On Thu, 19 Jul 2018 23:55:29 +0000 (UTC) Ian Lepore <i...@freebsd.org> wrote:
> Author: ian
> Date: Thu Jul 19 23:55:29 2018
> New Revision: 336525
> URL: https://svnweb.freebsd.org/changeset/base/336525
>
> Log:
>   Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
>
>   Code analysis and runtime analysis using truss(8) indicate that the only
>   privileged operations performed by ntpd are adjusting system time, and
>   (re-)binding to privileged UDP port 123. These changes add a new mac(4)
>   policy module, mac_ntpd(4), which grants just those privileges to any
>   process running with uid 123.
>
>   This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
>   them the owner of the /var/db/ntp directory, so that it can be used as a
>   location where the non-privileged daemon can write files such as the
>   driftfile, and any optional logfile or stats files.
>
>   Because there are so many ways to configure ntpd, the question of how to
>   configure it to run without root privs can be a bit complex, so that will be
>   addressed in a separate commit. These changes are just what's required to
>   grant the limited subset of privs to ntpd, and the small change to ntpd to
>   prevent it from exiting with an error if running as non-root.
> > Differential Revision: https://reviews.freebsd.org/D16281 > > Added: > head/share/man/man4/mac_ntpd.4 (contents, props changed) > head/sys/modules/mac_ntpd/ > head/sys/modules/mac_ntpd/Makefile (contents, props changed) > head/sys/security/mac_ntpd/ > head/sys/security/mac_ntpd/mac_ntpd.c (contents, props changed) > Modified: > head/contrib/ntp/ntpd/ntpd.c > head/etc/group > head/etc/master.passwd > head/etc/mtree/BSD.var.dist > head/sys/conf/NOTES > head/sys/conf/files > head/sys/conf/options > head/sys/modules/Makefile > head/usr.sbin/ntp/config.h > > Modified: head/contrib/ntp/ntpd/ntpd.c > ============================================================================== > --- head/contrib/ntp/ntpd/ntpd.c Thu Jul 19 23:54:18 2018 > (r336524) +++ head/contrib/ntp/ntpd/ntpd.c Thu Jul 19 23:55:29 > 2018 (r336525) @@ -123,6 +123,9 @@ > #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) > # include <priv.h> > #endif /* HAVE_PRIV_H */ > +#if defined(HAVE_TRUSTEDBSD_MAC) > +# include <sys/mac.h> > +#endif /* HAVE_TRUSTEDBSD_MAC */ > #endif /* HAVE_DROPROOT */ > > #if defined (LIBSECCOMP) && (KERN_SECCOMP) > @@ -634,7 +637,12 @@ ntpdmain( > /* MPE lacks the concept of root */ > # if defined(HAVE_GETUID) && !defined(MPE) > uid = getuid(); > - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) { > + if (uid && !HAVE_OPT( SAVECONFIGQUIT ) > +# if defined(HAVE_TRUSTEDBSD_MAC) > + /* We can run as non-root if the mac_ntpd policy is enabled. */ > + && mac_is_present("ntpd") != 1 > +# endif > + ) { > msyslog_term = TRUE; > msyslog(LOG_ERR, > "must be run as root, not uid %ld", (long)uid); 
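Review bot: the new `&& mac_is_present("ntpd") != 1` condition in the `@@ -634,7 +637,12 @@` hunk only establishes that the policy module is loaded, not that it will grant anything: mac_is_present(3) reports whether the security.mac.ntpd sysctl node exists, so with security.mac.ntpd.enabled=0, or a uid that differs from security.mac.ntpd.uid, ntpd passes this check, drops root, and then fails later on its first clock adjustment or bind with EPERM. Consider also reading the `enabled` and `uid` sysctls here, or at least wording the log message so it says the policy must be loaded and enabled for this uid. Treating the -1 error return of mac_is_present() the same as "not present" is the right fail-closed choice and worth a comment.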
> @@ -1082,7 +1090,17 @@ getgroup: > exit (-1); > } > > -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) > +# if defined(HAVE_TRUSTEDBSD_MAC) > + /* > + * To manipulate system time and (re-)bind to NTP_PORT as > needed > + * following interface changes, we must either run as uid 0 > or > + * the mac_ntpd policy module must be enabled. > + */ > + if (sw_uid != 0 && mac_is_present("ntpd") != 1) { > + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to > drop root privileges"); > + exit (-1); > + } > +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) > /* > * for now assume that the privilege to bind to privileged > ports > * is associated with running with uid 0 - should be refined > on > > Modified: head/etc/group > ============================================================================== > --- head/etc/group Thu Jul 19 23:54:18 2018 (r336524) > +++ head/etc/group Thu Jul 19 23:55:29 2018 (r336525) > @@ -29,6 +29,7 @@ dialer:*:68: > network:*:69: > audit:*:77: > www:*:80: > +ntpd:*:123: > _ypldap:*:160: > hast:*:845: > nogroup:*:65533: > > Modified: head/etc/master.passwd > ============================================================================== > --- head/etc/master.passwd Thu Jul 19 23:54:18 2018 (r336524) > +++ head/etc/master.passwd Thu Jul 19 23:55:29 2018 (r336525) 
> @@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl > pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin > auditdistd:*:78:77::0:0:Auditdistd unprivileged > user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web > Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP > Daemon:/var/db/ntp:/usr/sbin/nologin _ypldap:*:160:160::0:0:YP LDAP > unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845::0:0:HAST > unprivileged user:/var/empty:/usr/sbin/nologin > nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin > > Modified: head/etc/mtree/BSD.var.dist > ============================================================================== > --- head/etc/mtree/BSD.var.dist Thu Jul 19 23:54:18 2018 > (r336524) +++ head/etc/mtree/BSD.var.dist Thu Jul 19 23:55:29 > 2018 (r336525) @@ -46,7 +46,7 @@ > .. > ipf mode=0700 > .. > - ntp mode=0700 > + ntp uname=ntpd gname=ntpd > .. > pkg > .. > > Added: head/share/man/man4/mac_ntpd.4 > ============================================================================== > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/share/man/man4/mac_ntpd.4 Thu Jul 19 23:55:29 2018 > (r336525) 
@@ -0,0 +1,116 @@ > +.\" Copyright (c) 2018 Ian Lepore <i...@freebsd.org> > +.\" > +.\" Redistribution and use in source and binary forms, with or without > +.\" modification, are permitted provided that the following conditions > +.\" are met: > +.\" 1. Redistributions of source code must retain the above copyright > +.\" notice, this list of conditions and the following disclaimer. > +.\" 2. Redistributions in binary form must reproduce the above copyright > +.\" notice, this list of conditions and the following disclaimer in the > +.\" documentation and/or other materials provided with the distribution. > +.\" > +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND > +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS > BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF > THE POSSIBILITY OF +.\" SUCH DAMAGE. 
> +.\" > +.\" $FreeBSD$ > +.\" > +.Dd June 28, 2018 > +.Dt MAC_NTPD 4 > +.Os > +.Sh NAME > +.Nm mac_ntpd > +.Nd "policy allowing ntpd to run as non-root user" > +.Sh SYNOPSIS > +To compile the ntpd policy into your kernel, place the following lines > +in your kernel configuration file: > +.Bd -ragged -offset indent > +.Cd "options MAC" > +.Cd "options MAC_NTPD" > +.Ed > +.Pp > +Alternately, to load the ntpd policy module at boot time, > +place the following line in your kernel configuration file: > +.Bd -ragged -offset indent > +.Cd "options MAC" > +.Ed > +.Pp > +and in > +.Xr loader.conf 5 : > +.Pp > +.Dl "mac_ntpd_load=""YES""" > +.Sh DESCRIPTION > +The > +.Nm > +policy grants any process running as user > +.Sq ntpd > +(uid 123) the privileges needed to manipulate > +system time, and to (re-)bind to the privileged NTP port. > +.Pp > +When > +.Xr ntpd 8 > +is started with > +.Sq -u\ <user> > +on the command line, it performs all initializations requiring root > +privileges, then drops root privileges by switching to the given user id. > +From that point on, the only privileges it requires are the ability > +to manipulate system time, and the ability to re-bind a UDP socket > +to the NTP port (port 123) after a network interface change. > +By default, > +.Fx > +starts > +.Xr ntpd 8 > +with > +.Sq -u\ ntpd:ntpd > +on the command line, if the mac_ntpd policy is available to grant > +the required privileges. > +.Pp > +.Ss Privileges Granted > +The exact set of kernel privileges granted to any process running > +with the configured uid is: > +.Bl -inset -compact -offset indent > +.It PRIV_ADJTIME > +.It PRIV_CLOCK_SETTIME > +.It PRIV_NTP_ADJTIME > +.It PRIV_NETINET_RESERVEDPORT > +.It PRIV_NETINET_REUSEPORT > +.El > +.Pp > +.Ss Runtime Configuration > +The following > +.Xr sysctl 8 > +MIBs are available for fine-tuning this MAC policy. > +All > +.Xr sysctl 8 > +variables can also be set as > +.Xr loader 8 > +tunables in > +.Xr loader.conf 5 . 
> +.Bl -tag -width indent > +.It Va security.mac.ntpd.enabled > +Enable the > +.Nm > +policy. > +(Default: 1). > +.It Va security.mac.ntpd.uid > +The numeric uid of the ntpd user. > +(Default: 123). > +.El > +.Sh SEE ALSO > +.Xr mac 4 , > +.Xr ntpd 8 > +.Sh HISTORY > +MAC first appeared in > +.Fx 5.0 > +and > +.Nm > +first appeared in > +.Fx 12.0 . > > Modified: head/sys/conf/NOTES > ============================================================================== > --- head/sys/conf/NOTES Thu Jul 19 23:54:18 2018 (r336524) > +++ head/sys/conf/NOTES Thu Jul 19 23:55:29 2018 (r336525) > @@ -1193,6 +1193,7 @@ options MAC_IFOFF > options MAC_LOMAC > options MAC_MLS > options MAC_NONE > +options MAC_NTPD > options MAC_PARTITION > options MAC_PORTACL > options MAC_SEEOTHERUIDS > > Modified: head/sys/conf/files > ============================================================================== > --- head/sys/conf/files Thu Jul 19 23:54:18 2018 (r336524) > +++ head/sys/conf/files Thu Jul 19 23:55:29 2018 (r336525) > @@ -4887,6 +4887,7 @@ security/mac_ifoff/mac_ifoff.c optional mac_ifoff > security/mac_lomac/mac_lomac.c optional mac_lomac > security/mac_mls/mac_mls.c optional mac_mls > security/mac_none/mac_none.c optional mac_none > +security/mac_ntpd/mac_ntpd.c optional mac_ntpd > security/mac_partition/mac_partition.c optional mac_partition > security/mac_portacl/mac_portacl.c optional mac_portacl > security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids > > Modified: head/sys/conf/options > ============================================================================== > --- head/sys/conf/options Thu Jul 19 23:54:18 2018 (r336524) > +++ head/sys/conf/options Thu Jul 19 23:55:29 2018 (r336525) 
> @@ -158,6 +158,7 @@ MAC_IFOFF opt_dontuse.h > MAC_LOMAC opt_dontuse.h > MAC_MLS opt_dontuse.h > MAC_NONE opt_dontuse.h > +MAC_NTPD opt_dontuse.h > MAC_PARTITION opt_dontuse.h > MAC_PORTACL opt_dontuse.h > MAC_SEEOTHERUIDS opt_dontuse.h > > Modified: head/sys/modules/Makefile > ============================================================================== > --- head/sys/modules/Makefile Thu Jul 19 23:54:18 2018 (r336524) > +++ head/sys/modules/Makefile Thu Jul 19 23:55:29 2018 (r336525) > @@ -230,6 +230,7 @@ SUBDIR= \ > mac_lomac \ > mac_mls \ > mac_none \ > + mac_ntpd \ > mac_partition \ > mac_portacl \ > mac_seeotheruids \ > > Added: head/sys/modules/mac_ntpd/Makefile > ============================================================================== > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/modules/mac_ntpd/Makefile Thu Jul 19 23:55:29 2018 > (r336525) @@ -0,0 +1,8 @@ > +# $FreeBSD$ > + > +.PATH: ${SRCTOP}/sys/security/mac_ntpd > + > +KMOD= mac_ntpd > +SRCS= mac_ntpd.c > + > +.include <bsd.kmod.mk> > > Added: head/sys/security/mac_ntpd/mac_ntpd.c > ============================================================================== > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/security/mac_ntpd/mac_ntpd.c Thu Jul 19 23:55:29 > 2018 (r336525) 
@@ -0,0 +1,77 @@ > +/*- > + * SPDX-License-Identifier: BSD-2-Clause > + * > + * Copyright (c) 2018 Ian Lepore <i...@freebsd.org> > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in the > + * documentation and/or other materials provided with the distribution. > + * > + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND > + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE > + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE > + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS > + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) > + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT > + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY > + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > + * SUCH DAMAGE. 
> + * > + * $FreeBSD$ > + */ > + > +#include <sys/param.h> > +#include <sys/kernel.h> > +#include <sys/module.h> > +#include <sys/priv.h> > +#include <sys/sysctl.h> > +#include <sys/ucred.h> > + > +#include <security/mac/mac_policy.h> > + > +SYSCTL_DECL(_security_mac); > + > +static SYSCTL_NODE(_security_mac, OID_AUTO, ntpd, CTLFLAG_RW, 0, > + "mac_ntpd policy controls"); > + > +static int ntpd_enabled = 1; > +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, enabled, CTLFLAG_RWTUN, > + &ntpd_enabled, 0, "Enable mac_ntpd policy"); > + > +static int ntpd_uid = 123; > +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, uid, CTLFLAG_RWTUN, > + &ntpd_uid, 0, "User id for ntpd user"); > + > +static int > +ntpd_priv_grant(struct ucred *cred, int priv) > +{ > + > + if (ntpd_enabled && cred->cr_uid == ntpd_uid) { > + switch (priv) { > + case PRIV_ADJTIME: > + case PRIV_CLOCK_SETTIME: > + case PRIV_NTP_ADJTIME: > + case PRIV_NETINET_RESERVEDPORT: > + case PRIV_NETINET_REUSEPORT: > + return (0); > + default: > + break; > + } > + } > + return (EPERM); > +} > + > +static struct mac_policy_ops ntpd_ops = > +{ > + .mpo_priv_grant = ntpd_priv_grant, > +}; > + > +MAC_POLICY_SET(&ntpd_ops, mac_ntpd, "MAC/ntpd", > + MPC_LOADTIME_FLAG_UNLOADOK, NULL); > > Modified: head/usr.sbin/ntp/config.h > ============================================================================== > --- head/usr.sbin/ntp/config.h Thu Jul 19 23:54:18 2018 > (r336524) +++ head/usr.sbin/ntp/config.h Thu Jul 19 23:55:29 > 2018 (r336525) @@ -392,7 +392,7 @@ > /* #undef HAVE_DOPRNT */ > > /* Can we drop root privileges? */ > -/* #undef HAVE_DROPROOT */ > +#define HAVE_DROPROOT > > /* Define to 1 if you have the <errno.h> header file. */ > #define HAVE_ERRNO_H 1 
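Review bot: ntpd_priv_grant() in the mac_ntpd.c hunk keys the grant solely on `cred->cr_uid == ntpd_uid`, so every process whose effective uid is 123 receives PRIV_ADJTIME, PRIV_CLOCK_SETTIME, PRIV_NTP_ADJTIME, PRIV_NETINET_RESERVEDPORT and PRIV_NETINET_REUSEPORT, not only ntpd; anything spawned by a compromised ntpd keeps the ability to step the clock and bind port 123. That matches what the commit log and mac_ntpd.4 say, so this is a documentation point rather than a bug: the DESCRIPTION in mac_ntpd.4 should state plainly that this is a per-uid grant and that nothing else should run under the ntpd account. Separately, the `uid` sysctl is an `int` compared against the unsigned `cr_uid` with no range check; a negative value can never match, which is harmless, but an explicit `(uid_t)` cast in the comparison would make that intent visible to the next reader.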
> @@ -1118,6 +1118,9 @@ > > /* Do we have the TIO serial stuff? */ > /* #undef HAVE_TIO_SERIAL_STUFF */ > + > +/* Are TrustedBSD MAC policy privileges available? */ > +#define HAVE_TRUSTEDBSD_MAC 1 > > /* Define to 1 if the system has the type `uint16_t'. */ > #define HAVE_UINT16_T 1 > _______________________________________________ > svn-src-head@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-head > To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

After updating CURRENT to r336625, adding user ntpd (UID 123, GID 123) to /etc/master.passwd and /etc/group file(s) and correcting the flags for ntpd given in /etc/rc.conf according to ntpd_flags="-4 -I XXX.XXX.XXX.XXX", and performing a mergemaster to apply the new rc scripts in /etc/rc.d for ntpd, and(!) terminating the remnant ntpd daemon via a killall -9 command, I find myself with the following situation right now: ntpd refuses to start, the console log message reports:

[...]
Jul 23 07:14:03 <ntp.notice> segestes ntpd[50407]: ntpd 4.2.8p11-a (1): Starting
Jul 23 07:14:03 <ntp.info> segestes ntpd[50407]: Command line: /usr/sbin/ntpd -4 -I 192.168.178.231 -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift -g
Jul 23 07:14:03 <ntp.info> segestes ntpd[51295]: proto: precision = 0.108 usec (-23)
Jul 23 07:14:03 <ntp.notice> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
Jul 23 07:14:03 <ntp.notice> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2017-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
Jul 23 07:14:03 <ntp.err> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): expired less than 208 days ago
Jul 23 07:14:03 <ntp.err> segestes ntpd[51295]: unable to bind to wildcard address 0.0.0.0 - another process may be running - EXITING
[...]

On all boxes updated to the most recent CURRENT I face this situation right now.
Kernel module mac_ntpd is successfully loaded. As soon as "service ntpd start/restart" is issued, the console receives

[...]
ntpd not running? (check /var/db/ntp/ntpd.pid).
Starting ntpd.

And checking /var/db/ntp:

ll /var/db/ntp
total 16
242583 drwxr-xr-x   2 ntpd  ntpd   - 512B 23 Juli 07:07 ./
240768 drwxr-xr-x  27 root  wheel  - 1.0K 23 Juli 07:07 ../
241233 -rw-r--r--   1 ntpd  ntpd   -   8B 23 Juli 07:03 ntpd.drift
241270 -rw-r--r--   1 ntpd  ntpd   -   5B 23 Juli 07:16 ntpd.pid

Another issue concerns the case where /var/db/ntp doesn't exist. The rc script doesn't create /var/db/ntp and terminates with an error:

# service ntpd restart
ntpd not running? (check /var/db/ntp/ntpd.pid).
stat: /var/db/ntp: stat: No such file or directory
Starting ntpd.

Kind regards,
Oliver