Is it time to drop seccomp?

Richard Laager rlaager at wiktel.com
Wed Feb 13 05:11:17 UTC 2019


On 2/12/19 10:15 PM, Hal Murray via devel wrote:
> It's possible to start ntpd non-root.
> 
> I've been using the following:
> 
> Post normal install:
>   chown ntp:ntp /usr/local/sbin/ntpd
>   chmod +s      /usr/local/sbin/ntpd
>   setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,\
> cap_sys_nice,cap_sys_time,cap_net_bind_service=pe /usr/local/sbin/ntpd

I think the setuid/setcap as described above is dangerous. Unless you
limit the permissions on "other" (e.g. chmod 2700 or 2750), any user
will be able to execute ntpd (with a config file of their choice) and
have it set the system time! Also, you probably don't want the ntp user
to be able to modify the ntpd executable, so you would probably want
2500 or 2550 as the mode.

Given the user thing isn't useful anyway (per your comments below)...
How does this work (in conjunction with the code below to set the
user/group at runtime):

  chown root:root /usr/local/sbin/ntpd
  chmod 750 /usr/local/sbin/ntpd
  setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,\
cap_sys_nice,cap_sys_time,cap_net_bind_service=pe /usr/local/sbin/ntpd

> Patch to ntpd.service for Fedora/systemd
> ExecStart=/usr/sbin/runuser -u ntp -- /usr/local/sbin/ntpd $OPTIONS

Don't use runuser with systemd. Have systemd set the user:
User=ntp

and if you want to set a group:
Group=ntp

> For debian:
>                 start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE 
> --startas /sbin/runuser -- -u ntp -- $DAEMON -p $PIDFILE $NTPD_OPTS

Do you want "-g ntp" here?

----

Here is an alternative for systemd only, but it avoids the need for
setcap and permissions changes.

Leave things as per a normal install (no chown/chmod/setcap), and add
this to the unit file:

User=ntp
Group=ntp
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYS_NICE CAP_SYS_TIME
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

You can probably set NoNewPrivileges=yes for good measure too.

The sysvinit script could be left alone to continue to run the daemon as
root and let it drop privileges as it always has.

-- 
Richard

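Added example, not code from Hal or Richard: a small sh audit that applies the objection above to a binary's owner, mode and file capabilities, flagging a setuid/setcap ntpd that any user can execute and a privileged binary its own service user can overwrite. It assumes a Linux host with GNU stat and getcap; assess_binary() and audit_file() are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.  A file carrying setuid or
# file capabilities (cap_sys_time etc.) that is also executable by "other" lets
# any local user run it with a config of their choice; a privileged binary
# writable by its own service user can be replaced by that user.
# assess_binary() is a pure check on (owner, octal mode, caps yes/no).

assess_binary() {
    owner=$1 mode=$2 has_caps=$3
    case ${#mode} in
        3) special=0; perm=$mode ;;                   # e.g. 750
        4) special=${mode%???}; perm=${mode#?} ;;     # e.g. 6755 -> 6, 755
        *) echo "ERROR: unexpected mode '$mode'"; return 3 ;;
    esac
    user_bits=${perm%??}                              # owner digit
    other_bits=${perm#??}                             # "other" digit
    # Elevated privilege comes from the setuid bit (4 in the special digit)
    # or from file capabilities; setgid alone (2) does not count here.
    if [ $(( special & 4 )) -ne 0 ] || [ "$has_caps" = yes ]; then
        if [ $(( other_bits & 1 )) -ne 0 ]; then
            echo "RISKY: setuid/setcap binary executable by any user (chmod o-rwx, e.g. 2750)"
            return 1
        fi
        if [ "$owner" != root ] && [ $(( user_bits & 2 )) -ne 0 ]; then
            echo "WARN: owner $owner can rewrite a privileged binary (drop owner write, e.g. 2550)"
            return 2
        fi
    fi
    echo "OK: owner=$owner mode=$mode caps=$has_caps"
    return 0
}

# Live check of one path (GNU stat, getcap assumed); getcap prints only when caps are set.
audit_file() {
    path=$1
    owner=$(stat -c %U "$path") || return 3
    mode=$(stat -c %a "$path") || return 3
    caps=no
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$path" 2>/dev/null)" ]; then
        caps=yes
    fi
    printf '%s: ' "$path"
    assess_binary "$owner" "$mode" "$caps"
}

# Usage: ./audit_ntpd.sh /usr/local/sbin/ntpd
for f in "$@"; do audit_file "$f"; done
```

Run against Hal's install (ntp-owned, chmod +s, setcap) it reports RISKY; against Richard's root:root 750 plus setcap variant it reports OK.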