-rw-r--r--runopts.h6
-rw-r--r--svr-auth.c5
-rw-r--r--svr-runopts.c9
3 files changed, 18 insertions, 2 deletions
diff --git a/runopts.h b/runopts.h
index 67d5c48..3123383 100644
--- a/runopts.h
+++ b/runopts.h
@@ -92,8 +92,14 @@ typedef struct svr_runopts {
#endif
int norootlogin;
+
+#ifdef HAVE_GETGROUPLIST
+ /* restrict_group is the group name if group restriction was enabled,
+ NULL otherwise */
char *restrict_group;
+ /* restrict_group_gid is only valid if restrict_group is set */
gid_t restrict_group_gid;
+#endif
int noauthpass;
int norootpass;
diff --git a/svr-auth.c b/svr-auth.c
index c9a75c0..64d97aa 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -197,6 +197,7 @@ out:
m_free(methodname);
}
+#ifdef HAVE_GETGROUPLIST
/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
int ngroups, i, ret;
@@ -230,7 +231,7 @@ static int check_group_membership(gid_t check_gid, const char* username, gid_t u
return match;
}
-
+#endif
/* Check that the username exists and isn't disallowed (root), and has a valid shell.
* returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
@@ -300,6 +301,7 @@ static int checkusername(const char *username, unsigned int userlen) {
}
/* check for login restricted to certain group if desired */
+#ifdef HAVE_GETGROUPLIST
if (svr_opts.restrict_group) {
if (check_group_membership(svr_opts.restrict_group_gid,
ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
@@ -310,6 +312,7 @@ static int checkusername(const char *username, unsigned int userlen) {
return DROPBEAR_FAILURE;
}
}
+#endif HAVE_GETGROUPLIST
TRACE(("shell is %s", ses.authstate.pw_shell))
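Review bot: The closing directive added in this hunk, `#endif HAVE_GETGROUPLIST`, carries a bare token after `#endif`, which ISO C does not permit; GCC and Clang warn about it (`-Wendif-labels`), and a build using `-Werror` or pedantic errors will fail on it. Put the label in a comment instead: `#endif /* HAVE_GETGROUPLIST */`. The guard encloses the group-restriction check inside checkusername, whose body starts and ends outside this hunk, so a labelled `#endif` is useful here, but it has to be a comment. The other `#endif` lines added by this commit are bare and need no change.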
diff --git a/svr-runopts.c b/svr-runopts.c
index 99d63bb..fe83e02 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -70,7 +70,9 @@ static void printhelp(const char * progname) {
"-m Don't display the motd on login\n"
#endif
"-w Disallow root logins\n"
+#ifdef HAVE_GETGROUPLIST
"-G Restrict logins to members of specified group\n"
+#endif
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
"-s Disable password logins\n"
"-g Disable password logins for root\n"
@@ -135,8 +137,10 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.forced_command = NULL;
svr_opts.forkbg = 1;
svr_opts.norootlogin = 0;
+#ifdef HAVE_GETGROUPLIST
svr_opts.restrict_group = NULL;
svr_opts.restrict_group_gid = 0;
+#endif
svr_opts.noauthpass = 0;
svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0;
@@ -235,9 +239,11 @@ void svr_getopts(int argc, char ** argv) {
case 'w':
svr_opts.norootlogin = 1;
break;
+#ifdef HAVE_GETGROUPLIST
case 'G':
next = &svr_opts.restrict_group;
break;
+#endif
case 'W':
next = &recv_window_arg;
break;
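Review bot: With `case 'G':` compiled out when HAVE_GETGROUPLIST is undefined, the handling of `-G group` on such a build falls to the switch's default branch, which is outside this hunk. If that branch does not abort startup, the server would run with no group restriction even though the operator asked for one. Because this option is an access control, it is safer to fail explicitly than to rely on the generic path: before the `#endif`, add `#else`, `case 'G':` and `dropbear_exit("-G is not supported: built without getgrouplist()");`. Please also confirm that the default branch rejects unknown options rather than ignoring them.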
@@ -340,6 +346,7 @@ void svr_getopts(int argc, char ** argv) {
buf_setpos(svr_opts.banner, 0);
}
+#ifdef HAVE_GETGROUPLIST
if (svr_opts.restrict_group) {
struct group *restrictedgroup = getgrnam(svr_opts.restrict_group);
@@ -348,8 +355,8 @@ void svr_getopts(int argc, char ** argv) {
} else {
dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group);
}
-
}
+#endif
if (recv_window_arg) {
opts.recv_window = atol(recv_window_arg);