v2: - keep more capabilities (raw sockets, timestamping configuration) - copy ownership of server UDS - follow location of server UDS for client sockets - support operation with NTPSHM servo - move default UDS addresses to /var/run/linuxptp
This patchset implements a support for dropping all root privileges except four capabilities that are needed to work with clocks and (raw) sockets. This should limit impact of security issues. A new option is added to ptp4l/phc2sys/pmc to specify the username to which should be the process switch. I tried few different approaches with the configuration. I think this one will be least problematic for migrations and user experience. A pmc/phc2sys running under root can still work with non-root ptp4l. There are some cases which requires the permissions of the PTP clocks to be set up for the operation as they cannot be opened before root is dropped. The default location of all UDS sockets is changed to /var/run/linuxptp. The directory is created by ptp4l on first start. If the user configuration of ptp4l is changed, the directory has to be removed. In the v1 discussion there was a suggestion to not use libcap. I have not looked into that yet, but I can try it if this whole thing makes sense otherwise. Miroslav Lichvar (6): util: Add functions for dropping root privileges. uds: Copy ownership of server socket. clock: Add support for dropping root privileges. pmc: Add support for dropping root privileges. phc2sys: Add support for dropping root privileges. config: move default UDS addresses to /var/run/linuxptp. clock.c | 29 +++++++++--- config.c | 5 +- configs/default.cfg | 4 +- incdefs.sh | 11 ++++- makefile | 4 ++ phc2sys.8 | 14 +++++- phc2sys.c | 31 +++++++++++-- pmc.8 | 15 ++++-- pmc.c | 12 +++-- pmc_common.c | 32 +++++++++++++ ptp4l.8 | 14 +++++- uds.c | 9 ++++ util.c | 111 ++++++++++++++++++++++++++++++++++++++++++++ util.h | 19 ++++++++ 14 files changed, 283 insertions(+), 27 deletions(-) -- 2.26.3 _______________________________________________ Linuxptp-devel mailing list Linuxptp-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linuxptp-devel
