switch after start in order to drop root privileges. It overrides the
@code{user} directive (default @code{@DEFAULT_USER@}). It may be set to a
non-root user only when @code{chronyd} is compiled with support for Linux
-capabilities (libcap) or on NetBSD with the @code{/dev/clockctl} device.
+capabilities (libcap), on NetBSD with the @code{/dev/clockctl} device or on
+Mac OS X.
+
+In the Mac OS X implementation @code{chronyd} forks into two processes. The
+child process retains root privileges but can only perform a very limited range
+of privileged system calls on behalf of the parent. The parent process drops
+root privileges to run as the specified system user.
@item -F <level>
This option configures a system call filter when @code{chronyd} is compiled with
support for the Linux secure computing (seccomp) facility. In level 1 the
The @code{user} directive sets the name of the system user to which
@code{chronyd} will switch after start in order to drop root privileges.
It may be set to a non-root user only when @code{chronyd} is compiled with
-support for Linux capabilities (libcap) or on NetBSD with the
-@code{/dev/clockctl} device.
+support for Linux capabilities (libcap), on NetBSD with the
+@code{/dev/clockctl} device or on Mac OS X.
+
+In the Mac OS X implementation @code{chronyd} forks into two processes. The
+child process retains root privileges but can only perform a very limited range
+of privileged system calls on behalf of the parent. The parent process drops
+root privileges to run as the specified system user.
The default value is @code{@DEFAULT_USER@}.
@c }}}
after start in order to drop root privileges. It overrides the \fBuser\fR
directive (default \fB@DEFAULT_USER@\fR). It may be set to a non-root user
only when \fBchronyd\fR is compiled with support for Linux capabilities
-(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
+(libcap), on NetBSD with the \fB/dev/clockctl\fR device or on Mac OS X.
+
+In the Mac OS X implementation \fBchronyd\fR forks into two processes. The
+child process retains root privileges but can only perform a very limited range
+of privileged system calls on behalf of the parent. The parent process drops
+root privileges to run as the specified system user.
.TP
\fB\-F\fR \fIlevel\fR
This option configures a system call filter when \fBchronyd\fR is compiled with
EXTRA_LIBS="-lresolv"
EXTRA_CLI_LIBS="-lresolv"
add_def MACOSX
+ if [ $feat_droproot = "1" ]; then
+ EXTRA_OBJECTS="$EXTRA_OBJECTS privops.o"
+ add_def PRIVOPS_ADJUSTTIME
+ add_def PRIVOPS_SETTIME
+ add_def PRIVOPS_BINDSOCKET
+ add_def PRIVOPS_HELPER
+ add_def FEAT_PRIVDROP
+ fi
echo "Configuring for MacOS X (" $SYSTEM "MacOS X version" $VERSION ")"
;;
SunOS)
#include "local.h"
#include "logging.h"
#include "conf.h"
+#include "privops.h"
#include "util.h"
#define INVALID_SOCK_FD -1
#endif
/* Bind the socket if a port or address was specified */
- if (my_addr_len > 0 && bind(sock_fd, &my_addr.u, my_addr_len) < 0) {
+ if (my_addr_len > 0 && PRV_BindSocket(sock_fd, &my_addr.u, my_addr_len) < 0) {
LOG(LOGS_ERR, LOGF_NtpIO, "Could not bind %s NTP socket : %s",
UTI_SockaddrFamilyToString(family), strerror(errno));
close(sock_fd);
SYS_Linux_DropRoot(uid, gid);
#elif defined(NETBSD) && defined(FEAT_PRIVDROP)
SYS_NetBSD_DropRoot(uid, gid);
+#elif defined(MACOSX) && defined(FEAT_PRIVDROP)
+ SYS_MacOSX_DropRoot(uid, gid);
#else
LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
#endif
#include "localp.h"
#include "sched.h"
#include "logging.h"
+#include "privops.h"
#include "util.h"
/* ================================================== */
newadj.tv_sec = 0;
newadj.tv_usec = 0;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (PRV_AdjustTime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
}
UTI_TimevalToDouble(&newadj, &adjustment_requested);
rounding_error = adjust_required - adjustment_requested;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (PRV_AdjustTime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
zeroadj.tv_sec = 0;
zeroadj.tv_usec = 0;
- if (adjtime(&zeroadj, &remadj) < 0) {
+ if (PRV_AdjustTime(&zeroadj, &remadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
- if (settimeofday(&new_time, NULL) < 0) {
+ if (PRV_SetTime(&new_time, NULL) < 0) {
DEBUG_LOG(LOGF_SysMacOSX, "settimeofday() failed");
return 0;
}
/* ================================================== */
+#ifdef FEAT_PRIVDROP
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+{
+ PRV_Initialise();
+
+ if (setgroups(0, NULL))
+ LOG_FATAL(LOGF_SysMacOSX, "setgroups() failed : %s", strerror(errno));
+
+ if (setgid(gid))
+ LOG_FATAL(LOGF_SysMacOSX, "setgid(%d) failed : %s", gid, strerror(errno));
+
+ if (setuid(uid))
+ LOG_FATAL(LOGF_SysMacOSX, "setuid(%d) failed : %s", uid, strerror(errno));
+
+ DEBUG_LOG(LOGF_SysMacOSX, "Root dropped to uid %d gid %d", uid, gid);
+}
+#endif
+
+/* ================================================== */
+
void
SYS_MacOSX_Initialise(void)
{
SCH_RemoveTimeout(drift_removal_id);
clock_finalise();
+#ifdef FEAT_PRIVDROP
+ PRV_Finalise();
+#endif
}
/* ================================================== */
#define GOT_SYS_MACOSX_H
void SYS_MacOSX_SetScheduler(int SchedPriority);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
void SYS_MacOSX_Initialise(void);
void SYS_MacOSX_Finalise(void);
projects / thirdparty / chrony.git / commitdiff
