From owner-svn-src-head@freebsd.org Fri Jul 20 13:59:30 2018
Message-Id: <201807201359.w6KDxT1p087000@repo.freebsd.org>
From: Ian Lepore
Date: Fri, 20 Jul 2018 13:59:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r336547 - in head/etc: defaults rc.d
X-SVN-Group: head
X-SVN-Commit-Author: ian
X-SVN-Commit-Paths: in head/etc: defaults rc.d
X-SVN-Commit-Revision: 336547
X-SVN-Commit-Repository: base

Author: ian
Date: Fri Jul 20 13:59:29 2018
New Revision: 336547

URL: https://svnweb.freebsd.org/changeset/base/336547

Log:
  Automatically run ntpd as non-root when possible.

  Ntpd needs only a subset of full root privileges to do its job.
  Specifically it needs the ability to manipulate system time, and to
  re-bind to a privileged UDP port after interface changes. The mac_ntpd(4)
  policy module (see r336525) can grant these privs.

  These changes detect the availability of mac_ntpd(4). If enabled, and if
  the ntpd configuration is fairly vanilla, it automatically runs ntpd as
  the non-root user 'ntpd' (uid 123). "Vanilla" means the config doesn't
  include command line or ntp.conf options changing the location of files
  or using any files/dirs likely to be inaccessible to user ntpd. Ntpd can
  still run as non-root when using such options, but the admin must ensure
  all required files and dirs are accessible, and then set ntpd_user=ntpd
  in rc.conf.

  Note that these changes also address PR 199127 by using the command_args
  technique suggested in the patch. They also tangentially address
  PR 113552, which is primarily about inconsistent filenames in
  documentation, but some of the inconsistency was caused by old code in
  rc.d/ntpd which is leftover from the initial import from netbsd.
  There was code to do chroot setup which required the use of the netbsd
  clockctl(4) device; that code never had any effect on freebsd, because we
  lack that device and don't build ntpd with the options that would allow
  using it.

  PR:		113552 199127
  Relnotes:	yes
  Differential Revision:	https://reviews.freebsd.org/D16050

Modified:
  head/etc/defaults/rc.conf
  head/etc/rc.d/ntpd

Modified: head/etc/defaults/rc.conf ============================================================================== --- head/etc/defaults/rc.conf Fri Jul 20 13:45:09 2018 (r336546) +++ head/etc/defaults/rc.conf Fri Jul 20 13:59:29 2018 (r336547) @@ -381,8 +381,7 @@ ntpd_enable="NO" # Run ntpd Network Time Protocol (or ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one. ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file ntpd_sync_on_start="NO" # Sync time on ntpd startup, even if offset is high -ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift" - # Flags to ntpd (if enabled). +ntpd_flags="" # Additional flags to ntpd ntp_src_leapfile="/etc/ntp/leap-seconds" # Initial source for ntpd leapfile ntp_db_leapfile="/var/db/ntpd.leap-seconds.list" Modified: head/etc/rc.d/ntpd ============================================================================== --- head/etc/rc.d/ntpd Fri Jul 20 13:45:09 2018 (r336546) +++ head/etc/rc.d/ntpd Fri Jul 20 13:59:29 2018 (r336547)
@@ -14,53 +14,103 @@ name="ntpd" desc="Network Time Protocol daemon" rcvar="ntpd_enable" command="/usr/sbin/${name}" -pidfile="/var/run/${name}.pid" extra_commands="fetch needfetch" fetch_cmd="ntpd_fetch_leapfile" needfetch_cmd="ntpd_needfetch_leapfile" start_precmd="ntpd_precmd" _ntp_tmp_leapfile="/var/run/ntpd.leap-seconds.list" +_ntp_default_dir="/var/db/ntp" +_ntp_default_driftfile="${_ntp_default_dir}/ntpd.drift" +_ntp_old_driftfile="/var/db/ntpd.drift" +pidfile="${_ntp_default_dir}/${name}.pid" + load_rc_config $name -ntpd_precmd() +can_run_nonroot() { - rc_flags="-c ${ntpd_config} ${ntpd_flags}" - - if checkyesno ntpd_sync_on_start; then - rc_flags="-g $rc_flags" + # If the admin set what uid to use, we don't change it. + if [ -n "${ntpd_user}" ]; then + return 1 fi - ntpd_init_leapfile + # If the admin set any command line options involving files, we + # may not be able to access them as user ntpd. + case "${rc_flags}" in + *-f* | *--driftfile* | *-i* | *--jaildir* | \ + *-k* | *--keyfile* | *-l* | *--logfile* | \ + *-p* | *--pidfile* | *-s* | *--statsdir* ) + return 1;; + esac - if [ ! -f $ntp_db_leapfile ]; then - ntpd_fetch_leapfile + # If the admin set any options in ntp.conf involving files, + # we may not be able to access them as user ntpd. + local fileopts="^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir" + grep -E -q "${fileopts}" "${ntpd_config}" && return 1 + + # Try to set up the the MAC ntpd policy so ntpd can run with reduced + # privileges. Detect whether MAC is compiled into the kernel, load + # the policy module if not already present, then check whether the + # policy has been disabled via tunable or sysctl. 
+ [ -n "$(sysctl -qn security.mac.version)" ] || return 1 + sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1 + [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1 + + # On older existing systems, the ntp dir may by owned by root, change + # it to ntpd to give the daemon create/write access to the driftfile. + if [ "$(stat -f %u ${_ntp_default_dir})" = "0" ]; then + chown ntpd:ntpd "${_ntp_default_dir}" || return 1 + chmod 0755 "${_ntp_default_dir}" || return 1 + logger -s -t "rc.d/ntpd" -p daemon.notice \ + "${_ntp_default_dir} updated to owner ntpd:ntpd, mode 0755" fi - if [ -z "$ntpd_chrootdir" ]; then - return 0; + # If the driftfile exists in the standard location for older existing + # systems, move it into the ntp dir and fix the ownership if we can. + if [ -f "${_ntp_old_driftfile}" ] && [ ! -L "${_ntp_old_driftfile}" ]; then + mv "${_ntp_old_driftfile}" "${_ntp_default_driftfile}" && + chown ntpd:ntpd "${_ntp_default_driftfile}" || return 1 + logger -s -t "rc.d/ntpd" -p daemon.notice \ + "${_ntp_default_driftfile} updated to owner ntpd:ntpd" + logger -s -t "rc.d/ntpd" -p daemon.notice \ + "${_ntp_old_driftfile} moved to ${_ntp_default_driftfile}" fi +} - # If running in a chroot cage, ensure that the appropriate files - # exist inside the cage, as well as helper symlinks into the cage - # from outside. - # - # As this is called after the is_running and required_dir checks - # are made in run_rc_command(), we can safely assume ${ntpd_chrootdir} - # exists and ntpd isn't running at this point (unless forcestart - # is used). - # - if [ ! -c "${ntpd_chrootdir}/dev/clockctl" ]; then - rm -f "${ntpd_chrootdir}/dev/clockctl" - ( cd /dev ; /bin/pax -rw -pe clockctl "${ntpd_chrootdir}/dev" ) +ntpd_precmd() +{ + local driftopt + + # If we can run as a non-root user, switch uid to ntpd and use the + # new default location for the driftfile inside the ntpd-owned dir. 
+ # Otherwise, figure out what to do about the driftfile option. If set + # by the admin, we don't add the option. If the file exists in the old + # default location we use that, else we use the new default location. + if can_run_nonroot; then + _user="ntpd" + driftopt="-f ${_ntp_default_driftfile}" + elif [ -z "${rc_flags##*-f*}" ] || + [ -z "${rc_flags##*--driftfile*}" ] || + grep -q "^[ \t]*driftfile" "${ntpd_config}"; then + driftopt="" # admin set the option, we don't need to add it. + elif [ -f "${_ntp_old_driftfile}" ]; then + driftopt="-f ${_ntp_old_driftfile}" + else + driftopt="-f ${_ntp_default_driftfile}" fi - ln -fs "${ntpd_chrootdir}/var/db/ntp.drift" /var/db/ntp.drift - ln -fs "${ntpd_chrootdir}${_ntp_tmp_leapfile}" ${_ntp_tmp_leapfile} - # Change run_rc_commands()'s internal copy of $ntpd_flags - # - rc_flags="-u ntpd:ntpd -i ${ntpd_chrootdir} $rc_flags" + # Set command_args based on the various config vars. + command_args="-p ${pidfile} -c ${ntpd_config} ${driftopt}" + if checkyesno ntpd_sync_on_start; then + command_args="${command_args} -g" + fi + + # Make sure the leapfile is ready to use. + ntpd_init_leapfile + if [ ! -f "${ntp_db_leapfile}" ]; then + ntpd_fetch_leapfile + fi } current_ntp_ts() {
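Review bot: In the defaults/rc.conf hunk, the new comment on `+ntpd_flags=""   # Additional flags to ntpd` should state which flags rc.d/ntpd now supplies itself, because an rc.conf that still carries the old default (`-p /var/run/ntpd.pid -f /var/db/ntpd.drift`) will be common on upgraded systems and now has two effects: `-p` is passed twice (`command_args` always adds `-p ${pidfile}`, and that pidfile has moved from /var/run to the `${_ntp_default_dir}` directory), and the `*-f*` / `*-p*` patterns in `can_run_nonroot` silently keep ntpd running as root. Something like `# Additional flags to ntpd; -c, -p and the default -f are set by rc.d/ntpd` would save admins from chasing why the non-root switch did not happen, and the pidfile relocation deserves a line in the release note alongside the non-root change.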
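Review bot: The ntp.conf directive checks in `can_run_nonroot` and `ntpd_precmd` miss tab-indented lines: inside a bracket expression a backslash is literal, so `[ \t]` in `local fileopts="^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|..."` and in `grep -q "^[ \t]*driftfile" "${ntpd_config}"` matches a space, a backslash or the letter t, never a tab. A config with a tab before `driftfile`, `keys`, `logfile` or `statsdir` therefore looks vanilla, ntpd is switched to user ntpd, and the admin's directive can name a path that user cannot write, which is exactly the case the comment above the grep says it wants to catch. Use `[[:blank:]]*` (or a literal tab character) in both patterns. Smaller points in the same hunk: `[ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ]` uses the non-POSIX `==` while the `stat` test a few lines later uses `=`, so use `=` in both; if `${_ntp_default_dir}` does not exist, `stat -f %u` fails, the ownership fix is skipped and the function still returns 0 unless the old driftfile happens to exist, so an explicit `[ -d "${_ntp_default_dir}" ] || return 1` before the stat would fail closed; `ntpd_chrootdir` is now silently ignored, and a `warn` when it is set would help admins who still have it in rc.conf; and the comments read `the the MAC ntpd policy` and `may by owned by root`.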