Summary: | net-misc/chrony-3.5-r2: default config runs as root; no privsep. | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Default Configs | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | CC: | grknight, jer |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://github.com/gentoo/gentoo/pull/14973 https://bugs.gentoo.org/show_bug.cgi?id=746116 |
||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 713688 |
Description
Sam James
2020-02-28 18:23:16 UTC
Note that the 'user' option requires the non-default caps USE flag By default it listens on 127.0.0.1 Anyway it could be seen as improvement I don't guess it is a security bug. @ ago: Component "Gentoo security", "Default configuration" is exactly for things like that. (In reply to Agostino Sarubbo from comment #2) > By default it listens on 127.0.0.1 > IMO this does not matter; it's a privileged daemon which reaches out to the internet. I'd be equally concerned if e.g. dnsmasq was running as root. Best to not trust remote NTP servers. I will have a try at making a patch for this. (In reply to Thomas Deutschmann from comment #3) > @ ago: Component "Gentoo security", "Default configuration" is exactly for > things like that. I took bug 587586 as example where is more or less the same but it is not under security. Next time I'll put it under Default configs seccomp in chrony is only enabled at runtime if -F N is given, where: * N = 1: filtering * N = -1: logs would-be blocked syscalls, but allows through The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eefb61d11a77c123475fec73db819fa6121b7f2 commit 5eefb61d11a77c123475fec73db819fa6121b7f2 Author: Sam James (sam_c) <sam@cmpct.info> AuthorDate: 2020-03-04 04:49:58 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-30 18:36:43 +0000 net-misc/chrony: Run as non-root when USE=caps, revbump When caps is enabled, drop to the user ntp (acct-user/ntp), as opposed to remaining root. Adds a tmpfile.d entry for /run/chrony to ensure correct permissions. Closes: https://bugs.gentoo.org/711058 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> net-misc/chrony/chrony-3.5-r3.ebuild | 150 +++++++++++++++++++++++++++++++++++ net-misc/chrony/chrony-9999.ebuild | 29 ++++++- net-misc/chrony/files/chronyd.conf | 2 +- 3 files changed, 177 insertions(+), 4 deletions(-) Additionally, it has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c99543bfd3245724e21089a617f28d828c5548 commit a2c99543bfd3245724e21089a617f28d828c5548 Author: Sam James (sam_c) <sam@cmpct.info> AuthorDate: 2020-03-15 20:53:29 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-30 18:36:44 +0000 net-misc/chrony: Enable seccomp filtering when USE=seccomp We already have USE=seccomp but chronyd won't do anything unless -F is set to 1. We could also set -F -1 which will log any syscalls which would've been blocked but won't deny them. Also fixes systemd for previous commit. Bug: https://bugs.gentoo.org/711058 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Closes: https://github.com/gentoo/gentoo/pull/14973 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> net-misc/chrony/chrony-3.5-r3.ebuild | 30 ++-- net-misc/chrony/chrony-4.0_pre1-r1.ebuild | 155 +++++++++++++++++++++ net-misc/chrony/chrony-9999.ebuild | 30 ++-- .../files/chrony-3.5-r3-systemd-gentoo.patch | 12 ++ net-misc/chrony/files/chronyd.conf | 2 +- 5 files changed, 200 insertions(+), 29 deletions(-) |