From: Juergen Perlinger Date: Wed, 25 Jul 2018 05:08:13 +0000 (+0200) Subject: [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, other TrustedBSD... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d47b26ead6b5aebfea403966b53c2f455b96391;p=thirdparty%2Fntp.git [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, other TrustedBSD platforms bk: 5b5805bdBBiXAGks9qBW8kjKCeUJrw --- diff --git a/ChangeLog b/ChangeLog index cc8d76b13..401441e32 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ * [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability - fixed stack buffer overflow in NTPQ/NTPDC * [Sec 3012] noepeer tweaks. +* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, + other TrustedBSD platforms + - applied patch by Ian Lepore * [Bug 3506] Service Control Manager interacts poorly with NTPD - changed interaction with SCM to signal pending startup * [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c index 7d8f1186d..b477a7180 100644 --- a/ntpd/ntpd.c +++ b/ntpd/ntpd.c @@ -127,6 +127,9 @@ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) # include #endif /* HAVE_PRIV_H */ +#if defined(HAVE_TRUSTEDBSD_MAC) +# include +#endif /* HAVE_TRUSTEDBSD_MAC */ #endif /* HAVE_DROPROOT */ #if defined (LIBSECCOMP) && (KERN_SECCOMP) @@ -844,7 +847,12 @@ ntpdmain( /* MPE lacks the concept of root */ # if defined(HAVE_GETUID) && !defined(MPE) uid = getuid(); - if (uid && !HAVE_OPT( SAVECONFIGQUIT )) { + if (uid && !HAVE_OPT( SAVECONFIGQUIT ) +# if defined(HAVE_TRUSTEDBSD_MAC) + /* We can run as non-root if the mac_ntpd policy is enabled. */ + && mac_is_present("ntpd") != 1 +# endif + ) { msyslog_term = TRUE; msyslog(LOG_ERR, "must be run as root, not uid %ld", (long)uid); 
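Review bot: In the `ntpdmain()` startup check at -844/+847, `mac_is_present("ntpd") != 1` only establishes that a policy with that name is loaded, so any non-root uid passes the gate when it is, whether or not the policy actually grants that uid clock and port privileges; the same test is reused for `sw_uid` in the hunk at +1174. If the policy limits its grant to a specific uid or can be disabled while loaded (not visible from this diff, so worth confirming against the mac_ntpd documentation), ntpd would start and then fail later on its privileged calls rather than at this check. I would at least record the limitation next to the test, e.g. `/* Presence only: does not prove the policy is enabled for this uid; privileged calls may still fail later. */`. A return of -1 (error) is treated as absent, which is the safe direction, but the resulting "must be run as root" message hides the cause. `ntpdmain()` begins and ends outside the hunk.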
@@ -1166,7 +1174,17 @@ ntpdmain( if (0 == set_user_group_ids()) exit(-1); -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) +# if defined(HAVE_TRUSTEDBSD_MAC) + /* + * To manipulate system time and (re-)bind to NTP_PORT as needed + * following interface changes, we must either run as uid 0 or + * the mac_ntpd policy module must be enabled. + */ + if (sw_uid != 0 && mac_is_present("ntpd") != 1) { + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges"); + exit (-1); + } +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) /* * for now assume that the privilege to bind to privileged ports * is associated with running with uid 0 - should be refined on diff --git a/sntp/m4/ntp_libntp.m4 b/sntp/m4/ntp_libntp.m4 index 3f35a92da..adf97cea4 100644 --- a/sntp/m4/ntp_libntp.m4 +++ b/sntp/m4/ntp_libntp.m4 @@ -693,7 +693,28 @@ esac AC_MSG_RESULT([$ntp_have_solarisprivs]) -case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in +AC_CHECK_HEADERS([sys/mac.h]) + +AC_ARG_ENABLE( + [trustedbsd_mac], + [AS_HELP_STRING( + [--enable-trustedbsd-mac], + [- Use TrustedBSD MAC policy for non-root clock control] + )], + [ntp_use_trustedbsd_mac=$enableval] +) + +AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges]) + +case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in + yesyes) + AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1], + [Are TrustedBSD MAC policy privileges available?]) +esac + +AC_MSG_RESULT([$ntp_use_trustedbsd_mac]) + +case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in *yes*) AC_DEFINE([HAVE_DROPROOT], [1], [Can we drop root privileges?])
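Review bot: With `HAVE_TRUSTEDBSD_MAC` defined, the new `#if` branch after `set_user_group_ids()` replaces the generic `#elif` fallback, so a build configured for the MAC policy exits when the policy is absent instead of taking whatever degraded path that fallback provides for a non-zero `sw_uid`. That fail-closed choice looks deliberate but is not stated, and the check runs only after the ids have already been switched. I would say so in the comment, e.g. `* Unlike the generic fallback below, refuse to continue rather than run without these privileges.`, and include the uid in the message: `msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges (uid %ld)", (long)sw_uid);`. The enclosing block of `ntpdmain()` starts and ends outside the hunk.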
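Review bot: The final `case` that defines `HAVE_DROPROOT` keys on `$ntp_use_trustedbsd_mac`, which is the value the user requested, not whether `sys/mac.h` was found; `--enable-trustedbsd-mac` on a host without the header can therefore yield `HAVE_DROPROOT` without `HAVE_TRUSTEDBSD_MAC`, and without any other drop-root mechanism if none was detected. The variable is also unset when the option is omitted, so `AC_MSG_RESULT` prints an empty answer, and the `yesyes)` arm has no `;;`. Tracking the effective result in its own variable that defaults to `no` addresses all three; a sketch follows.

```m4
dnl … unchanged: AC_CHECK_HEADERS([sys/mac.h]), AC_ARG_ENABLE([trustedbsd_mac], …), AC_MSG_CHECKING …
ntp_have_trustedbsd_mac=no
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
 yesyes)
    ntp_have_trustedbsd_mac=yes
    AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
	[Are TrustedBSD MAC policy privileges available?])
    ;;
esac

AC_MSG_RESULT([$ntp_have_trustedbsd_mac])

case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_have_trustedbsd_mac" in
dnl … unchanged: *yes*) arm defining HAVE_DROPROOT …
```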