-rw-r--r-- | runopts.h | 6 | ||||
-rw-r--r-- | svr-auth.c | 5 | ||||
-rw-r--r-- | svr-runopts.c | 9 |
3 files changed, 18 insertions, 2 deletions
@@ -92,8 +92,14 @@ typedef struct svr_runopts { #endif int norootlogin; + +#ifdef HAVE_GETGROUPLIST + /* restrict_group is the group name if group restriction was enabled, + NULL otherwise */ char *restrict_group; + /* restrict_group_gid is only valid if restrict_group is set */ gid_t restrict_group_gid; +#endif int noauthpass; int norootpass; @@ -197,6 +197,7 @@ out: m_free(methodname); } +#ifdef HAVE_GETGROUPLIST /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { int ngroups, i, ret; @@ -230,7 +231,7 @@ static int check_group_membership(gid_t check_gid, const char* username, gid_t u return match; } - +#endif /* Check that the username exists and isn't disallowed (root), and has a valid shell. * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ @@ -300,6 +301,7 @@ static int checkusername(const char *username, unsigned int userlen) { } /* check for login restricted to certain group if desired */ +#ifdef HAVE_GETGROUPLIST if (svr_opts.restrict_group) { if (check_group_membership(svr_opts.restrict_group_gid, ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { @@ -310,6 +312,7 @@ static int checkusername(const char *username, unsigned int userlen) { return DROPBEAR_FAILURE; } } +#endif HAVE_GETGROUPLIST TRACE(("shell is %s", ses.authstate.pw_shell)) diff --git a/svr-runopts.c b/svr-runopts.c index 99d63bb..fe83e02 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -70,7 +70,9 @@ static void printhelp(const char * progname) { "-m Don't display the motd on login\n" #endif "-w Disallow root logins\n" +#ifdef HAVE_GETGROUPLIST "-G Restrict logins to members of specified group\n" +#endif #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH "-s Disable password logins\n" "-g Disable password logins for root\n" 
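Review bot: The closing directive added in checkusername() in svr-auth.c is written `#endif HAVE_GETGROUPLIST`, with a bare token after `#endif`. ISO C does not allow extra tokens there, so compilers warn about it and a pedantic or warnings-as-errors build can reject the file. Write it as `#endif /* HAVE_GETGROUPLIST */`; the other `#endif` lines this commit adds carry no label. This guard compiles out the only group-membership check visible on the login path, so a short comment at the `#ifdef` saying that `-G` is unavailable in such builds would help the next reader. checkusername's body starts and ends outside the hunk.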
@@ -135,8 +137,10 @@ void svr_getopts(int argc, char ** argv) { svr_opts.forced_command = NULL; svr_opts.forkbg = 1; svr_opts.norootlogin = 0; +#ifdef HAVE_GETGROUPLIST svr_opts.restrict_group = NULL; svr_opts.restrict_group_gid = 0; +#endif svr_opts.noauthpass = 0; svr_opts.norootpass = 0; svr_opts.allowblankpass = 0; @@ -235,9 +239,11 @@ void svr_getopts(int argc, char ** argv) { case 'w': svr_opts.norootlogin = 1; break; +#ifdef HAVE_GETGROUPLIST case 'G': next = &svr_opts.restrict_group; break; +#endif case 'W': next = &recv_window_arg; break; @@ -340,6 +346,7 @@ void svr_getopts(int argc, char ** argv) { buf_setpos(svr_opts.banner, 0); } +#ifdef HAVE_GETGROUPLIST if (svr_opts.restrict_group) { struct group *restrictedgroup = getgrnam(svr_opts.restrict_group); @@ -348,8 +355,8 @@ void svr_getopts(int argc, char ** argv) { } else { dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group); } - } +#endif if (recv_window_arg) { opts.recv_window = atol(recv_window_arg); |
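Review bot: With `case 'G':` compiled out when HAVE_GETGROUPLIST is undefined, the fate of a `-G group` argument depends on the switch's `default:` arm, which is outside this hunk. If that arm rejects unknown options and exits, the build fails closed. If it only warns and continues, the server would start with no group restriction while the operator believes one is in force. Once confirmed, record it next to the guard, e.g. `/* without getgrouplist() -G is rejected as an unknown option, never silently ignored */`. svr_getopts starts and ends outside the hunk.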