Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Tue, Mar 31, 2020, 22:40 Reindl Harald wrote:
>
>
> On 31.03.20 at 20:32, Jędrzej Dudkiewicz wrote:
> > but I understand that
> > systemd-timesyncd always uses unprivileged source port?
>
> what else?

NTP has a "Symmetric Active" mode, where both peers use port 123 as source *and* destination. (It even seems that old NTPv1 actually determined the mode based on nothing else but sport)

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On 31.03.20 at 20:32, Jędrzej Dudkiewicz wrote:
> but I understand that
> systemd-timesyncd always uses unprivileged source port?

what else?
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
Lennart, I suppose that what you wrote concerns the UDP port on the server-providing system that systemd-timesyncd uses to synchronize time? This is not a problem; from the point of view of the system where systemd-timesyncd is running, a privileged remote port is not a problem. I have problems if the source UDP port (so the one created by systemd-timesyncd) is problematic, but I understand that systemd-timesyncd always uses an unprivileged source port?

Thanks for an answer,
JD

On Tue, Mar 31, 2020 at 4:57 PM Lennart Poettering wrote:
>
> On Mi, 11.03.20 17:34, Jędrzej Dudkiewicz (jedrzej.dudkiew...@gmail.com)
> wrote:
>
> > Hi,
> >
> > I have quite a few devices running Linux in client's network - so I
> > have no control over it. It seems that all privileged UDP ports are
> > blocked, so I have to use an unprivileged port. I'd like to use
> > systemd-timesyncd to synchronize time, though I can't find a way to
> > force it to use an unprivileged port. Is there any way to do it?
>
> There's not, currently, the port nr is hardcoded. It might be OK to
> make the port nr configurable though, via an env var. You could then
> set the env var via a drop-in for systemd-timesyncd.service that uses
> Environment=. Patch should be simple, look for resolve_getaddrinfo()
> in timesyncd-manager.c. Consider prepping a patch and posting as
> github PR, we'll then review/merge it.
>
> Lennart
>
> --
> Lennart Poettering, Berlin

--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Mi, 11.03.20 17:34, Jędrzej Dudkiewicz (jedrzej.dudkiew...@gmail.com) wrote:

> Hi,
>
> I have quite a few devices running Linux in client's network - so I
> have no control over it. It seems that all privileged UDP ports are
> blocked, so I have to use an unprivileged port. I'd like to use
> systemd-timesyncd to synchronize time, though I can't find a way to
> force it to use an unprivileged port. Is there any way to do it?

There's not, currently, the port nr is hardcoded. It might be OK to make the port nr configurable though, via an env var. You could then set the env var via a drop-in for systemd-timesyncd.service that uses Environment=. Patch should be simple, look for resolve_getaddrinfo() in timesyncd-manager.c. Consider prepping a patch and posting as github PR, we'll then review/merge it.

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
I don't understand your answer/information at all. I wanted to know how to use an unprivileged port with systemd-timesyncd - and I got information that it has sane defaults. So how should I read your answer? Is there something in systemd that still makes it insecure? Should I add some other parameter so that the source port is randomized? Isn't it random already?

JD

On Mon, Mar 23, 2020 at 2:50 AM Cristian Rodríguez wrote:
>
> On Wed, Mar 11, 2020 at 4:17 PM Jędrzej Dudkiewicz
> wrote:
>
> > Sorry, of course source port -
>
> No, you really want UDP source port randomization using whatever
> algorithm the kernel chooses to, due to security reasons.

--
Jędrzej Dudkiewicz
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Wed, Mar 11, 2020 at 4:17 PM Jędrzej Dudkiewicz wrote:
> Sorry, of course source port -

No, you really want UDP source port randomization using whatever algorithm the kernel chooses to, due to security reasons.
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Thu, Mar 12, 2020 at 8:29 AM Michael Chapman wrote:
>
> On Thu, 12 Mar 2020, Jędrzej Dudkiewicz wrote:
> [...]
> > And one more question: what is systemd-timedated? It seems that is
> > exactly the same thing, but I don't think this is true?
>
> It's the DBus service that most bits of timedatectl talk to.
[...]
> systemd-timedated doesn't actually have any relationship with
> systemd-timesyncd, despite the similar name.

Ah, I understand now. Thank you very much.

--
Jędrzej Dudkiewicz
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Thu, 12 Mar 2020, Jędrzej Dudkiewicz wrote:
[...]
> And one more question: what is systemd-timedated? It seems that is
> exactly the same thing, but I don't think this is true?

It's the DBus service that most bits of timedatectl talk to.

timedatectl doesn't modify system configuration directly. When you run `timedatectl set-time ...`, for instance, it's actually systemd-timedated that changes the system's time.

There's a bunch of reasons for this split: privilege separation is a good idea in general; the privileged service can choose whether to perform or deny a request according to the system's polkit configuration; other non-timedatectl clients can have equal programmatic access to the same time-and-date settings.

systemd-timedated doesn't actually have any relationship with systemd-timesyncd, despite the similar name.
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Wed, Mar 11, 2020 at 5:52 PM Mantas Mikulėnas wrote:
>
> Well, are you asking about the *source* port or about the *destination* port?
> There are two on every UDP packet.

Sorry, of course source port - I spent so much time trying to synchronize time using systemd-timesyncd and ntpdate that I couldn't think about any other port - well, context is everything.

> The source port is *not* from the privileged range -- systemd-timesyncd
> always just lets the OS choose a random port from the ephemeral range. (I
> have seen some other NTP clients such as Windows insist on using 123 as both
> source and destination, but that's not the case with systemd-timesyncd nor
> with most other SNTP clients.)

Ok, this seems to be an obvious solution - yet ntpd and ntpdate by default bind to local port 123 - I see that systemd does the sensible thing.

> The destination port has to be from the privileged range (specifically 123)
> because that's what NTP servers *listen on* -- the client cannot decide on a
> different port entirely on its own; you'd need to run your own NTP server
> configured to use a different port.

Yes.

> Although if you already have an NTP server listening on a different port,
> then unfortunately no, systemd-timesyncd does not currently have a config
> option for that. It seems port 123 is hardcoded in manager_connect(), most
> likely because that's what every public NTP server uses.

No, this is a Windows server, and after running `ntpdate -u ` I can synchronize time just fine.

Now one more question - I read that to run properly, systemd-timesyncd needs systemd-networkd successfully started. This is true in my case - systemd-networkd reports success. I have the server IP set in the `/etc/systemd/timesyncd.conf` file like this:

[Time]
NTP=

Note that these devices run Debian 9.4, so not only an old version, but also a distribution that isn't known for being on the cutting edge.

And one more question: what is systemd-timedated? It seems that is exactly the same thing, but I don't think this is true?

Thanks in advance,
JD

> (Really I can't really think of any good purpose for such a block -- if
> anything, I'd expect to see the opposite, i.e. services on low ports allowed,
> the rest blocked. Does your network block DNS on port 53, too?)
>
> On Wed, Mar 11, 2020 at 6:34 PM Jędrzej Dudkiewicz
> wrote:
>>
>> Hi,
>>
>> I have quite a few devices running Linux in client's network - so I
>> have no control over it. It seems that all privileged UDP ports are
>> blocked, so I have to use an unprivileged port. I'd like to use
>> systemd-timesyncd to synchronize time, though I can't find a way to
>> force it to use an unprivileged port. Is there any way to do it?
>>
>> Thanks in advance,
>> --
>> Jędrzej Dudkiewicz
>
> --
> Mantas Mikulėnas

--
Jędrzej Dudkiewicz
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
Well, are you asking about the *source* port or about the *destination* port? There are two on every UDP packet.

The source port is *not* from the privileged range -- systemd-timesyncd always just lets the OS choose a random port from the ephemeral range. (I have seen some other NTP clients such as Windows insist on using 123 as both source and destination, but that's not the case with systemd-timesyncd nor with most other SNTP clients.)

The destination port has to be from the privileged range (specifically 123) because that's what NTP servers *listen on* -- the client cannot decide on a different port entirely on its own; you'd need to run your own NTP server configured to use a different port.

Although if you already have an NTP server listening on a different port, then unfortunately no, systemd-timesyncd does not currently have a config option for that. It seems port 123 is hardcoded in manager_connect(), most likely because that's what every public NTP server uses.

(Really I can't really think of any good purpose for such a block -- if anything, I'd expect to see the opposite, i.e. services on low ports allowed, the rest blocked. Does your network block DNS on port 53, too?)

On Wed, Mar 11, 2020 at 6:34 PM Jędrzej Dudkiewicz < jedrzej.dudkiew...@gmail.com> wrote:
> Hi,
>
> I have quite a few devices running Linux in client's network - so I
> have no control over it. It seems that all privileged UDP ports are
> blocked I have to use unprivileged port. I'd like to use
> systemd-timesyncd to synchronize time, thought I can't find a way to
> force it to use unprivileged port. Is there any way to do it?
>
> Thanks in advance,
> --
> Jędrzej Dudkiewicz
>
> I really hate this damn machine, I wish that they would sell it.
> It never does just what I want, but only what I tell it.

--
Mantas Mikulėnas
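The source/destination split Mantas describes above, as an added example that is not part of this thread or of systemd-timesyncd's own code: a minimal SNTP client that binds its UDP socket to port 0 so the kernel picks an ephemeral source port, builds an NTPv4 mode 3 request toward destination port 123, and accepts a reply only if it is mode 4 and its Origin timestamp echoes the Transmit timestamp we sent (the per-RFC 5905 check that, together with the random source port, makes off-path reply spoofing harder). The server reply is constructed inline so the whole thing runs offline; all function names are this example's own.

```python
import socket
import struct

NTP_PORT = 123                 # destination: the port NTP servers listen on
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
NTP_FMT = "!B3B3I4Q"           # 48-byte NTP header: flags, stratum, poll, precision,
                               # root delay/dispersion/refid, 4 x 64-bit timestamps

def ntp_timestamp(unix_seconds):
    """Convert Unix time to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds % 1) * (1 << 32))
    return (whole << 32) | frac

def build_request(transmit_ts):
    """NTPv4 client request: LI=0, VN=4, Mode=3 (0x23); our timestamp goes in Transmit."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)

def check_reply(data, sent_ts):
    """Return the server's transmit time as Unix seconds, or None if the packet
    is not a mode-4 reply whose Origin timestamp matches what we sent."""
    if len(data) < 48:
        return None
    fields = struct.unpack(NTP_FMT, data[:48])
    mode, stratum = fields[0] & 0x7, fields[1]
    origin, xmit = fields[8], fields[10]
    if mode != 4 or stratum == 0 or origin != sent_ts:
        return None
    return (xmit >> 32) - NTP_EPOCH_OFFSET + (xmit & 0xFFFFFFFF) / (1 << 32)

def make_reply(origin_ts, server_unix_time, stratum=2):
    """Constructed mode-4 server reply for offline use; echoes origin_ts in Origin."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    now = ntp_timestamp(server_unix_time)
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 0, 0, 0, 0, 0,
                       now, origin_ts, now, now)

def ephemeral_source_port():
    """Bind to port 0 and let the kernel choose the source port, which is what
    systemd-timesyncd does; nothing is sent. Returns None if sockets are unavailable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", 0))
            return s.getsockname()[1]
    except OSError:
        return None
```

To query a real server, send `build_request(ts)` from that same socket to `(host, NTP_PORT)` and pass the received datagram and `ts` to `check_reply`; a reply that fails the check should be dropped rather than applied.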