subject:"svn commit\: r336525 \- in head\: contrib\/ntp\/ntpd etc etc\/mtree share\/man\/man4 sys\/conf sys\/modules sys\/modules\/mac_ntpd sys\/security\/mac

Re: svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp

2018-07-22 Thread O. Hartmann

On Thu, 19 Jul 2018 23:55:29 + (UTC)
Ian Lepore  wrote:

> Author: ian
> Date: Thu Jul 19 23:55:29 2018
> New Revision: 336525
> URL: https://svnweb.freebsd.org/changeset/base/336525
> 
> Log:
>   Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
>   
>   Code analysis and runtime analysis using truss(8) indicate that the only
>   privileged operations performed by ntpd are adjusting system time, and
>   (re-)binding to privileged UDP port 123. These changes add a new mac(4)
>   policy module, mac_ntpd(4), which grants just those privileges to any
>   process running with uid 123.
>   
>   This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
>   them the owner of the /var/db/ntp directory, so that it can be used as a
>   location where the non-privileged daemon can write files such as the
>   driftfile, and any optional logfile or stats files.
>   
>   Because there are so many ways to configure ntpd, the question of how to
>   configure it to run without root privs can be a bit complex, so that will be
>   addressed in a separate commit. These changes are just what's required to
>   grant the limited subset of privs to ntpd, and the small change to ntpd to
>   prevent it from exiting with an error if running as non-root.
>   
>   Differential Revision:  https://reviews.freebsd.org/D16281
> 
> Added:
>   head/share/man/man4/mac_ntpd.4   (contents, props changed)
>   head/sys/modules/mac_ntpd/
>   head/sys/modules/mac_ntpd/Makefile   (contents, props changed)
>   head/sys/security/mac_ntpd/
>   head/sys/security/mac_ntpd/mac_ntpd.c   (contents, props changed)
> Modified:
>   head/contrib/ntp/ntpd/ntpd.c
>   head/etc/group
>   head/etc/master.passwd
>   head/etc/mtree/BSD.var.dist
>   head/sys/conf/NOTES
>   head/sys/conf/files
>   head/sys/conf/options
>   head/sys/modules/Makefile
>   head/usr.sbin/ntp/config.h
> 
> Modified: head/contrib/ntp/ntpd/ntpd.c
> ==
> --- head/contrib/ntp/ntpd/ntpd.c  Thu Jul 19 23:54:18 2018
> (r336524) +++ head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:55:29
> 2018  (r336525) @@ -123,6 +123,9 @@
>  #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
>  # include 
>  #endif /* HAVE_PRIV_H */
> +#if defined(HAVE_TRUSTEDBSD_MAC)
> +# include 
> +#endif /* HAVE_TRUSTEDBSD_MAC */
>  #endif /* HAVE_DROPROOT */
>  
>  #if defined (LIBSECCOMP) && (KERN_SECCOMP)
> @@ -634,7 +637,12 @@ ntpdmain(
>   /* MPE lacks the concept of root */
>  # if defined(HAVE_GETUID) && !defined(MPE)
>   uid = getuid();
> - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
> + if (uid && !HAVE_OPT( SAVECONFIGQUIT )
> +#  if defined(HAVE_TRUSTEDBSD_MAC)
> + /* We can run as non-root if the mac_ntpd policy is enabled. */
> + && mac_is_present("ntpd") != 1
> +#  endif
> + ) {
>   msyslog_term = TRUE;
>   msyslog(LOG_ERR,
>   "must be run as root, not uid %ld", (long)uid);
> @@ -1082,7 +1090,17 @@ getgroup:
>   exit (-1);
>   }
>  
> -#  if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
> +#  if defined(HAVE_TRUSTEDBSD_MAC)
> + /*
> +  * To manipulate system time and (re-)bind to NTP_PORT as
> needed
> +  * following interface changes, we must either run as uid 0
> or
> +  * the mac_ntpd policy module must be enabled.
> +  */
> + if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
> + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to
> drop root privileges");
> + exit (-1);
> + }
> +#  elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
>   /*
>* for now assume that the privilege to bind to privileged
> ports
>* is associated with running with uid 0 - should be refined
> on
> 
> Modified: head/etc/group
> ==
> --- head/etc/groupThu Jul 19 23:54:18 2018(r336524)
> +++ head/etc/groupThu Jul 19 23:55:29 2018(r336525)
> @@ -29,6 +29,7 @@ dialer:*:68:
>  network:*:69:
>  audit:*:77:
>  www:*:80:
> +ntpd:*:123:
>  _ypldap:*:160:
>  hast:*:845:
>  nogroup:*:65533:
> 
> Modified: head/etc/master.passwd
> ==
> --- head/etc/master.passwdThu Jul 19 23:54:18 2018(r336524)
> +++ head/etc/master.passwdThu Jul 19 23:55:29 2018(r336525)
> @@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl
>  pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
>  auditdistd:*:78:77::0:0:Auditdistd unprivileged
> user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web
> Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP
>

svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp

2018-07-19 Thread Ian Lepore

Author: ian
Date: Thu Jul 19 23:55:29 2018
New Revision: 336525
URL: https://svnweb.freebsd.org/changeset/base/336525

Log:
  Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
  
  Code analysis and runtime analysis using truss(8) indicate that the only
  privileged operations performed by ntpd are adjusting system time, and
  (re-)binding to privileged UDP port 123. These changes add a new mac(4)
  policy module, mac_ntpd(4), which grants just those privileges to any
  process running with uid 123.
  
  This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
  them the owner of the /var/db/ntp directory, so that it can be used as a
  location where the non-privileged daemon can write files such as the
  driftfile, and any optional logfile or stats files.
  
  Because there are so many ways to configure ntpd, the question of how to
  configure it to run without root privs can be a bit complex, so that will be
  addressed in a separate commit. These changes are just what's required to
  grant the limited subset of privs to ntpd, and the small change to ntpd to
  prevent it from exiting with an error if running as non-root.
  
  Differential Revision:https://reviews.freebsd.org/D16281

Added:
  head/share/man/man4/mac_ntpd.4   (contents, props changed)
  head/sys/modules/mac_ntpd/
  head/sys/modules/mac_ntpd/Makefile   (contents, props changed)
  head/sys/security/mac_ntpd/
  head/sys/security/mac_ntpd/mac_ntpd.c   (contents, props changed)
Modified:
  head/contrib/ntp/ntpd/ntpd.c
  head/etc/group
  head/etc/master.passwd
  head/etc/mtree/BSD.var.dist
  head/sys/conf/NOTES
  head/sys/conf/files
  head/sys/conf/options
  head/sys/modules/Makefile
  head/usr.sbin/ntp/config.h

Modified: head/contrib/ntp/ntpd/ntpd.c
==
--- head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:54:18 2018
(r336524)
+++ head/contrib/ntp/ntpd/ntpd.cThu Jul 19 23:55:29 2018
(r336525)
@@ -123,6 +123,9 @@
 #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
 # include 
 #endif /* HAVE_PRIV_H */
+#if defined(HAVE_TRUSTEDBSD_MAC)
+# include 
+#endif /* HAVE_TRUSTEDBSD_MAC */
 #endif /* HAVE_DROPROOT */
 
 #if defined (LIBSECCOMP) && (KERN_SECCOMP)
@@ -634,7 +637,12 @@ ntpdmain(
/* MPE lacks the concept of root */
 # if defined(HAVE_GETUID) && !defined(MPE)
uid = getuid();
-   if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
+   if (uid && !HAVE_OPT( SAVECONFIGQUIT )
+#  if defined(HAVE_TRUSTEDBSD_MAC)
+   /* We can run as non-root if the mac_ntpd policy is enabled. */
+   && mac_is_present("ntpd") != 1
+#  endif
+   ) {
msyslog_term = TRUE;
msyslog(LOG_ERR,
"must be run as root, not uid %ld", (long)uid);
@@ -1082,7 +1090,17 @@ getgroup:
exit (-1);
}
 
-#  if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
+#  if defined(HAVE_TRUSTEDBSD_MAC)
+   /*
+* To manipulate system time and (re-)bind to NTP_PORT as needed
+* following interface changes, we must either run as uid 0 or
+* the mac_ntpd policy module must be enabled.
+*/
+   if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
+   msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to 
drop root privileges");
+   exit (-1);
+   }
+#  elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
/*
 * for now assume that the privilege to bind to privileged ports
 * is associated with running with uid 0 - should be refined on

Modified: head/etc/group
==
--- head/etc/group  Thu Jul 19 23:54:18 2018(r336524)
+++ head/etc/group  Thu Jul 19 23:55:29 2018(r336525)
@@ -29,6 +29,7 @@ dialer:*:68:
 network:*:69:
 audit:*:77:
 www:*:80:
+ntpd:*:123:
 _ypldap:*:160:
 hast:*:845:
 nogroup:*:65533:

Modified: head/etc/master.passwd
==
--- head/etc/master.passwd  Thu Jul 19 23:54:18 2018(r336524)
+++ head/etc/master.passwd  Thu Jul 19 23:55:29 2018(r336525)
@@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
 auditdistd:*:78:77::0:0:Auditdistd unprivileged 
user:/var/empty:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
+ntpd:*:123:123::0:0:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
 _ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
 hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged

Re: svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp

svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp

2 matches

Site Navigation

Mail list logo

Footer information