svn commit: r336525 - in head: contrib/ntp/ntpd etc etc/mtree share/man/man4 sys/conf sys/modules sys/modules/mac_ntpd sys/security/mac_ntpd usr.sbin/ntp
O. Hartmann
ohartmann at walstatt.org
Mon Jul 23 05:25:52 UTC 2018
On Thu, 19 Jul 2018 23:55:29 +0000 (UTC)
Ian Lepore <ian at FreeBSD.org> wrote:
> Author: ian
> Date: Thu Jul 19 23:55:29 2018
> New Revision: 336525
> URL: https://svnweb.freebsd.org/changeset/base/336525
>
> Log:
> Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
>
> Code analysis and runtime analysis using truss(8) indicate that the only
> privileged operations performed by ntpd are adjusting system time, and
> (re-)binding to privileged UDP port 123. These changes add a new mac(4)
> policy module, mac_ntpd(4), which grants just those privileges to any
> process running with uid 123.
>
> This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
> them the owner of the /var/db/ntp directory, so that it can be used as a
> location where the non-privileged daemon can write files such as the
> driftfile, and any optional logfile or stats files.
>
> Because there are so many ways to configure ntpd, the question of how to
> configure it to run without root privs can be a bit complex, so that will be
> addressed in a separate commit. These changes are just what's required to
> grant the limited subset of privs to ntpd, and the small change to ntpd to
> prevent it from exiting with an error if running as non-root.
>
> Differential Revision: https://reviews.freebsd.org/D16281
>
> Added:
> head/share/man/man4/mac_ntpd.4 (contents, props changed)
> head/sys/modules/mac_ntpd/
> head/sys/modules/mac_ntpd/Makefile (contents, props changed)
> head/sys/security/mac_ntpd/
> head/sys/security/mac_ntpd/mac_ntpd.c (contents, props changed)
> Modified:
> head/contrib/ntp/ntpd/ntpd.c
> head/etc/group
> head/etc/master.passwd
> head/etc/mtree/BSD.var.dist
> head/sys/conf/NOTES
> head/sys/conf/files
> head/sys/conf/options
> head/sys/modules/Makefile
> head/usr.sbin/ntp/config.h
>
> Modified: head/contrib/ntp/ntpd/ntpd.c
> ==============================================================================
> --- head/contrib/ntp/ntpd/ntpd.c Thu Jul 19 23:54:18 2018
> (r336524) +++ head/contrib/ntp/ntpd/ntpd.c Thu Jul 19 23:55:29
> 2018 (r336525) @@ -123,6 +123,9 @@
> #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
> # include <priv.h>
> #endif /* HAVE_PRIV_H */
> +#if defined(HAVE_TRUSTEDBSD_MAC)
> +# include <sys/mac.h>
> +#endif /* HAVE_TRUSTEDBSD_MAC */
> #endif /* HAVE_DROPROOT */
>
> #if defined (LIBSECCOMP) && (KERN_SECCOMP)
> @@ -634,7 +637,12 @@ ntpdmain(
> /* MPE lacks the concept of root */
> # if defined(HAVE_GETUID) && !defined(MPE)
> uid = getuid();
> - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
> + if (uid && !HAVE_OPT( SAVECONFIGQUIT )
> +# if defined(HAVE_TRUSTEDBSD_MAC)
> + /* We can run as non-root if the mac_ntpd policy is enabled. */
> + && mac_is_present("ntpd") != 1
> +# endif
> + ) {
> msyslog_term = TRUE;
> msyslog(LOG_ERR,
> "must be run as root, not uid %ld", (long)uid);
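Review bot: the new condition `mac_is_present("ntpd") != 1` only establishes that a policy named ntpd is loaded; it does not check that `security.mac.ntpd.enabled` is 1, nor that the uid ntpd is running as matches `security.mac.ntpd.uid` (both sysctls are defined in mac_ntpd.c in this same commit), so a disabled policy or a mismatched uid passes this check and fails only later, when the first clock adjustment or port bind is refused. Treating the -1 error return of mac_is_present(3) the same as "not present" is the right fail-closed choice; a one-line comment saying that is deliberate would keep a later cleanup from turning it into `== 0`.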
> @@ -1082,7 +1090,17 @@ getgroup:
> exit (-1);
> }
>
> -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
> +# if defined(HAVE_TRUSTEDBSD_MAC)
> + /*
> + * To manipulate system time and (re-)bind to NTP_PORT as
> needed
> + * following interface changes, we must either run as uid 0
> or
> + * the mac_ntpd policy module must be enabled.
> + */
> + if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
> + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to
> drop root privileges");
> + exit (-1);
> + }
> +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
> /*
> * for now assume that the privilege to bind to privileged
> ports
> * is associated with running with uid 0 - should be refined
> on
>
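Review bot: the message "Need MAC 'ntpd' policy enabled to drop root privileges" is emitted when mac_is_present("ntpd") reports that the policy is not loaded, which is a different condition from the policy's `enabled` sysctl; saying "loaded" here avoids sending an admin to sysctl when the fix is kldload. Since sw_uid is known at this point, consider also warning when it differs from the uid the policy grants to (default 123), because mac_ntpd.c keys the grant on that uid and a mismatch surfaces only as later EPERM failures rather than at startup.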
> Modified: head/etc/group
> ==============================================================================
> --- head/etc/group Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/etc/group Thu Jul 19 23:55:29 2018 (r336525)
> @@ -29,6 +29,7 @@ dialer:*:68:
> network:*:69:
> audit:*:77:
> www:*:80:
> +ntpd:*:123:
> _ypldap:*:160:
> hast:*:845:
> nogroup:*:65533:
>
> Modified: head/etc/master.passwd
> ==============================================================================
> --- head/etc/master.passwd Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/etc/master.passwd Thu Jul 19 23:55:29 2018 (r336525)
> @@ -22,6 +22,7 @@ uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppubl
> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
> auditdistd:*:78:77::0:0:Auditdistd unprivileged
> user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web
> Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP
> Daemon:/var/db/ntp:/usr/sbin/nologin _ypldap:*:160:160::0:0:YP LDAP
> unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845::0:0:HAST
> unprivileged user:/var/empty:/usr/sbin/nologin
> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
>
> Modified: head/etc/mtree/BSD.var.dist
> ==============================================================================
> --- head/etc/mtree/BSD.var.dist Thu Jul 19 23:54:18 2018
> (r336524) +++ head/etc/mtree/BSD.var.dist Thu Jul 19 23:55:29
> 2018 (r336525) @@ -46,7 +46,7 @@
> ..
> ipf mode=0700
> ..
> - ntp mode=0700
> + ntp uname=ntpd gname=ntpd
> ..
> pkg
> ..
>
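Review bot: replacing `ntp mode=0700` with `ntp uname=ntpd gname=ntpd` drops the explicit mode, so /var/db/ntp falls back to the default directory mode (the reply in this thread shows it created as drwxr-xr-x). If the 0700 was intended for the directory regardless of owner, keep it alongside the ownership as `ntp uname=ntpd gname=ntpd mode=0700`; otherwise the driftfile, pid file and any optional log or stats files that the log message says ntpd will write there become world-readable, and the change in mode deserves a mention in the commit log either way.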
> Added: head/share/man/man4/mac_ntpd.4
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/share/man/man4/mac_ntpd.4 Thu Jul 19 23:55:29 2018
> (r336525) @@ -0,0 +1,116 @@
> +.\" Copyright (c) 2018 Ian Lepore <ian at FreeBSD.org>
> +.\"
> +.\" Redistribution and use in source and binary forms, with or without
> +.\" modification, are permitted provided that the following conditions
> +.\" are met:
> +.\" 1. Redistributions of source code must retain the above copyright
> +.\" notice, this list of conditions and the following disclaimer.
> +.\" 2. Redistributions in binary form must reproduce the above copyright
> +.\" notice, this list of conditions and the following disclaimer in the
> +.\" documentation and/or other materials provided with the distribution.
> +.\"
> +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
> +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS
> BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
> THE POSSIBILITY OF +.\" SUCH DAMAGE.
> +.\"
> +.\" $FreeBSD$
> +.\"
> +.Dd June 28, 2018
> +.Dt MAC_NTPD 4
> +.Os
> +.Sh NAME
> +.Nm mac_ntpd
> +.Nd "policy allowing ntpd to run as non-root user"
> +.Sh SYNOPSIS
> +To compile the ntpd policy into your kernel, place the following lines
> +in your kernel configuration file:
> +.Bd -ragged -offset indent
> +.Cd "options MAC"
> +.Cd "options MAC_NTPD"
> +.Ed
> +.Pp
> +Alternately, to load the ntpd policy module at boot time,
> +place the following line in your kernel configuration file:
> +.Bd -ragged -offset indent
> +.Cd "options MAC"
> +.Ed
> +.Pp
> +and in
> +.Xr loader.conf 5 :
> +.Pp
> +.Dl "mac_ntpd_load=""YES"""
> +.Sh DESCRIPTION
> +The
> +.Nm
> +policy grants any process running as user
> +.Sq ntpd
> +(uid 123) the privileges needed to manipulate
> +system time, and to (re-)bind to the privileged NTP port.
> +.Pp
> +When
> +.Xr ntpd 8
> +is started with
> +.Sq -u\ <user>
> +on the command line, it performs all initializations requiring root
> +privileges, then drops root privileges by switching to the given user id.
> +From that point on, the only privileges it requires are the ability
> +to manipulate system time, and the ability to re-bind a UDP socket
> +to the NTP port (port 123) after a network interface change.
> +By default,
> +.Fx
> +starts
> +.Xr ntpd 8
> +with
> +.Sq -u\ ntpd:ntpd
> +on the command line, if the mac_ntpd policy is available to grant
> +the required privileges.
> +.Pp
> +.Ss Privileges Granted
> +The exact set of kernel privileges granted to any process running
> +with the configured uid is:
> +.Bl -inset -compact -offset indent
> +.It PRIV_ADJTIME
> +.It PRIV_CLOCK_SETTIME
> +.It PRIV_NTP_ADJTIME
> +.It PRIV_NETINET_RESERVEDPORT
> +.It PRIV_NETINET_REUSEPORT
> +.El
> +.Pp
> +.Ss Runtime Configuration
> +The following
> +.Xr sysctl 8
> +MIBs are available for fine-tuning this MAC policy.
> +All
> +.Xr sysctl 8
> +variables can also be set as
> +.Xr loader 8
> +tunables in
> +.Xr loader.conf 5 .
> +.Bl -tag -width indent
> +.It Va security.mac.ntpd.enabled
> +Enable the
> +.Nm
> +policy.
> +(Default: 1).
> +.It Va security.mac.ntpd.uid
> +The numeric uid of the ntpd user.
> +(Default: 123).
> +.El
> +.Sh SEE ALSO
> +.Xr mac 4 ,
> +.Xr ntpd 8
> +.Sh HISTORY
> +MAC first appeared in
> +.Fx 5.0
> +and
> +.Nm
> +first appeared in
> +.Fx 12.0 .
>
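Review bot: the DESCRIPTION says FreeBSD starts ntpd with `-u ntpd:ntpd` by default when the policy is available, but the log message defers the rc configuration for running without root privs to a separate commit, so this sentence documents behaviour not yet in the tree; qualify it or land it with that follow-up. The same section says the policy grants privileges to "user ntpd (uid 123)", while the grant is actually keyed on `security.mac.ntpd.uid`, which the Runtime Configuration section shows is tunable; wording it as "any process whose uid equals security.mac.ntpd.uid (default 123, the ntpd user)" keeps the two sections consistent. Minor: `.Dd June 28, 2018` predates the commit date.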
> Modified: head/sys/conf/NOTES
> ==============================================================================
> --- head/sys/conf/NOTES Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/sys/conf/NOTES Thu Jul 19 23:55:29 2018 (r336525)
> @@ -1193,6 +1193,7 @@ options MAC_IFOFF
> options MAC_LOMAC
> options MAC_MLS
> options MAC_NONE
> +options MAC_NTPD
> options MAC_PARTITION
> options MAC_PORTACL
> options MAC_SEEOTHERUIDS
>
> Modified: head/sys/conf/files
> ==============================================================================
> --- head/sys/conf/files Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/sys/conf/files Thu Jul 19 23:55:29 2018 (r336525)
> @@ -4887,6 +4887,7 @@ security/mac_ifoff/mac_ifoff.c optional mac_ifoff
> security/mac_lomac/mac_lomac.c optional mac_lomac
> security/mac_mls/mac_mls.c optional mac_mls
> security/mac_none/mac_none.c optional mac_none
> +security/mac_ntpd/mac_ntpd.c optional mac_ntpd
> security/mac_partition/mac_partition.c optional mac_partition
> security/mac_portacl/mac_portacl.c optional mac_portacl
> security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
>
> Modified: head/sys/conf/options
> ==============================================================================
> --- head/sys/conf/options Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/sys/conf/options Thu Jul 19 23:55:29 2018 (r336525)
> @@ -158,6 +158,7 @@ MAC_IFOFF opt_dontuse.h
> MAC_LOMAC opt_dontuse.h
> MAC_MLS opt_dontuse.h
> MAC_NONE opt_dontuse.h
> +MAC_NTPD opt_dontuse.h
> MAC_PARTITION opt_dontuse.h
> MAC_PORTACL opt_dontuse.h
> MAC_SEEOTHERUIDS opt_dontuse.h
>
> Modified: head/sys/modules/Makefile
> ==============================================================================
> --- head/sys/modules/Makefile Thu Jul 19 23:54:18 2018 (r336524)
> +++ head/sys/modules/Makefile Thu Jul 19 23:55:29 2018 (r336525)
> @@ -230,6 +230,7 @@ SUBDIR= \
> mac_lomac \
> mac_mls \
> mac_none \
> + mac_ntpd \
> mac_partition \
> mac_portacl \
> mac_seeotheruids \
>
> Added: head/sys/modules/mac_ntpd/Makefile
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/sys/modules/mac_ntpd/Makefile Thu Jul 19 23:55:29 2018
> (r336525) @@ -0,0 +1,8 @@
> +# $FreeBSD$
> +
> +.PATH: ${SRCTOP}/sys/security/mac_ntpd
> +
> +KMOD= mac_ntpd
> +SRCS= mac_ntpd.c
> +
> +.include <bsd.kmod.mk>
>
> Added: head/sys/security/mac_ntpd/mac_ntpd.c
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/sys/security/mac_ntpd/mac_ntpd.c Thu Jul 19 23:55:29
> 2018 (r336525) @@ -0,0 +1,77 @@
> +/*-
> + * SPDX-License-Identifier: BSD-2-Clause
> + *
> + * Copyright (c) 2018 Ian Lepore <ian at FreeBSD.org>
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * $FreeBSD$
> + */
> +
> +#include <sys/param.h>
> +#include <sys/kernel.h>
> +#include <sys/module.h>
> +#include <sys/priv.h>
> +#include <sys/sysctl.h>
> +#include <sys/ucred.h>
> +
> +#include <security/mac/mac_policy.h>
> +
> +SYSCTL_DECL(_security_mac);
> +
> +static SYSCTL_NODE(_security_mac, OID_AUTO, ntpd, CTLFLAG_RW, 0,
> + "mac_ntpd policy controls");
> +
> +static int ntpd_enabled = 1;
> +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, enabled, CTLFLAG_RWTUN,
> + &ntpd_enabled, 0, "Enable mac_ntpd policy");
> +
> +static int ntpd_uid = 123;
> +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, uid, CTLFLAG_RWTUN,
> + &ntpd_uid, 0, "User id for ntpd user");
> +
> +static int
> +ntpd_priv_grant(struct ucred *cred, int priv)
> +{
> +
> + if (ntpd_enabled && cred->cr_uid == ntpd_uid) {
> + switch (priv) {
> + case PRIV_ADJTIME:
> + case PRIV_CLOCK_SETTIME:
> + case PRIV_NTP_ADJTIME:
> + case PRIV_NETINET_RESERVEDPORT:
> + case PRIV_NETINET_REUSEPORT:
> + return (0);
> + default:
> + break;
> + }
> + }
> + return (EPERM);
> +}
> +
> +static struct mac_policy_ops ntpd_ops =
> +{
> + .mpo_priv_grant = ntpd_priv_grant,
> +};
> +
> +MAC_POLICY_SET(&ntpd_ops, mac_ntpd, "MAC/ntpd",
> + MPC_LOADTIME_FLAG_UNLOADOK, NULL);
>
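Review bot: `ntpd_uid` is an `int` exposed through SYSCTL_INT and compared with `cred->cr_uid`, which is unsigned, so a negative value set via sysctl or loader tunable is converted rather than rejected; declaring it with an unsigned type or validating it in a sysctl handler avoids the silent conversion. Two properties worth stating in a comment (and in the man page's "Privileges Granted" section): PRIV_NETINET_RESERVEDPORT lets the ntpd uid bind any reserved port, not only UDP 123 as the log message describes, and because only `mpo_priv_grant` is implemented the module can widen but never narrow what a process may do, so it cannot be used to constrain a root-running ntpd.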
> Modified: head/usr.sbin/ntp/config.h
> ==============================================================================
> --- head/usr.sbin/ntp/config.h Thu Jul 19 23:54:18 2018
> (r336524) +++ head/usr.sbin/ntp/config.h Thu Jul 19 23:55:29
> 2018 (r336525) @@ -392,7 +392,7 @@
> /* #undef HAVE_DOPRNT */
>
> /* Can we drop root privileges? */
> -/* #undef HAVE_DROPROOT */
> +#define HAVE_DROPROOT
>
> /* Define to 1 if you have the <errno.h> header file. */
> #define HAVE_ERRNO_H 1
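Review bot: `#define HAVE_DROPROOT` is defined without a value while the neighbouring HAVE_* macros in this file (HAVE_ERRNO_H here, HAVE_TRUSTEDBSD_MAC in the next hunk) are defined to 1; ntpd.c only tests it with `#if defined(...)`, so it works, but `#define HAVE_DROPROOT 1` matches the generated-config convention and avoids a surprise if a later test uses `#if HAVE_DROPROOT`.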
> @@ -1118,6 +1118,9 @@
>
> /* Do we have the TIO serial stuff? */
> /* #undef HAVE_TIO_SERIAL_STUFF */
> +
> +/* Are TrustedBSD MAC policy privileges available? */
> +#define HAVE_TRUSTEDBSD_MAC 1
>
> /* Define to 1 if the system has the type `uint16_t'. */
> #define HAVE_UINT16_T 1
After updating CURRENT to r336625, adding user ntpd (UID 123, GID 123)
to /etc/master.passwd and /etc/group file(s) and correcting the
flags for ntpd given in /etc/rc.conf according to ntpd_flags="-4 -I
XXX.XXX.XXX.XXX", and performing a mergemaster to apply the new rc scripts
in /etc/rc.d for ntpd, and(!) terminating the remnant ntpd daemon via a killall
-9 command, I find myself with the following situation right now:
ntpd refuses to start, the console log message reports:
[...]
Jul 23 07:14:03 <ntp.notice> segestes ntpd[50407]: ntpd 4.2.8p11-a (1): Starting
Jul 23 07:14:03 <ntp.info> segestes ntpd[50407]: Command line: /usr/sbin/ntpd -4 -I 192.168.178.231 -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift -g
Jul 23 07:14:03 <ntp.info> segestes ntpd[51295]: proto: precision = 0.108 usec (-23)
Jul 23 07:14:03 <ntp.notice> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
Jul 23 07:14:03 <ntp.notice> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2017-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
Jul 23 07:14:03 <ntp.err> segestes ntpd[51295]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): expired less than 208 days ago
Jul 23 07:14:03 <ntp.err> segestes ntpd[51295]: unable to bind to wildcard address 0.0.0.0 - another process may be running - EXITING
[...]
On all boxes updated to the most recent CURRENT I face this situation right
now. Kernel module mac_ntpd is successfully loaded. As soon as "service ntpd
start/restart" is issued, console receives
[...]
ntpd not running? (check /var/db/ntp/ntpd.pid).
Starting ntpd.
And checking /var/db/ntp:
ll /var/db/ntp
total 16
242583 drwxr-xr-x 2 ntpd ntpd - 512B 23 Juli 07:07 ./
240768 drwxr-xr-x 27 root wheel - 1.0K 23 Juli 07:07 ../
241233 -rw-r--r-- 1 ntpd ntpd - 8B 23 Juli 07:03 ntpd.drift
241270 -rw-r--r-- 1 ntpd ntpd - 5B 23 Juli 07:16 ntpd.pid
Another issue is regarding when /var/db/ntp doesn't exist. The rc script
doesn't create /var/db/ntp and terminates with an error:
# service ntpd restart
ntpd not running? (check /var/db/ntp/ntpd.pid).
stat: /var/db/ntp: stat: No such file or directory
Starting ntpd.
Kind regards,
Oliver