[Git][NTPsec/ntpsec][master] Add support for NetBSD clockctl interface.

Eric S. Raymond gitlab at mg.gitlab.com
Fri Jul 8 02:36:51 UTC 2016


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
9bf60227 by Eric S. Raymond at 2016-07-07T22:31:26-04:00
Add support for NetBSD clockctl interface.

According to clockctl(4), if the owner of a non-root device has access to
/dev/clockctl, that process will be able to set and slew the clock
through all the time-related system calls normally available to root.

What we do here is presume that the ntp user has that access.  Thus
we refrain from bailing out after dropping root.

- - - - -


2 changed files:

- ntpd/ntp_sandbox.c
- pylib/configure.py


Changes:

=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -58,13 +58,13 @@ bool sandbox(const bool droproot,
 	UNUSED_ARG(want_dynamic_interface_tracking);
 #endif /* HAVE_LINUX_CAPABILITY */
 	bool nonroot = false;
-#if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
+#if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS) && !defined(HAVE_SYS_CLOCKCTL)
 	if (droproot) {
 		msyslog(LOG_ERR,
 			"root can't be dropped due to missing capabilities.");
 		exit(-1);
 	}
-#endif /* !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS) */
+#endif /* !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)  && !defined(HAVE_SYS_CLOCKCTL) */
 # ifdef ENABLE_DROPROOT
 	if (droproot) {
 		/* Drop super-user privileges and chroot now if the OS supports this */
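
Review bot: The added `!defined(HAVE_SYS_CLOCKCTL)` term on the `#if` line decides at compile time that dropping root is safe, but nothing in this hunk checks at run time that the account ntpd switches to can actually use the clockctl device. The commit message says this access is presumed; if the presumption is wrong on a given host, the `exit(-1)` bail-out is skipped and the daemon would continue as non-root, presumably unable to set or slew the clock, with no log line pointing at the cause. Suggest checking access to the device around the privilege drop and reporting failure through `msyslog(LOG_ERR, ...)`, and adding a comment next to the guard that documents the presumption. Minor: the `#endif` comment has a doubled space before the last `&&`.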


=====================================
pylib/configure.py
=====================================
--- a/pylib/configure.py
+++ b/pylib/configure.py
@@ -345,6 +345,7 @@ def cmd_configure(ctx, config):
 		"stdatomic.h",
 		"sys/audioio.h",
 		"sys/capability.h",     # Linux
+		"sys/clockctl.h",	# NetBSD
 		"sys/ioctl.h",
 		"sys/modem.h",          # Apple
 		"sys/prctl.h",          # Linux
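
Review bot: The added `"sys/clockctl.h"` entry is a header probe, while the guard in ntpd/ntp_sandbox.c tests `HAVE_SYS_CLOCKCTL`, and nothing in the visible lines defines that exact macro. Please confirm which name this list generates for the header; if it carries a header suffix such as `_H`, the new guard term never becomes true and NetBSD builds still hit the "root can't be dropped" exit. Style: the new line separates the entry from `# NetBSD` with a tab, where the neighbouring entries align their comments with spaces.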



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/9bf60227d06f5c548a81d3338b5a36f2fb733710