef endef
define Package/dropbearconvert/install define Package/dropbearconvert/install

130
package/network/services/dropbear/files/dropbear.init
View file

@ -12,28 +12,52 @@ PIDCOUNT=0
extra_command "killclients" "Kill ${NAME} processes except servers and yourself" extra_command "killclients" "Kill ${NAME} processes except servers and yourself"
# most of time real_stat() will be failing
# due to missing "stat" binary (by default)
real_stat() { env stat -L "$@" 2>/dev/null ; }
dumb_stat() { ls -Ldln "$1" | tr -s '\t ' ' ' ; }
stat_perm() { real_stat -c '%A' "$1" || dumb_stat "$1" | cut -d ' ' -f 1 ; }
stat_owner() { real_stat -c '%u' "$1" || dumb_stat "$1" | cut -d ' ' -f 3 ; }
_dropbearkey() _dropbearkey()
{ {
/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&- /usr/bin/dropbearkey "$@" </dev/null >/dev/null 2>&1
} }
# $1 - host key file name # $1 - file name (host key or config)
hk_verify() file_verify()
{ {
[ -f "$1" ] || return 1 [ -f "$1" ] || return 1
[ -s "$1" ] || return 2 # checking file ownership
_dropbearkey -y -f "$1" || return 3 [ "$(stat_owner "$1")" = "0" ] || {
chown 0 "$1"
[ "$(stat_owner "$1")" = "0" ] || return 2
}
# checking file permissions
[ "$(stat_perm "$1")" = "-rw-------" ] || {
chmod 0600 "$1"
[ "$(stat_perm "$1")" = "-rw-------" ] || return 3
}
# file is host key or not?
# if $2 is empty string - file is "host key"
# if $2 is non-empty string - file is "config"
[ -z "$2" ] || return 0
# checking file contents (finally)
[ -s "$1" ] || return 4
_dropbearkey -y -f "$1" || return 5
return 0 return 0
} }
# $1 - hk_verify() return code # $1 - file_verify() return code
hk_errmsg() file_errmsg()
{ {
case "$1" in case "$1" in
0) ;; 0) ;;
1) echo "file does not exist" ;; 1) echo "file does not exist" ;;
2) echo "file has zero length" ;; 2) echo "file has wrong owner (must be owned by root)" ;;
3) echo "file is not valid host key or not supported" ;; 3) echo "file has wrong permissions (must not have group/other write bit)" ;;
4) echo "file has zero length" ;;
5) echo "file is not valid host key or not supported" ;;
*) echo "unknown error" ;; *) echo "unknown error" ;;
esac esac
} }
@ -43,58 +67,83 @@ hk_errmsg()
hk_config() hk_config()
{ {
local x m local x m
hk_verify "$2"; x=$? file_verify "$2" ; x=$?
case "$x" in if [ "$x" = 0 ] ; then
0) procd_append_param command -r "$2" procd_append_param command -r "$2"
;; return
*) m=$(hk_errmsg "$x") fi
logger -t "${NAME}" -p daemon.warn \ m=$(file_errmsg "$x")
"option '$1', value '$2': $m, skipping" logger -s -t "${NAME}" -p daemon.warn \
;; "Option '$1', skipping '$2': $m"
esac
} }
# $1 - host key file name # $1 - host key file name
hk_config__keyfile() hk_config__keyfile() { hk_config keyfile "$1" ; }
{
hk_config 'keyfile' "$1" ktype_all='ed25519 ecdsa rsa'
}
hk_generate_as_needed() hk_generate_as_needed()
{ {
local kdir kgen ktype tdir kcount tfile local hk_cfg_dir kgen ktype kfile hk_tmp_dir
kdir='/etc/dropbear' hk_cfg_dir='/etc/dropbear'
kgen='' [ -d "${hk_cfg_dir}" ] || mkdir -p "${hk_cfg_dir}"
for ktype in ed25519 ecdsa rsa; do
hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue
kgen="${kgen} ${ktype}" kgen=
for ktype in ${ktype_all} ; do
kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
if file_verify "${kfile}" ; then continue ; fi
kgen="${kgen}${kgen:+ }${ktype}"
done done
[ -z "${kgen}" ] && return # all keys are sane?
[ -n "${kgen}" ] || return 0
tdir=$(mktemp -d); chmod 0700 "${tdir}" hk_tmp_dir=$(mktemp -d)
# system in bad state?
[ -n "${hk_tmp_dir}" ] || return 1
kcount=0 chmod 0700 "${hk_tmp_dir}"
for ktype in ${kgen}; do
tfile="${tdir}/dropbear_${ktype}_host_key"
if ! _dropbearkey -t ${ktype} -f "${tfile}"; then for ktype in ${kgen} ; do
kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
if ! _dropbearkey -t ${ktype} -f "${kfile}" ; then
# unsupported key type # unsupported key type
rm -f "${tfile}" rm -f "${kfile}"
continue continue
fi fi
kcount=$((kcount+1)) chmod 0600 "${kfile}"
done done
if [ ${kcount} -ne 0 ]; then kgen=
mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}" for ktype in ${ktype_all} ; do
mv -f "${tdir}/"* "${kdir}/" kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || continue
kgen="${kgen}${kgen:+ }${ktype}"
done
if [ -n "${kgen}" ] ; then
for ktype in ${kgen} ; do
kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || continue
mv -f "${kfile}" "${hk_cfg_dir}/"
done
fi fi
rm -rf "${tdir}" rm -rf "${hk_tmp_dir}"
# cleanup empty files
for ktype in ${ktype_all} ; do
kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || rm -f "${kfile}"
done
} }
append_ports() append_ports()
@ -207,6 +256,7 @@ boot()
start_service() start_service()
{ {
hk_generate_as_needed hk_generate_as_needed
file_verify /etc/dropbear/authorized_keys config
. /lib/functions.sh . /lib/functions.sh
. /lib/functions/network.sh . /lib/functions/network.sh