[Git][NTPsec/ntpsec][master] Add droproot support for FreeBSD

Hal Murray gitlab at mg.gitlab.com
Sat Mar 28 06:27:32 UTC 2020



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
e99e60f7 by Hal Murray at 2020-03-27T16:08:34-07:00
Add droproot support for FreeBSD
  Needs kernel module mac_ntpd.ko to be loaded.
  Then, sysctl -a | grep ntpd should show:
    security.mac.ntpd.uid: 123
    security.mac.ntpd.enabled: 1
  Adding this to /etc/rc.conf will load it:
    kld_list="mac_ntpd"

- - - - -


2 changed files:

- ntpd/ntp_sandbox.c
- wscript


Changes:

=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -35,6 +35,12 @@ static priv_set_t *lowprivs = NULL;
 static priv_set_t *highprivs = NULL;
 #endif /* HAVE_SOLARIS_PRIVS */
 
+#ifdef HAVE_PRIV_NTP_ADJTIME
+#include <sys/types.h>
+#include <sys/sysctl.h>
+static void CheckFreeBSDdroproot(uid_t uid);
+#endif
+
 #ifdef HAVE_SECCOMP_H
 # include <seccomp.h>
 static void catchTrap(int sig, siginfo_t *, void *);
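Review bot: The forward declaration `static void CheckFreeBSDdroproot(uid_t uid);` gives the helper internal linkage, but the definition added in the last hunk of this file is written `void CheckFreeBSDdroproot(uid_t uid) {` without the storage class. C keeps the linkage of the first declaration, so this compiles, but someone reading the definition alone would take it for an exported symbol. Writing `static void CheckFreeBSDdroproot(uid_t uid) {` at the definition keeps the two in agreement.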
@@ -68,13 +74,13 @@ bool sandbox(const bool droproot,
 #ifndef HAVE_LINUX_CAPABILITY
 	UNUSED_ARG(want_dynamic_interface_tracking);
 #endif /* HAVE_LINUX_CAPABILITY */
-#if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS) && !defined(HAVE_SYS_CLOCKCTL_H)
+#if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS) && !defined(HAVE_SYS_CLOCKCTL_H) && !defined(HAVE_PRIV_NTP_ADJTIME)
 	if (droproot) {
 		msyslog(LOG_ERR,
 			"INIT: root can't be dropped due to missing capabilities.");
 		exit(-1);
 	}
-#endif /* !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)  && !defined(HAVE_SYS_CLOCKCTL_H) */
+#endif /* !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)  && !defined(HAVE_SYS_CLOCKCTL_H) && !defined(HAVE_PRIV_NTP_ADJTIME) */
 	if (droproot) {
 		/* Drop super-user privileges and chroot now if the OS supports this */
 #  ifdef HAVE_LINUX_CAPABILITY
@@ -172,6 +178,10 @@ getgroup:
 			exit(-1);
 		}
 #  endif /* HAVE_SOLARIS_PRIVS */
+#ifdef HAVE_PRIV_NTP_ADJTIME
+		if (user)
+			CheckFreeBSDdroproot(sw_uid);
+#endif
                 /* FIXME? Apple takes an int as 2nd argument */
 		if (user && initgroups(user, (gid_t)sw_gid)) {
 			msyslog(LOG_ERR, "INIT: Cannot initgroups() to user `%s': %s", user, strerror(errno));
@@ -477,6 +487,29 @@ int scmp_sc[] = {
 	return nonroot;
 }
 
+#ifdef HAVE_PRIV_NTP_ADJTIME
+void CheckFreeBSDdroproot(uid_t uid) {
+	/* This checks that mac_ntpd.ko is loaded.
+	 * It defaults to 123 and enabled, aka what we want.
+	 * We could also check security.mac.ntpd.enabled.
+	 */
+	uid_t need;
+	size_t size = sizeof(need);
+	int err;
+	err = sysctlbyname("security.mac.ntpd.uid", &need, &size, NULL, 0);
+	if (err) {
+		msyslog(LOG_ERR, "INIT: sysctl failed. Is mac_ntpd.ko loaded? (%s)", strerror(errno));
+		exit(-1);
+	}
+	if (uid != need) {
+		msyslog(LOG_ERR, "INIT: FreeBSD needs user %d", need);
+		exit(-1);
+	}
+	return;
+}
+#endif
+
+
 #ifdef HAVE_SECCOMP_H
 
 /* New threads default to kill on SIGSYS */
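Review bot: `CheckFreeBSDdroproot` verifies only `security.mac.ntpd.uid`, so a host where the module is loaded but `security.mac.ntpd.enabled` is 0 passes the check and ntpd gives up root without an active policy for the unprivileged uid; the in-code comment already names this gap. Reading the second sysctl here turns that case into a clear startup failure instead of a presumably later failure to set the clock. Separately, `need` is a `uid_t` but is logged with `%d`; FreeBSD's `uid_t` is unsigned, so `%u` with a cast to `unsigned int` matches the argument. The sketch assumes `security.mac.ntpd.enabled` is an int-sized sysctl, which should be confirmed against the module.

```c
	/* … unchanged: security.mac.ntpd.uid lookup and its failure exit … */
	int enabled = 0;
	size = sizeof(enabled);
	err = sysctlbyname("security.mac.ntpd.enabled", &enabled, &size, NULL, 0);
	if (err || !enabled) {
		msyslog(LOG_ERR, "INIT: security.mac.ntpd.enabled is off; mac_ntpd policy is not active");
		exit(-1);
	}
	if (uid != need) {
		msyslog(LOG_ERR, "INIT: FreeBSD needs user %u", (unsigned int)need);
		exit(-1);
	}
```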


=====================================
wscript
=====================================
@@ -611,7 +611,9 @@ int main(int argc, char **argv) {
         ('res_init', ["netinet/in.h", "arpa/nameser.h", "resolv.h"]),
         ('sched_setscheduler', ["sched.h"]),
         ('strlcpy', ["string.h"]),
-        ('strlcat', ["string.h"])
+        ('strlcat', ["string.h"]),
+	# Hack.  It's not a function, but this works.
+	('PRIV_NTP_ADJTIME', ["sys/priv.h"])		# FreeBSD
     )
     for ft in optional_functions:
         probe_function(ctx, function=ft[0], prerequisites=ft[1])
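Review bot: The two added lines for `PRIV_NTP_ADJTIME` are indented with a tab, while the other entries of the `optional_functions` tuple use eight spaces. Python ignores indentation inside the parentheses, so this runs, but the mix is easy to break if the entry is ever moved outside a bracketed expression; re-indent both lines with spaces. The `# Hack.` comment would also be more useful if it said what the probe actually tests, for example `# Not a function: the probe only needs the name to compile against sys/priv.h`. That wording is inferred, since `probe_function` is defined outside this hunk, so confirm it before adopting it.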
@@ -822,13 +824,14 @@ int main(int argc, char **argv) {
     check_SSL_version(ctx)
 
     # before write_config()
-    droproot_type = ""
     if ctx.is_defined("HAVE_LINUX_CAPABILITY"):
         droproot_type = "Linux"
     elif ctx.is_defined("HAVE_SOLARIS_PRIVS"):
         droproot_type = "Solaris"
     elif ctx.is_defined("HAVE_SYS_CLOCKCTL_H"):
         droproot_type = "NetBSD"
+    elif ctx.is_defined("HAVE_PRIV_NTP_ADJTIME"):
+        droproot_type = "FreeBSD"
     else:
         droproot_type = "None"
 



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/e99e60f74ecbc6b86c4c31019a5c5b5923b3da7e
