[Bug 3509] Add support for running as non-root on FreeBSD, Darwin, other TrustedBSD...
authorJuergen Perlinger <perlinger@ntp.org>
Wed, 25 Jul 2018 05:08:13 +0000 (07:08 +0200)
committerJuergen Perlinger <perlinger@ntp.org>
Wed, 25 Jul 2018 05:08:13 +0000 (07:08 +0200)
bk: 5b5805bdBBiXAGks9qBW8kjKCeUJrw

ChangeLog
ntpd/ntpd.c
sntp/m4/ntp_libntp.m4

index cc8d76b1375c84e1e58e505d6037c9e705633311..401441e3264d855d5f871f716f4fe89b369ce154 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
 * [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
   - fixed stack buffer overflow in NTPQ/NTPDC <perlinger@ntp.org>
 * [Sec 3012] noepeer tweaks.  <stenn@ntp.org>
+* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
+             other TrustedBSD platforms
+  - applied patch by Ian Lepore <perlinger@ntp.org>
 * [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
   - changed interaction with SCM to signal pending startup
 * [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
index 7d8f1186daba875204a26a4c48d9a6f8c4a1beaa..b477a71804bffc347b45f3ec3794c5a6bbd670ab 100644 (file)
 #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
 # include <priv.h>
 #endif /* HAVE_PRIV_H */
+#if defined(HAVE_TRUSTEDBSD_MAC)
+# include <sys/mac.h>
+#endif /* HAVE_TRUSTEDBSD_MAC */
 #endif /* HAVE_DROPROOT */
 
 #if defined (LIBSECCOMP) && (KERN_SECCOMP)
@@ -844,7 +847,12 @@ ntpdmain(
        /* MPE lacks the concept of root */
 # if defined(HAVE_GETUID) && !defined(MPE)
        uid = getuid();
-       if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
+       if (uid && !HAVE_OPT( SAVECONFIGQUIT )
+#  if defined(HAVE_TRUSTEDBSD_MAC)
+           /* We can run as non-root if the mac_ntpd policy is enabled. */
+           && mac_is_present("ntpd") != 1
+#  endif
+           ) {
                msyslog_term = TRUE;
                msyslog(LOG_ERR,
                        "must be run as root, not uid %ld", (long)uid);
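Review bot: The added condition `&& mac_is_present("ntpd") != 1` only establishes that a MAC policy named "ntpd" is known to the kernel, while the comment above it says the policy is "enabled". Whether the policy is actually switched on, and whether it grants its privileges to the uid ntpd was started under, is not examined here (this is inferred from how mac_is_present() is documented, so confirm against the target platform). A start under an arbitrary non-root uid therefore passes this gate and would presumably fail later at bind or clock adjustment with a less direct error. The same test is repeated in the drop-root hunk further down. At minimum, reword the comment to `/* Non-root start is permitted when the mac_ntpd policy module is loaded; the policy decides which uid is privileged. */`, and note that "must be run as root" is no longer the whole story on these builds. ntpdmain continues outside this hunk.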
@@ -1166,7 +1174,17 @@ ntpdmain(
                if (0 == set_user_group_ids())
                        exit(-1);
 
-#  if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
+#  if defined(HAVE_TRUSTEDBSD_MAC)
+               /*
+                * To manipulate system time and (re-)bind to NTP_PORT as needed
+                * following interface changes, we must either run as uid 0 or
+                * the mac_ntpd policy module must be enabled.
+                */
+               if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
+                       msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges");
+                       exit (-1);
+               }
+#  elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
                /*
                 * for now assume that the privilege to bind to privileged ports
                 * is associated with running with uid 0 - should be refined on
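Review bot: In `if (sw_uid != 0 && mac_is_present("ntpd") != 1)`, an error return of -1 from mac_is_present() is handled exactly like an absent policy, so the log line blames configuration even when the query itself failed. A separate branch for a negative return, logging something like `"mac_is_present(ntpd) failed: %m"`, would let an operator tell the two apart. The test also runs only after `set_user_group_ids()` has already succeeded, so the missing policy is discovered after the identity change rather than before it; moving the check ahead of that call would fail earlier. Unlike the start-up check, this path does not set `msyslog_term`, so the message may reach syslog only. The surrounding block begins and ends outside this hunk.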
index 3f35a92daeb4608004d17227d8a46440b113b718..adf97cea4026eb920947835df460424ac316af3c 100644 (file)
@@ -693,7 +693,28 @@ esac
 
 AC_MSG_RESULT([$ntp_have_solarisprivs])
 
-case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
+AC_CHECK_HEADERS([sys/mac.h])
+
+AC_ARG_ENABLE(
+    [trustedbsd_mac],
+    [AS_HELP_STRING(
+       [--enable-trustedbsd-mac],
+       [- Use TrustedBSD MAC policy for non-root clock control]
+    )],
+    [ntp_use_trustedbsd_mac=$enableval]
+)
+
+AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges])
+
+case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
+ yesyes)
+    AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
+       [Are TrustedBSD MAC policy privileges available?])
+esac
+
+AC_MSG_RESULT([$ntp_use_trustedbsd_mac])
+
+case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in
  *yes*)
     AC_DEFINE([HAVE_DROPROOT], [1],
        [Can we drop root privileges?])
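Review bot: `$ntp_use_trustedbsd_mac` carries the user's request, not the outcome of the check, yet it feeds both `AC_MSG_RESULT` and the final `case` that defines HAVE_DROPROOT. With `--enable-trustedbsd-mac` on a system lacking `sys/mac.h`, configure prints "yes" and defines HAVE_DROPROOT although HAVE_TRUSTEDBSD_MAC is not defined. Without the option, the variable is never set and the result line is printed empty. A separate result variable that defaults to `no` and becomes `yes` only in the `yesyes)` arm keeps the report and the HAVE_DROPROOT decision tied to what was actually detected. The final `case` statement continues past the end of this hunk.

```m4
AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges])

ntp_have_trustedbsd_mac=no
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
 yesyes)
    ntp_have_trustedbsd_mac=yes
    dnl … unchanged: AC_DEFINE([HAVE_TRUSTEDBSD_MAC], …) …
esac

AC_MSG_RESULT([$ntp_have_trustedbsd_mac])

case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_have_trustedbsd_mac" in
```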