Jailing {open,}ntpd
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Wed Jun 27 04:40:05 UTC 2018
On 27/06/2018 1:17 PM, Dewayne Geraghty wrote:
> Hi Roger, I have a similar mental state :)
>
> Yes, I run ports ntpd within a chroot environment.
>
> ntpd can run within a jail, but it lacks the priv to perform a syscall
> to modify time. Which is correct behaviour, for a restricted
> environment; protecting other jailed environs. Previously there was
> also an mlock call, which prevented it running but that was changed a
> while ago; but that's an aside unless you're running on old "stuff". ;)
>
> As this is not a security issue, I've removed those interested in that
> area from the CC.
>
> There are a few tricks with chroot, but first a disclaimer: I use jails
> for everything except ntpd, so there may be a better way.
>
> Trick 1. This is how I want ntpd to run
>
> /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
>
> but you can't pass arguments into chroot. So I created a "/start" that
> I place my chroot commands into.
>
> Trick 2. Use ldd to see what libs you need to copy into your chroot.
> Also remember that you must have ld-elf and /dev/null. So
>
> Using ROOTD as your chroot destination
>
> mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec ;
>
> and set up dev
>
> mkdir $ROOTD/dev
> touch $ROOTD/dev/null
> chmod 666 $ROOTD/dev/null; # Yes this is sufficient!
>
> The rest of the files are from the ntpd tarfile. Enjoy ;)
>
> PS: ntpq won't report due to "servname not supported for ai_socktype"...
> no solution yet.
>
Oops. Running on low memory.
Roger, forget trick 1 above, we run our ntp via
chroot /usr/chroot/ntp /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
and yes, "ntpq -np 127.0.0.1" works from the base system. Tsk.
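The "Trick 2" steps above (use ldd to find the libraries, copy ld-elf.so.1, create /dev/null) can be scripted so the chroot is built reproducibly and checked for missing files before ntpd is first started in it. The script below is an added example and is not from Dewayne's message or from the ntp port; it assumes FreeBSD-style ldd output, and the sample ldd listing embedded in it is constructed, so the library names and versions are placeholders for whatever `ldd /usr/local/sbin/ntpd` prints on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): build the ntpd chroot tree from
# ldd output and report anything still missing before the first chroot run.

# ldd_libs: read FreeBSD-style `ldd` output on stdin and print one absolute
# library path per line. Lines look like
# "    libm.so.5 => /lib/libm.so.5 (0x800a00000)".
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Constructed sample of `ldd /usr/local/sbin/ntpd` output. Real library names
# and versions depend on the FreeBSD release and the ntp port's build options.
SAMPLE_LDD='/usr/local/sbin/ntpd:
    libm.so.5 => /lib/libm.so.5 (0x800a00000)
    libssl.so.111 => /usr/local/lib/libssl.so.111 (0x800b00000)
    libcrypto.so.111 => /usr/local/lib/libcrypto.so.111 (0x800c00000)
    libthr.so.3 => /lib/libthr.so.3 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x800f00000)'

# populate_chroot ROOTD: create the directories the post needs, copy the ELF
# loader and make /dev/null, then copy every library path read from stdin to
# the same path under ROOTD. Sources absent on this host are skipped silently
# (missing_libs below reports them afterwards).
populate_chroot() {
    rootd="$1"
    mkdir -p "$rootd/libexec" "$rootd/dev" "$rootd/etc" "$rootd/var/run" \
             "$rootd/usr/local/sbin"
    # ld-elf.so.1 is the dynamic loader; a dynamically linked ntpd cannot
    # start without it.
    if [ -e /libexec/ld-elf.so.1 ]; then
        cp /libexec/ld-elf.so.1 "$rootd/libexec/"
    fi
    # /dev/null as a plain, world-writable file, exactly as in the post.
    touch "$rootd/dev/null"
    chmod 666 "$rootd/dev/null"
    while IFS= read -r lib; do
        mkdir -p "$rootd$(dirname "$lib")"
        if [ -e "$lib" ]; then
            cp "$lib" "$rootd$lib"
        fi
    done
    return 0
}

# missing_libs ROOTD: read library paths on stdin and print those not present
# under ROOTD. An empty result means every library ldd listed is in place.
missing_libs() {
    rootd="$1"
    while IFS= read -r lib; do
        if [ ! -e "$rootd$lib" ]; then
            printf '%s\n' "$lib"
        fi
    done
    return 0
}

# Usage on a FreeBSD host, with /usr/chroot/ntp as the chroot directory:
#   ldd /usr/local/sbin/ntpd | ldd_libs | populate_chroot /usr/chroot/ntp
#   ldd /usr/local/sbin/ntpd | ldd_libs | missing_libs  /usr/chroot/ntp
# Dry run against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs | populate_chroot "$demo_root"
    echo "libraries still missing under $demo_root:"
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs | missing_libs "$demo_root"
fi
```

Running `missing_libs` after `populate_chroot` is the check worth keeping: a library that ldd lists but that was not copied (or was copied to the wrong path) shows up as a startup failure that is hard to diagnose from inside a chroot with no shell or diagnostic tools in it.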