Starting with reduced capabilities (non root)

Hal Murray hmurray at megapathdsl.net
Mon Feb 12 21:37:33 UTC 2018 

I've been running on Linux with ntpd starting as non-root with reduced 
capabilities.  Do we want to merge this in?

It's not a big deal, but one more small step in the right direction.  The 
biggest disadvantage I can see is the increased complexity in the startup 
scripts.

It will take a lot of testing and some waf install tweaks that may be over my 
head.

Here are the changes it takes.  (I might have missed something).

The basic idea is to use setcap to setup the required capabilities.  The 
capabilities on a file get ORed in with the starting-users capabilities, so 
the second part is to start running as user ntp rather than root.  Setuid 
doesn't do what we need.  We need to use runuser or su or ...

Install (I have a script where I put this):
# cap_sys_resource => setrlimit
# cap_ipc_lock     => mlockall, mmap, shmctl
# cap_sys_nice     => sched_setscheduler
# cap_setgid,cap_setuid => droproot stuff (may not be needed to drop priv)
  setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,cap_sys_nice,cap_
sys_time,cap_net_bind_service=pe $DESTDIR/usr/local/sbin/ntpd
(the above was one long line before my mail system does whatever it does)
  chown ntp:ntp $DESTDIR/usr/local/sbin/ntpd
  chmod +s $DESTDIR/usr/local/sbin/ntpd

ntpd.service (systemd):
  ExecStart=/usr/sbin/runuser -u ntp -- /usr/local/sbin/ntpd -u ntp:ntp 
$OPTIONS

>From /etc/init.d/ntp on Ubuntu 16.04.3 LTS:
                        start-stop-daemon --start --quiet --oknodo --pidfile 
$PIDFILE --exec /sbin/runuser -- -u ntp -- $DAEMON -p $PIDFILE $NTPD_OPTS
(The first -- is for start-stop-daemon, the second -- is for runuser.)

ntpd needs a minor patch to not die if started as non-root.  That should 
probably be changed to die if started without needed capabilities.

I think we can avoid  cap_setgid and cap_setuid by not switching to ntp:ntp.  
For testing, I just used the old drop root code to dump the capabilities that 
are not needed after startup.

You also have to get the permissions right on log files and refclock device 
files.


-- 
These are my opinions.  I hate spam.

More information about the devel mailing list