Re: svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp
On Thu, 19 Jul 2018 23:55:29 + (UTC) Ian Lepore wrote: > Author: ian > Date: Thu Jul 19 23:55:29 2018 > New Revision: 336525 > URL: https://svnweb.freebsd.org/changeset/base/336525 > > Log: > Make it possible to run ntpd as a non-root user, add ntpd uid and gid. > > Code analysis and runtime analysis using truss(8) indicate that the only > privileged operations performed by ntpd are adjusting system time, and > (re-)binding to privileged UDP port 123. These changes add a new mac(4) > policy module, mac_ntpd(4), which grants just those privileges to any > process running with uid 123. > > This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes > them the owner of the /var/db/ntp directory, so that it can be used as a > location where the non-privileged daemon can write files such as the > driftfile, and any optional logfile or stats files. > > Because there are so many ways to configure ntpd, the question of how to > configure it to run without root privs can be a bit complex, so that will be > addressed in a separate commit. These changes are just what's required to > grant the limited subset of privs to ntpd, and the small change to ntpd to > prevent it from exiting with an error if running as non-root. > > Differential Revision: https://reviews.freebsd.org/D16281 > > Added: > head/share/man/man4/mac_ntpd.4 (contents, props changed) > head/sys/modules/mac_ntpd/ > head/sys/modules/mac_ntpd/Makefile (contents, props changed) > head/sys/security/mac_ntpd/ > head/sys/security/mac_ntpd/mac_ntpd.c (contents, props changed) > Modified: > head/contrib/ntp/ntpd/ntpd.c > head/etc/group > head/etc/master.passwd > head/etc/mtree/BSD.var.dist > head/sys/conf/NOTES > head/sys/conf/files > head/sys/conf/options > head/sys/modules/Makefile > head/usr.sbin/ntp/config.h > > Modified: head/contrib/ntp/ntpd/ntpd.c > == > --- head/contrib/ntp/ntpd/ntpd.c Thu Jul 19 23:54:18 2018 > (r336524) +++ head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:55:29 > 2018 (r336525) @@ -123,6 +123,9 @@ > #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) > # include > #endif /* HAVE_PRIV_H */ > +#if defined(HAVE_TRUSTEDBSD_MAC) > +# include > +#endif /* HAVE_TRUSTEDBSD_MAC */ > #endif /* HAVE_DROPROOT */ > > #if defined (LIBSECCOMP) && (KERN_SECCOMP) > @@ -634,7 +637,12 @@ ntpdmain( > /* MPE lacks the concept of root */ > # if defined(HAVE_GETUID) && !defined(MPE) > uid = getuid(); > - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) { > + if (uid && !HAVE_OPT( SAVECONFIGQUIT ) > +# if defined(HAVE_TRUSTEDBSD_MAC) > + /* We can run as non-root if the mac_ntpd policy is enabled. */ > + && mac_is_present("ntpd") != 1 > +# endif > + ) { > msyslog_term = TRUE; > msyslog(LOG_ERR, > "must be run as root, not uid %ld", (long)uid); > @@ -1082,7 +1090,17 @@ getgroup: > exit (-1); > } > > -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) > +# if defined(HAVE_TRUSTEDBSD_MAC) > + /* > + * To manipulate system time and (re-)bind to NTP_PORT as > needed > + * following interface changes, we must either run as uid 0 > or > + * the mac_ntpd policy module must be enabled. > + */ > + if (sw_uid != 0 && mac_is_present("ntpd") != 1) { > + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to > drop root privileges"); > + exit (-1); > + } > +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) > /* >* for now assume that the privilege to bind to privileged > ports >* is associated with running with uid 0 - should be refined > on > > Modified: head/etc/group > == > --- head/etc/groupThu Jul 19 23:54:18 2018(r336524) > +++ head/etc/groupThu Jul 19 23:55:29 2018(r336525) > @@ -29,6 +29,7 @@ dialer:*:68: > network:*:69: > audit:*:77: > www:*:80: > +ntpd:*:123: > _ypldap:*:160: > hast:*:845: > nogroup:*:65533: > > Modified: head/etc/master.passwd > == > --- head/etc/master.passwdThu Jul 19 23:54:18 2018(r336524) > +++ head/etc/master.passwdThu Jul 19 23:55:29 2018(r336525) > @@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl > pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin > auditdistd:*:78:77::0:0:Auditdistd unprivileged > user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web > Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP >
svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp
Author: ian Date: Thu Jul 19 23:55:29 2018 New Revision: 336525 URL: https://svnweb.freebsd.org/changeset/base/336525 Log: Make it possible to run ntpd as a non-root user, add ntpd uid and gid. Code analysis and runtime analysis using truss(8) indicate that the only privileged operations performed by ntpd are adjusting system time, and (re-)binding to privileged UDP port 123. These changes add a new mac(4) policy module, mac_ntpd(4), which grants just those privileges to any process running with uid 123. This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes them the owner of the /var/db/ntp directory, so that it can be used as a location where the non-privileged daemon can write files such as the driftfile, and any optional logfile or stats files. Because there are so many ways to configure ntpd, the question of how to configure it to run without root privs can be a bit complex, so that will be addressed in a separate commit. These changes are just what's required to grant the limited subset of privs to ntpd, and the small change to ntpd to prevent it from exiting with an error if running as non-root. Differential Revision:https://reviews.freebsd.org/D16281 Added: head/share/man/man4/mac_ntpd.4 (contents, props changed) head/sys/modules/mac_ntpd/ head/sys/modules/mac_ntpd/Makefile (contents, props changed) head/sys/security/mac_ntpd/ head/sys/security/mac_ntpd/mac_ntpd.c (contents, props changed) Modified: head/contrib/ntp/ntpd/ntpd.c head/etc/group head/etc/master.passwd head/etc/mtree/BSD.var.dist head/sys/conf/NOTES head/sys/conf/files head/sys/conf/options head/sys/modules/Makefile head/usr.sbin/ntp/config.h Modified: head/contrib/ntp/ntpd/ntpd.c == --- head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:54:18 2018 (r336524) +++ head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:55:29 2018 (r336525) @@ -123,6 +123,9 @@ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) # include #endif /* HAVE_PRIV_H */ +#if defined(HAVE_TRUSTEDBSD_MAC) +# include +#endif /* HAVE_TRUSTEDBSD_MAC */ #endif /* HAVE_DROPROOT */ #if defined (LIBSECCOMP) && (KERN_SECCOMP) @@ -634,7 +637,12 @@ ntpdmain( /* MPE lacks the concept of root */ # if defined(HAVE_GETUID) && !defined(MPE) uid = getuid(); - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) { + if (uid && !HAVE_OPT( SAVECONFIGQUIT ) +# if defined(HAVE_TRUSTEDBSD_MAC) + /* We can run as non-root if the mac_ntpd policy is enabled. */ + && mac_is_present("ntpd") != 1 +# endif + ) { msyslog_term = TRUE; msyslog(LOG_ERR, "must be run as root, not uid %ld", (long)uid); @@ -1082,7 +1090,17 @@ getgroup: exit (-1); } -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) +# if defined(HAVE_TRUSTEDBSD_MAC) + /* +* To manipulate system time and (re-)bind to NTP_PORT as needed +* following interface changes, we must either run as uid 0 or +* the mac_ntpd policy module must be enabled. +*/ + if (sw_uid != 0 && mac_is_present("ntpd") != 1) { + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges"); + exit (-1); + } +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) /* * for now assume that the privilege to bind to privileged ports * is associated with running with uid 0 - should be refined on Modified: head/etc/group == --- head/etc/group Thu Jul 19 23:54:18 2018(r336524) +++ head/etc/group Thu Jul 19 23:55:29 2018(r336525) @@ -29,6 +29,7 @@ dialer:*:68: network:*:69: audit:*:77: www:*:80: +ntpd:*:123: _ypldap:*:160: hast:*:845: nogroup:*:65533: Modified: head/etc/master.passwd == --- head/etc/master.passwd Thu Jul 19 23:54:18 2018(r336524) +++ head/etc/master.passwd Thu Jul 19 23:55:29 2018(r336525) @@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP Daemon:/var/db/ntp:/usr/sbin/nologin _ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged