Re: ntpd && pledge
On Thursday 07 July 2016 00:32:04 Ian Mcwilliam wrote:
> Seems changes to pledge have made ntpd abort.
>
> ntpd(67855): syscall 5 "rpath"
> ntpd(81479): syscall 5 "rpath"
>
> Jul 7 10:29:23 ianm-openbsd ntpd[76119]: constraint
> 2404:6800:4006:800::2004; terminated with signal 6 (Abort trap)

Thanks - this was actually due to a change to libtls, which has been
reverted.
ntpd && pledge
Seems changes to pledge have made ntpd abort.

ntpd(67855): syscall 5 "rpath"
ntpd(81479): syscall 5 "rpath"

Jul 7 10:29:23 ianm-openbsd ntpd[76119]: constraint 2404:6800:4006:800::2004; terminated with signal 6 (Abort trap)

Ian McWilliam
Re: ntpd pledge, needs "unix" to talk to ntpctl
> Andreas Kusalananda Kähäri writes:
>
> > Hi,
> >
> > I noticed that ntpd would die if I tried to use ntpctl to check on it:
> >
> > [...]
> > 29946 ntpd CALL poll(0xda8993ab5c0,4,1000)
> > 29946 ntpd RET poll 1
> > 29946 ntpd CALL kbind(0x7f7c2558,0x18,0x7bb3facd5f812ed9)
> > 29946 ntpd RET kbind 0
> > 29946 ntpd CALL accept(5,0x7f7c2630,0x7f7c262c)
> > 29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
> > 29946 ntpd PSIG SIGABRT SIG_DFL
> > [...]
> >
> > I also get ntpd(): syscall 30 "unix" in the console.
>
> Confirmed, the failure is in control_accept(), which should be allowed
> to speak on a Unix socket.
>
> See the diff below.
>
> > Cheer,
> >
> > ps. is tech@ the right list for these sorts of things?
>
> For this case I'd say "yes", as it was trivial for me to reproduce the
> bug.
>
> Index: ntp.c
> ===================================================================

You are sending mime again.  The kernel has been fixed for this issue,
not ntpd.  We don't want that process able to open sockets outbound,
which your diff does.
Re: ntpd pledge, needs "unix" to talk to ntpctl
On Fri, Nov 20, 2015 at 02:07:46PM +0100, Jérémie Courrèges-Anglas wrote:
> Andreas Kusalananda Kähäri writes:
>
> > Hi,
> >
> > I noticed that ntpd would die if I tried to use ntpctl to check on it:
> >
> > [...]
> > 29946 ntpd CALL poll(0xda8993ab5c0,4,1000)
> > 29946 ntpd RET poll 1
> > 29946 ntpd CALL kbind(0x7f7c2558,0x18,0x7bb3facd5f812ed9)
> > 29946 ntpd RET kbind 0
> > 29946 ntpd CALL accept(5,0x7f7c2630,0x7f7c262c)
> > 29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
> > 29946 ntpd PSIG SIGABRT SIG_DFL
> > [...]
> >
> > I also get ntpd(): syscall 30 "unix" in the console.
>
> Confirmed, the failure is in control_accept(), which should be allowed
> to speak on a Unix socket.
>
> See the diff below.
>

There was some semantical fix in sys/kern/uipc_usrreq.c for unix sockets
that might have triggered it.  I'm sure I had used ntpctl with "older"
pledge.

The diff looks OK, with the drawback that the ntp process now needs
"all of unix" for the accept() - but the unix socket is pre-opened
before its pledge/chroot.

OK reyk@

> Index: ntp.c
> ===
> RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
> retrieving revision 1.139
> diff -u -p -p -u -r1.139 ntp.c
> --- ntp.c	30 Oct 2015 16:41:53 -	1.139
> +++ ntp.c	20 Nov 2015 13:03:29 -
> @@ -149,7 +149,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s
>  	endservent();
>  
>  	/* The ntp process will want to open NTP client sockets -> "inet" */
> -	if (pledge("stdio inet", NULL) == -1)
> +	if (pledge("stdio unix inet", NULL) == -1)
>  		err(1, "pledge");
>  
>  	signal(SIGTERM, ntp_sighdlr);
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
> --
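Review bot: the widened promise at `+ if (pledge("stdio unix inet", NULL) == -1)` grants more than the failure needs: "unix" lets the whole ntp process create and connect unix-domain sockets outbound, whereas control_accept() only needs accept() on the listening control socket, which the thread notes is already open before the pledge/chroot. Since the follow-up says the kernel side was corrected instead, keep "stdio inet" here and drop the patch; if ntpd does ever need the wider promise, extend the comment above the pledge call ("The ntp process will want to open NTP client sockets -> \"inet\"") to record why "unix" is required, so the broader grant is not silently inherited later.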
Re: ntpd pledge, needs "unix" to talk to ntpctl
Reyk Floeter writes:

> On Fri, Nov 20, 2015 at 02:07:46PM +0100, Jérémie Courrèges-Anglas wrote:
>> Andreas Kusalananda Kähäri writes:
>>
>> > Hi,
>> >
>> > I noticed that ntpd would die if I tried to use ntpctl to check on it:
>> >
>> > [...]
>> > 29946 ntpd CALL poll(0xda8993ab5c0,4,1000)
>> > 29946 ntpd RET poll 1
>> > 29946 ntpd CALL kbind(0x7f7c2558,0x18,0x7bb3facd5f812ed9)
>> > 29946 ntpd RET kbind 0
>> > 29946 ntpd CALL accept(5,0x7f7c2630,0x7f7c262c)
>> > 29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
>> > 29946 ntpd PSIG SIGABRT SIG_DFL
>> > [...]
>> >
>> > I also get ntpd(): syscall 30 "unix" in the console.
>>
>> Confirmed, the failure is in control_accept(), which should be allowed
>> to speak on a Unix socket.
>>
>> See the diff below.
>>
>
> There was some semantical fix in sys/kern/uipc_usrreq.c for unix
> sockets that might have triggered it.

Yup.  And the change that led to this ntpd failure was amended earlier
today, so the patch isn't actually needed.

Cheers,

> I'm sure I had used ntpctl with
> "older" pledge.
>
> The diff looks OK, with the drawback that the ntp process now needs
> "all of unix" for the accept() - but the unix socket is pre-opened
> before its pledge/chroot.
>
> OK reyk@
>
>> Index: ntp.c
>> ===
>> RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
>> retrieving revision 1.139
>> diff -u -p -p -u -r1.139 ntp.c
>> --- ntp.c	30 Oct 2015 16:41:53 -	1.139
>> +++ ntp.c	20 Nov 2015 13:03:29 -
>> @@ -149,7 +149,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s
>>  	endservent();
>>  
>>  	/* The ntp process will want to open NTP client sockets -> "inet" */
>> -	if (pledge("stdio inet", NULL) == -1)
>> +	if (pledge("stdio unix inet", NULL) == -1)
>>  		err(1, "pledge");
>>  
>>  	signal(SIGTERM, ntp_sighdlr);
>>
>> --
>> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>>

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
ntpd pledge, needs "unix" to talk to ntpctl
Hi,

I noticed that ntpd would die if I tried to use ntpctl to check on it:

[...]
29946 ntpd CALL poll(0xda8993ab5c0,4,1000)
29946 ntpd RET poll 1
29946 ntpd CALL kbind(0x7f7c2558,0x18,0x7bb3facd5f812ed9)
29946 ntpd RET kbind 0
29946 ntpd CALL accept(5,0x7f7c2630,0x7f7c262c)
29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
29946 ntpd PSIG SIGABRT SIG_DFL
[...]

I also get ntpd(): syscall 30 "unix" in the console.

Cheer,

ps. is tech@ the right list for these sorts of things?

--
:: Andreas Kusalananda Kähäri
:: Bioinformatics Developer
:: Uppsala, Sweden
::--
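The two kinds of evidence in this thread (the kernel's console line `prog(pid): syscall N "promise"` and the kdump(1) `PLDG` record) both name the promise a pledged process was missing when it was killed. As an added example, not part of the thread or of ntpd, here is a small Python triage helper that parses both formats into one record and summarises which promises each program died for; the syscall-number table is an assumption (a partial copy of OpenBSD's syscalls.master as I know it) and the sample lines are constructed from the messages above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: partial OpenBSD syscall-number table (from syscalls.master);
# only the entries needed to read this thread plus a few common ones.
OPENBSD_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close",
                    30: "accept", 97: "socket", 98: "connect"}

# Kernel console line, e.g.  ntpd(67855): syscall 5 "rpath"  (pid may be empty: ntpd(): ...)
CONSOLE_RE = re.compile(
    r'^(?P<prog>\S+)\((?P<pid>\d*)\): syscall (?P<num>\d+) "(?P<promise>\w+)"')
# kdump(1) pledge record, e.g.  29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
KDUMP_RE = re.compile(
    r'^\s*(?P<pid>\d+)\s+(?P<prog>\S+)\s+PLDG\s+(?P<call>\w+),\s+"(?P<promise>\w+)"')

@dataclass(frozen=True)
class PledgeViolation:
    program: str
    pid: Optional[int]
    syscall: str   # name, or "syscall#N" when N is not in the table
    promise: str   # the promise the kernel reports as missing

def parse_line(line: str) -> Optional[PledgeViolation]:
    """Return a PledgeViolation for a console or kdump PLDG line, else None."""
    m = CONSOLE_RE.match(line)
    if m:
        num = int(m["num"])
        pid = int(m["pid"]) if m["pid"] else None
        return PledgeViolation(m["prog"], pid,
                               OPENBSD_SYSCALLS.get(num, f"syscall#{num}"), m["promise"])
    m = KDUMP_RE.match(line)
    if m:
        return PledgeViolation(m["prog"], int(m["pid"]), m["call"], m["promise"])
    return None   # CALL/RET/PSIG and unrelated lines are ignored

def scan(lines):
    return [v for v in map(parse_line, lines) if v is not None]

def missing_promises(lines):
    """Per program, the set of promises whose absence caused an abort."""
    out = {}
    for v in scan(lines):
        out.setdefault(v.program, set()).add(v.promise)
    return out

# Constructed sample: the lines quoted in this thread.
SAMPLE = """\
ntpd(67855): syscall 5 "rpath"
29946 ntpd CALL accept(5,0x7f7c2630,0x7f7c262c)
29946 ntpd PLDG accept, "unix", errno 1 Operation not permitted
29946 ntpd PSIG SIGABRT SIG_DFL
ntpd(): syscall 30 "unix"
""".splitlines()
```

Run `scan(SAMPLE)` to see that the console's `syscall 30 "unix"` and the kdump `PLDG accept, "unix"` describe the same accept() on the control socket.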