conf: warn if not having read-only access to keys

After dropping root privileges, log a warning message if chronyd
doesn't have read access or has (unnecessary) write access to the
files containing symmetric and server NTS keys.

diff --git a/conf.c b/conf.c
index 9f42a42607b4c40728f679cccd6e66c8f8917146..0597836d8f05a4da117830236928ee5f07a3e2de 100644 (file)
--- a/conf.c
+++ b/conf.c
@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid)
 
 /* ================================================== */
 
+void
+CNF_CheckReadOnlyAccess(void)
+{
+  unsigned int i;
+
+  if (keys_file)
+    UTI_CheckReadOnlyAccess(keys_file);
+  for (i = 0; i < ARR_GetSize(nts_server_key_files); i++)
+    UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i));
+}
+
+/* ================================================== */
+
 void
 CNF_AddInitSources(void)
 {

diff --git a/conf.h b/conf.h
index 11fd11dfab695d54d375c5ba458cd86c6d929995..d7acb4fdd2b119932f359bba98883f0765571c0c 100644 (file)
--- a/conf.h
+++ b/conf.h
@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line);
 
 extern void CNF_CreateDirs(uid_t uid, gid_t gid);
 
+extern void CNF_CheckReadOnlyAccess(void);
+
 extern void CNF_AddInitSources(void);
 extern void CNF_AddSources(void);
 extern void CNF_AddBroadcasts(void);

diff --git a/main.c b/main.c
index c40b5e4bb4445786e2732a9e2ebd151278a482d3..31e3c8f0644e2e04c2bc20acea9a348b31952566 100644 (file)
--- a/main.c
+++ b/main.c
@@ -637,9 +637,13 @@ int main
   }
 
   /* Drop root privileges if the specified user has a non-zero UID */
-  if (!geteuid() && (pw->pw_uid || pw->pw_gid))
+  if (!geteuid() && (pw->pw_uid || pw->pw_gid)) {
     SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS);
 
+    /* Warn if missing read access or having write access to keys */
+    CNF_CheckReadOnlyAccess();
+  }
+
   if (!geteuid())
     LOG(LOGS_WARN, "Running with root privileges");
 

diff --git a/util.c b/util.c
index 4b9d30ee93da99ddd774e2b74ecf6fa7a4f29a27..0321720e42830d52c2efc308ae7ad2706847c5d6 100644 (file)
--- a/util.c
+++ b/util.c
@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm)
 
 /* ================================================== */
 
+void
+UTI_CheckReadOnlyAccess(const char *path)
+{
+  if (access(path, R_OK) != 0 && errno != ENOENT)
+    LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno));
+  if (access(path, W_OK) == 0)
+    LOG(LOGS_WARN, "Having write access to %s", path);
+}
+
+/* ================================================== */
+
 static int
 join_path(const char *basedir, const char *name, const char *suffix,
           char *buffer, size_t length, LOG_Severity severity)

diff --git a/util.h b/util.h
index 6844798c616fee4867ba80b97789cf670360596b..d8e25dee19123872a0f22a0673a9cae31261ebea 100644 (file)
--- a/util.h
+++ b/util.h
@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid
    specified.  It does not return error if it is not an accessible file. */
 extern int UTI_CheckFilePermissions(const char *path, mode_t perm);
 
+/* Log a warning message if not having read access or having write access
+   to a file/directory */
+extern void UTI_CheckReadOnlyAccess(const char *path);
+
 /* Open a file.  The full path of the file is constructed from the basedir
    (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
    Created files have specified permissions (umasked).  Returns NULL on error.