Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode

author: Matt Johnston <matt@ucc.asn.au> 2019-03-20 22:57:06 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2019-03-20 22:57:06 +0800
commit: 0afcfafbb993c856db65e033569539f66491cc1b (patch)
tree: 9feb51d6f13f30353c3a5830bd70938517af90fa
parent: 0af22aa8e43722082947bb48fa9ec2990f702c49 (diff)
2 files changed, 13 insertions, 1 deletions
diff --git a/common-session.c b/common-session.c
index 96dd4dc..aa31e49 100644
--- a/common-session.c
+++ b/common-session.c
@@ -68,6 +68,16 @@ void common_session_init(int sock_in, int sock_out) {
 	/* Sets it to lowdelay */
 	update_channel_prio();
 
+#if !DROPBEAR_SVR_MULTIUSER
+	/* A sanity check to prevent an accidental configuration option
+	   leaving multiuser systems exposed */
+	errno = 0;
+	getuid();
+	if (errno != ENOSYS) {
+		dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel");
+	}
+#endif
+
 	now = monotonic_now();
 	ses.connect_time = now;
 	ses.last_packet_time_keepalive_recv = now;
diff --git a/default_options.h b/default_options.h
index 7365d2c..9000fcc 100644
--- a/default_options.h
+++ b/default_options.h
@@ -196,7 +196,9 @@ group1 in Dropbear server too */
  * authorized_keys file into account */
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
 
-/* Disable if your kernel does not have multiple user support */
+/* Set this to 0 if your system does not have multiple user support.
+   (Linux kernel CONFIG_MULTIUSER option)
+   The resulting binary will not run on a normal system. */
 #define DROPBEAR_SVR_MULTIUSER 1
 
 /* Client authentication options */
author	Matt Johnston <matt@ucc.asn.au>	2019-03-20 22:57:06 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2019-03-20 22:57:06 +0800
commit	0afcfafbb993c856db65e033569539f66491cc1b (patch)
tree	9feb51d6f13f30353c3a5830bd70938517af90fa
parent	0af22aa8e43722082947bb48fa9ec2990f702c49 (diff)