
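--- a/ntp-4.0.99m-rc2/html/ntpd.htm.droproot
+++ b/ntp-4.0.99m-rc2/html/ntpd.htm.droproot
@@ -22,7 +22,7 @@
 driftfile</i> ] [ -g ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ]
 [ -N high ] [ -p <i>pidfile</i> ] [ -r <i>broadcastdelay</i> ] [ -s
 <i>statsdir</i> ] [ -t <i>key</i> ] [ -v <i>variable</i> ] [ -V <i>
-variable</i> ] [ -x ]</tt> 
+variable</i> ] [ -T <i>chroot_dir</i> ] [ -U <i>server_user</i> ] [ -x ]</tt> 
 
 <h4>Description</h4>
 
@@ -379,6 +379,19 @@
 
 <dd>Add a system variable listed by default.</dd>
 
+
+<DT><TT>-T <I>chroot_dir</I></DT>
+<DD>Chroot the ntpd server process into <I>chroot_dir</I>. To use this
+option you have to copy all the files that ntpd process needs into the
+chroot directory. This option adds security only if the server also drops
+root privileges (see -U option).</DD>
+
+<DT><TT>-U <I>server_user</I></DT>
+<DD>Ntpd process drops root privileges and changes user ID to
+<I>server_user</I> and group ID to the primary group of <I>server_user</I>.
+To use this option you need libcap-library.
+</DD>
+
 <dt><tt>-x</tt></dt>
 
 <dd>Normally, the time is slewed if the offset is less than the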
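--- a/ntp-4.0.99m-rc2/html/ntpdate.htm.droproot
+++ b/ntp-4.0.99m-rc2/html/ntpdate.htm.droproot
@@ -26,6 +26,7 @@
 
 <tt>ntpdate [ -bBdoqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ]
 [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [
+-U <i>user_name</i> ] [
 -t <i>timeout</i> ] <i>server</i> [ ... ]</tt> 
 
 <h4>Description</h4>
@@ -161,6 +162,12 @@
 
 <dd>Be verbose. This option will cause <tt>ntpdate</tt>'s version
 identification string to be logged.</dd>
+
+<dt><tt>-U <i>user_name</i></tt></dt>
+
+<dd>ntpdate process drops root privileges and changes user ID to
+<i>user_name</i> and group ID to the primary group of <i>server_user</i>.
+To use this option you need libcap-library.</dd>
 </dl>
 
 <h4>Files</h4>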
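--- a/ntp-4.0.99m-rc2/ntpd/Makefile.in.droproot
+++ b/ntp-4.0.99m-rc2/ntpd/Makefile.in.droproot
@@ -166,7 +166,7 @@
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I$(top_builddir)
 CPPFLAGS = @CPPFLAGS@
-LIBS = @LIBS@
+LIBS = @LIBS@ -lcap
 ANSI2KNR = ../util/ansi2knr
 check_y2k_SOURCES = check_y2k.c
 check_y2k_OBJECTS = check_y2k$U.$(OBJEXT)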
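--- a/ntp-4.0.99m-rc2/ntpd/ntpd.c.droproot
+++ b/ntp-4.0.99m-rc2/ntpd/ntpd.c.droproot
@@ -6,6 +6,11 @@
 # include <config.h>
 #endif
 
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#include <pwd.h>
+#include <grp.h>
+
 #include "ntpd.h"
 #include "ntp_io.h"
 #include "ntp_stdlib.h"
@@ -96,6 +101,11 @@
 #include "ntp_crypto.h"
 #endif /* PUBKEY */
 
+/* Username to run as */
+char *server_user=0;
+/* Chroot to this dir */
+char *chroot_dir=0;
+
 /*
  * Signals we catch for debugging.	If not debugging we ignore them.
  */
@@ -188,10 +198,60 @@
 	char *argv[]
 	)
 {
+  server_user = NULL;
+  chroot_dir = NULL;
 	return ntpdmain(argc, argv);
 }
 #endif
 
+/* This patch is adapted (copied) from Chris Wings drop root patch
+ * for xntpd.
+ */
+void drop_root(uid_t server_uid, gid_t server_gid)
+{
+  cap_t caps;
+
+  if (prctl(PR_SET_KEEPCAPS, 1)) {
+    msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
+    exit(1);
+  }
+
+  if ( setgroups(0, NULL) == -1 ) {
+    msyslog(LOG_ERR, "setgroups failed.");
+    exit(1);
+  }
+
+  if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) {
+    msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid,
+            server_gid);
+    exit(1);
+  }
+
+  caps = cap_from_text("cap_sys_time=epi");
+  if (caps == NULL) {
+    msyslog(LOG_ERR, "cap_from_text failed.");
+    exit(1);
+  }
+
+  if (cap_set_proc(caps) == -1) {
+    msyslog(LOG_ERR, "cap_set_proc failed.");
+    exit(1);
+  }
+  
+  /* Try to free the memory from cap_from_text */
+  cap_free( caps );
+
+  if ( setregid(server_gid, server_gid) == -1 ||
+       setreuid(server_uid, server_uid) == -1 ) {
+    msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.", server_uid,
+            server_gid);
+    exit(1);
+  }
+
+  msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).",
+          getuid(), getgid(), geteuid(), getegid());
+}
+
 #ifdef _AIX
 /*
  * OK. AIX is different than solaris in how it implements plock().
@@ -337,6 +397,9 @@
 #ifdef _AIX			/* HMS: ifdef SIGDANGER? */
 	struct sigaction sa;
 #endif
+	struct passwd *pwd = NULL;
+	uid_t server_uid;
+	gid_t server_gid;
 
 	initializing = 1;		/* mark that we are initializing */
 	debug = 0;			/* no debugging by default */
@@ -377,6 +440,29 @@
 #endif
 	getstartup(argc, argv); /* startup configuration, may set debug */
 
+  /* Lookup server_user uid/gid before chroot/chdir */
+  if ( server_user ) {
+    pwd = getpwnam( server_user );
+    if ( pwd == NULL ) {
+      msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user);
+      exit(1);
+    }
+    server_uid = pwd->pw_uid;
+    server_gid = pwd->pw_gid;
+  }
+
+  /* Try to chroot to chroot_dir. This probably makes sense only if
+   * the server drops root privileges.
+   */
+  if ( chroot_dir ) {
+    if ( chroot(chroot_dir) == -1 || chdir("/") == -1 ) {
+      msyslog(LOG_ERR, "chroot/chdir to '%s' failed.", chroot_dir);
+      exit(1);
+    }
+    /* Close /dev/log */
+    closelog();
+  }
+	
 	/*
 	 * Initialize random generator and public key pair
 	 */
@@ -745,6 +831,10 @@
 #endif /* AUTOKEY */
 	initializing = 0;
 
+  if ( server_user ) {
+    drop_root( server_uid, server_gid );
+  }
+
 #if defined(SYS_WINNT) && !defined(NODETACH)
 # if defined(DEBUG)
 	if(!debug)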
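Review bot: The `getpwnam()` result in the ntpdmain lookup hunk is accepted without rejecting uid 0, so `-U root` (or any account with `pw_uid == 0`) goes through `drop_root()` and returns normally while the daemon is still uid 0; add `if (pwd->pw_uid == 0) { msyslog(LOG_ERR, "refusing -U '%s': uid 0", server_user); exit(1); }` right after the NULL check, and do the same at the lookup in the last ntpdate.c hunk. `-T` is also honoured when `-U` is absent, although the comment above the chroot call and the manual text both say the chroot only helps once root is dropped, so a startup error (or at least a `LOG_WARNING`) when `chroot_dir` is set and `server_user` is not would match the documentation. `drop_root()` only logs the resulting ids at `LOG_DEBUG`; a final `if (setuid(0) != -1) { msyslog(LOG_ERR, "root privileges not dropped"); exit(1); }` would turn an incomplete drop into a hard stop. The failure messages would be easier to triage with the errno text appended, and the `%d` conversions are given `uid_t`/`gid_t` values without a cast. ntpdmain starts and ends outside these hunks.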
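--- a/ntp-4.0.99m-rc2/ntpd/cmd_args.c.droproot
+++ b/ntp-4.0.99m-rc2/ntpd/cmd_args.c.droproot
@@ -15,7 +15,15 @@
 extern char const *progname;
 int	listen_to_virtual_ips = 0;
 
+static const char *ntp_options = "aAbc:dD:f:gk:l:LmnN:p:P:qr:s:t:v:V:x:U:T:";
+
+/* Drop root patch */
+extern char *server_user;
+extern char *chroot_dir;
+
+/*
 static const char *ntp_options = "aAbc:dD:f:gk:l:LmnN:p:P:qr:s:t:v:V:x";
+*/
 
 #ifdef HAVE_NETINFO
 extern int	check_netinfo;
@@ -114,7 +122,31 @@
 		    ++errflg;
 		    break;
 
-		default:
+		 case 'U':
+			if ( !ntp_optarg ) {
+			  fprintf(stderr, "Error: Need username with 'U' option\n");
+			  exit(1);
+			}
+			else {
+			  if ( !server_user ) {
+				 server_user = strdup(ntp_optarg);
+			  }
+			}
+			break;
+			
+		 case 'T':
+			if ( !ntp_optarg ) {
+			  fprintf(stderr, "Error: Need directory with 'T' option\n");
+			  exit(1);
+			}
+			else {
+			  if ( !chroot_dir ) {
+				 chroot_dir = strdup(ntp_optarg);
+			  }
+			}
+			break;
+
+		 default:
 			break;
 		}
 
@@ -123,6 +155,7 @@
 		(void) fprintf(stderr, "\t\t[ -f freq_file ] [ -k key_file ] [ -l log_file ]\n");
 		(void) fprintf(stderr, "\t\t[ -p pid_file ] [ -r broad_delay ] [ -s statdir ]\n");
 		(void) fprintf(stderr, "\t\t[ -t trust_key ] [ -v sys_var ] [ -V default_sysvar ]\n");
+		(void) fprintf(stderr, "\t\t[ -T chroot_dir ] [ -U server_user ]\n");
 #if defined(HAVE_SCHED_SETSCHEDULER)
 		(void) fprintf(stderr, "\t\t[ -P fixed_process_priority ]\n");
 #endif
@@ -293,6 +326,10 @@
 			allow_step = FALSE;
 			break;
 
+		    case 'U': 	/* already done at pre-scan */
+		    case 'T':	/* already done at pre-scan */
+			break;
+
 		    default:
 			errflg++;
 			break;
@@ -304,6 +341,7 @@
 		(void) fprintf(stderr, "\t\t[ -f freq_file ] [ -k key_file ] [ -l log_file ]\n");
 		(void) fprintf(stderr, "\t\t[ -p pid_file ] [ -r broad_delay ] [ -s statdir ]\n");
 		(void) fprintf(stderr, "\t\t[ -t trust_key ] [ -v sys_var ] [ -V default_sysvar ]\n");
+		(void) fprintf(stderr, "\t\t[ -T chroot_dir ] [ -U server_user ]\n");
 #if defined(HAVE_SCHED_SETSCHEDULER)
 		(void) fprintf(stderr, "\t\t[ -P fixed_process_priority ]\n");
 #endif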
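Review bot: The new option string in the first hunk ends in `x:U:T:`, which gives `-x` a required argument that the old string (`...V:x`) and the manual synopsis (`[ -x ]`) do not have; assuming ntp_getopt follows getopt conventions, `ntpd -x -U ntp` would take `-U` as the value of `-x` and the privilege drop would silently not happen. The string should read `"aAbc:dD:f:gk:l:LmnN:p:P:qr:s:t:v:V:xU:T:"`. In the pre-scan cases the `strdup()` result is unchecked, so an allocation failure leaves `server_user` or `chroot_dir` NULL and ntpd carries on as root and unconfined; follow each call with `if (!server_user) { fprintf(stderr, "Error: out of memory\n"); exit(1); }` (and the `chroot_dir` equivalent), and the `case 'U'` added to ntpdate.c needs the same check. The old option string kept inside a `/* */` block is dead code and can be removed. Both switch statements start outside the hunks shown.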
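--- a/ntp-4.0.99m-rc2/ntpdate/Makefile.in.droproot
+++ b/ntp-4.0.99m-rc2/ntpdate/Makefile.in.droproot
@@ -139,7 +139,7 @@
 
 DEFS = @DEFS@ -I. -I$(srcdir) -I$(top_builddir)
 CPPFLAGS = @CPPFLAGS@
-LIBS = @LIBS@
+LIBS = @LIBS@ -lcap
 ANSI2KNR = ../util/ansi2knr
 ntpdate_SOURCES = ntpdate.c
 ntpdate_OBJECTS = ntpdate$U.$(OBJEXT)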
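--- a/ntp-4.0.99m-rc2/ntpdate/ntpdate.c.droproot
+++ b/ntp-4.0.99m-rc2/ntpdate/ntpdate.c.droproot
@@ -41,6 +41,12 @@
 # include <sys/resource.h>
 #endif /* HAVE_SYS_RESOURCE_H */
 
+/* Linux capabilities */
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#include <pwd.h>
+#include <grp.h>
+
 #ifdef SYS_VXWORKS
 # include "ioLib.h"
 # include "sockLib.h"
@@ -127,6 +133,11 @@
 int rate = 0;
 
 /*
+ * Use capabilities to drop privileges and switch uids
+ */
+char *server_user;
+
+/*
  * Program name.
  */
 char *progname;
@@ -273,6 +284,88 @@
 static ni_namelist *getnetinfoservers P((void));
 #endif
 
+/* This patch is adapted (copied) from Chris Wings drop root patch
+ * for xntpd.
+ */
+void drop_root(uid_t server_uid, gid_t server_gid)
+{
+  cap_t caps;
+
+  if (prctl(PR_SET_KEEPCAPS, 1)) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
+		}
+		else {
+			fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n");
+		}
+    exit(1);
+  }
+
+  if ( setgroups(0, NULL) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setgroups failed.");
+		}
+		else {
+			fprintf(stderr, "setgroups failed.\n");
+		}
+    exit(1);
+  }
+
+  if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid,
+							server_gid);
+		}
+		else {
+			fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid,
+							server_gid);
+		}
+    exit(1);
+  }
+
+  caps = cap_from_text("cap_sys_time=epi");
+  if (caps == NULL) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "cap_from_text failed.");
+		}
+		else {
+			fprintf(stderr, "cap_from_text failed.\n");
+		}
+    exit(1);
+  }
+
+  if (cap_set_proc(caps) == -1) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "cap_set_proc failed.");
+		}
+		else {
+			fprintf(stderr, "cap_set_proc failed.\n");
+		}
+    exit(1);
+  }
+  
+  /* Try to free the memory from cap_from_text */
+  cap_free( caps );
+
+  if ( setregid(server_gid, server_gid) == -1 ||
+       setreuid(server_uid, server_uid) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.",
+							server_uid, server_gid);
+		}
+		else {
+			fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n",
+							server_uid, server_gid);
+		}
+    exit(1);
+  }
+
+	if (syslogit) {
+		msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).",
+						getuid(), getgid(), geteuid(), getegid());
+	}
+}
+
 /*
  * Main program.  Initialize us and loop waiting for I/O and/or
  * timer expiries.
@@ -323,7 +416,7 @@
 #ifdef NO_MAIN_ALLOWED
 	clear_globals();
 #endif
-
+	server_user = NULL;
 	errflg = 0;
 	progname = argv[0];
 	syslogit = 0;
@@ -331,7 +424,7 @@
 	/*
 	 * Decode argument list
 	 */
-	while ((c = ntp_getopt(argc, argv, "a:bBde:k:o:p:qr:st:uv")) != EOF)
+	while ((c = ntp_getopt(argc, argv, "a:bBde:k:o:p:qr:st:uvU:")) != EOF)
 		switch (c)
 		{
 		case 'a':
@@ -417,13 +510,22 @@
 		case '?':
 			++errflg;
 			break;
+		case 'U':
+			if (ntp_optarg) {
+				server_user = strdup(ntp_optarg);
+			}
+			else {
+				++errflg;
+			}
+			break;
+
 		default:
 			break;
 	    }
 	
 	if (errflg) {
 		(void) fprintf(stderr,
-				   "usage: %s [-bBdqsv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-r rate] [-t timeo] server ...\n",
+				   "usage: %s [-bBdqsv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-r rate] [-t timeo] [-U username] server ...\n",
 				   progname);
 		exit(2);
 	}
@@ -536,6 +638,24 @@
 	initializing = 0;
 
 	was_alarmed = 0;
+
+	if (server_user) {
+		struct passwd *pwd = NULL;
+
+		/* Lookup server_user uid/gid before chroot/chdir */
+		pwd = getpwnam( server_user );
+		if ( pwd == NULL ) {
+			if (syslogit) {
+				msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user);
+			}
+			else {
+				fprintf(stderr, "Failed to lookup user '%s'.\n", server_user);
+			}
+			exit(1);
+		}
+		drop_root(pwd->pw_uid, pwd->pw_gid);
+	}
+
 	rbuflist = (struct recvbuf *)0;
 	while (complete_servers < sys_numservers) {
 #ifdef HAVE_POLL_H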
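Review bot: `drop_root()` in the third hunk is a second copy of the function added to ntpd.c, with every failure path expanded by hand into a `syslogit`/`stderr` pair, so any later fix to the privilege-drop sequence has to be made in two places and none of the messages say why the call failed. Keeping the sequence in one shared routine and sending failures through a small helper that appends the errno text, as sketched below, would keep the two programs in step and make a failed drop diagnosable from the log. The comment `Lookup server_user uid/gid before chroot/chdir` in the last hunk is carried over from ntpd.c, although nothing in the ntpdate.c hunks shown calls chroot, and should be reworded. The enclosing main routine starts and ends outside these hunks.

```c
/* Report a failed privilege-drop step on the active log channel, then exit. */
static void
drop_root_fail(const char *step)
{
	int saved_errno = errno;	/* logging calls may overwrite errno */

	if (syslogit)
		msyslog(LOG_ERR, "%s failed: %s", step, strerror(saved_errno));
	else
		fprintf(stderr, "%s failed: %s\n", step, strerror(saved_errno));
	exit(1);
}

void drop_root(uid_t server_uid, gid_t server_gid)
{
  /* ... unchanged: cap_t caps declaration ... */
  if (prctl(PR_SET_KEEPCAPS, 1))
    drop_root_fail("prctl(PR_SET_KEEPCAPS, 1)");

  if (setgroups(0, NULL) == -1)
    drop_root_fail("setgroups");

  /* ... setegid/seteuid, cap_from_text, cap_set_proc and setregid/setreuid
   *     report through drop_root_fail() in the same way ... */
  /* ... unchanged: cap_free() and the LOG_DEBUG report ... */
}
```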
