From: Harlan Stenn
Date: Tue, 24 Sep 2013 08:05:09 +0000 (-0400)
Subject: [Bug 2482] Add droproot ahd jail support for Solaris
X-Git-Tag: NTP_4_2_7P389~2^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31052af4fa19226fe967ec7e0f6ca0edfaa66ef0;p=thirdparty%2Fntp.git
[Bug 2482] Add droproot ahd jail support for Solaris
bk: 524147b5XXPe_hXD-ygwMgCUMiA-cg
---
diff --git a/ChangeLog b/ChangeLog
index 10684a878..b280dcdbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
+* [Bug 2481] ntpd aborts when both user and group are specified with -u.
+* [Bug 2482] Add droproot ahd jail support for Solaris.
 (4.2.7p388) 2013/09/19 Released by Harlan Stenn
 * [Bug 2473] NTPD exits after clock is stepped backwards externally
 (4.2.7p387) 2013/09/16 Released by Harlan Stenn
diff --git a/configure.ac b/configure.ac
index 0d6b47e81..4297760cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4159,17 +4159,6 @@ case "$ac_cv_header_libscf_h" in
 esac
 AC_SUBST([LSCF])
-AC_CHECK_FUNC(
- [setppriv],
- [ans=yes],
- [ans=no]
-)
-case "$ans" in
- yes)
- AC_DEFINE([HAVE_SOLARIS_PRIVS], [1],
- [Are Solaris privileges available?])
-esac
-
 NTP_IPV6
diff --git a/ntpd/cmd_args.c b/ntpd/cmd_args.c
index 5357ace9c..045c0a98e 100644
--- a/ntpd/cmd_args.c
+++ b/ntpd/cmd_args.c
@@ -134,9 +134,12 @@ getCmdOpts(
 user = estrdup(OPT_ARG( USER ));
 group = strrchr(user, ':');
 if (group != NULL) {
+ size_t len;
+
 *group++ = '\0'; /* get rid of the ':' */
+ len = group - user;
 group = estrdup(group);
- user = erealloc(user, group - user);
+ user = erealloc(user, len);
 }
 }
 #endif
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index a01b889de..8e36a2685 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -78,6 +78,7 @@
 # include
 #endif /* SYS_DOMAINOS */
+
 #include "recvbuff.h"
 #include "ntp_cmdargs.h"
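Review bot: In the cmd_args.c hunk, `len = group - user;` is only right because `group` was advanced past the ':' that the previous line turned into a terminator, so `len` is the user name length plus its NUL; that reasoning is invisible at the `erealloc(user, len)` call and deserves a comment such as `len = group - user; /* user incl. the NUL that replaced ':' */`. The pointer difference is a ptrdiff_t stored into a size_t; it is non-negative here, so an explicit `(size_t)` cast would only document the intent for -Wconversion builds. getCmdOpts() begins and ends outside the hunk.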
@@ -106,8 +107,11 @@
 #ifdef HAVE_LINUX_CAPABILITIES
 # include
 # include
-#endif
-#endif
+#endif /* HAVE_LINUX_CAPABILITIES */
+#if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+# include
+#endif /* HAVE_PRIV_H */
+#endif /* HAVE_DROPROOT */
 #ifdef HAVE_DNSREGISTRATION
 #include
@@ -120,6 +124,11 @@ DNSServiceRef mdns;
 #define ntp_setpgrp(x, y) setpgrp(x, y)
 #endif
+#ifdef HAVE_SOLARIS_PRIVS
+#define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
+static priv_set_t *lowprivs = NULL;
+static priv_set_t *highprivs = NULL;
+#endif /* HAVE_SOLARIS_PRIVS */
 /*
 * Scheduling priority we run at
 */
@@ -821,13 +830,15 @@ ntpdmain(
 msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" );
 exit(-1);
 }
+# elif HAVE_SOLARIS_PRIVS
+ (void) setpflags(PRIV_AWARE_RESET, 1);
 # else
 /* we need a user to switch to */
 if (user == NULL) {
 msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" );
 exit(-1);
 }
-# endif /* HAVE_LINUX_CAPABILITIES */
+# endif /* HAVE_LINUX_CAPABILITIES || HAVE_SOLARIS_PRIVS */
 if (user != NULL) {
 if (isdigit((unsigned char)*user)) {
@@ -892,6 +903,22 @@ getgroup:
 exit (-1);
 }
 }
+# ifdef HAVE_SOLARIS_PRIVS
+ if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
+ msyslog(LOG_ERR, "priv_str_to_set() failed:%m");
+ exit(-1);
+ }
+ if ((highprivs = priv_allocset()) == NULL) {
+ msyslog(LOG_ERR, "priv_allocset() failed:%m");
+ exit(-1);
+ }
+ (void) getppriv(PRIV_PERMITTED, highprivs);
+ (void) priv_intersect(highprivs, lowprivs);
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+ msyslog(LOG_ERR, "setppriv() failed:%m");
+ exit(-1);
+ }
+# endif /* HAVE_SOLARIS_PRIVS */
 if (user && initgroups(user, sw_gid)) {
 msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
 exit (-1);
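Review bot: The priv.h include is guarded by `#if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)`, but every use of priv_set_t and the priv_*()/setppriv() calls (the @@ -120 hunk and both getgroup hunks) is guarded by HAVE_SOLARIS_PRIVS alone, so a build with HAVE_SOLARIS_PRIVS and without HAVE_PRIV_H dies on undeclared types instead of a clear message. That combination looks reachable: the m4 hunk in this commit lets `--enable-solarisprivs` assign `ntp_have_solarisprivs=$enableval` independently of the priv.h header check. Either make the uses match the include guard or fail early, e.g. `#if defined(HAVE_SOLARIS_PRIVS) && !defined(HAVE_PRIV_H)` / `# error HAVE_SOLARIS_PRIVS requires priv.h` / `#endif`. The closing comment `/* HAVE_PRIV_H */` also understates the condition it closes.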
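Review bot: LOWPRIVS is a security-relevant allow-list with no comment explaining any entry, so a maintainer later tightening or loosening it has nothing to go on. Worth recording next to the #define that proc_setid is kept only so the uid/gid switch after it can succeed and is deleted again before root_dropped is set, why sys_time and net_privaddr are retained (presumably clock adjustment and binding NTP_PORT), and that !proc_exec, !proc_info and !proc_session are deliberate denials, e.g. `/* proc_setid: needed for the setuid/setgid below, removed once root is dropped */`. It is also worth noting there that the later priv_intersect() trims this list to what the process already holds, so a privilege missing at startup disappears silently rather than producing an error.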
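Review bot: `(void) setpflags(PRIV_AWARE_RESET, 1);` discards the return value, while the sibling prctl(PR_SET_KEEPCAPS) branch directly above treats failure as fatal; if the flag cannot be set, the privilege handling that follows runs in a state it did not expect and nothing is logged to explain it. Mirror the Linux branch: test for -1, report via msyslog(LOG_ERR, ...) with `%m`, and exit(-1). Minor: `# elif HAVE_SOLARIS_PRIVS` depends on the macro expanding to a non-zero value, whereas the rest of the file tests presence with `defined()`; `# elif defined(HAVE_SOLARIS_PRIVS)` is the consistent form. ntpdmain() continues on both sides of the hunk.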
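Review bot: `(void) getppriv(PRIV_PERMITTED, highprivs);` ignores a possible failure, and priv_allocset() is not documented to initialise the set it returns, so on a getppriv() error the following `priv_intersect(highprivs, lowprivs)` would intersect against indeterminate contents and the permitted set installed by setppriv() would be arbitrary rather than the intended LOWPRIVS subset. Check it like the three neighbouring calls: on -1 log `getppriv() failed:%m` through msyslog(LOG_ERR, ...) and exit(-1). Note also that this block only sets PRIV_PERMITTED; whether the effective and inheritable sets end up equally restricted is not visible here and should be confirmed against the setppriv(2) semantics before relying on it.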
@@ -913,14 +940,14 @@ getgroup:
 exit (-1);
 }
-# ifndef HAVE_LINUX_CAPABILITIES
+# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
 /*
 * for now assume that the privilege to bind to privileged ports
 * is associated with running with uid 0 - should be refined on
 * ports that allow binding to NTP_PORT with uid != 0
 */
 disable_dynamic_updates |= (sw_uid != 0); /* also notifies routing message listener */
-# endif
+# endif /* !HAVE_LINUX_CAPABILITIES && !HAVE_SOLARIS_PRIVS */
 if (disable_dynamic_updates && interface_interval) {
 interface_interval = 0;
@@ -955,6 +982,18 @@ getgroup:
 cap_free(caps);
 }
 # endif /* HAVE_LINUX_CAPABILITIES */
+# ifdef HAVE_SOLARIS_PRIVS
+ if (priv_delset(lowprivs, "proc_setid") == -1) {
+ msyslog(LOG_ERR, "priv_delset() failed:%m");
+ exit(-1);
+ }
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+ msyslog(LOG_ERR, "setppriv() failed:%m");
+ exit(-1);
+ }
+ priv_freeset(lowprivs);
+ priv_freeset(highprivs);
+# endif /* HAVE_SOLARIS_PRIVS */
 root_dropped = TRUE;
 fork_deferred_worker();
 } /* if (droproot) */
diff --git a/ntpd/ntpdbase-opts.def b/ntpd/ntpdbase-opts.def
index 386f0b765..a396dce4e 100644
--- a/ntpd/ntpdbase-opts.def
+++ b/ntpd/ntpdbase-opts.def
@@ -122,7 +122,7 @@ flag = {
 value = i;
 arg-type = string;
 descrip = "Jail directory";
- omitted-usage = "built without --enable-clockctl or --enable-linuxcaps";
+ omitted-usage = "built without --enable-clockctl or --enable-linuxcaps or --enable-solarisprivs";
 doc = <<- _EndOfDoc_
 Chroot the server to the directory @kbd{jaildir}
@@ -134,8 +134,8 @@ flag = {
 This option is only available if the OS supports adjusting the clock
 without full root privileges.
 This option is supported under NetBSD (configure with
- @code{--enable-clockctl}) and Linux (configure with
- @code{--enable-linuxcaps}).
+ @code{--enable-clockctl}) or Linux (configure with
+ @code{--enable-linuxcaps}) or Solaris (configure with @code{--enable-solarisprivs}).
 _EndOfDoc_;
 };
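Review bot: In the @@ -955 hunk, after `priv_freeset(lowprivs); priv_freeset(highprivs);` the two file-scope statics keep pointing at freed memory; nothing in the hunk touches them afterwards, but they are globals that outlive this block, so reset them with `lowprivs = NULL;` and `highprivs = NULL;` right after the frees. This is the second setppriv(PRIV_SET, PRIV_PERMITTED, ...) that sets only the permitted set; a one-line comment stating that dropping proc_setid here is what makes the earlier uid/gid switch irreversible would help the next reader. The enclosing `if (droproot)` block begins outside the hunk.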
@@ -335,14 +335,14 @@ flag = {
 value = u;
 arg-type = string;
 descrip = "Run as userid (or userid:groupid)";
- omitted-usage = "built without --enable-clockctl or --enable-linuxcaps";
+ omitted-usage = "built without --enable-clockctl or --enable-linuxcaps or --enable-solarisprivs";
 doc = <<- _EndOfDoc_
 Specify a user, and optionally a group, to switch to.
 This option is only available if the OS supports adjusting the clock
 without full root privileges.
 This option is supported under NetBSD (configure with
- @code{--enable-clockctl}) and Linux (configure with
- @code{--enable-linuxcaps}).
+ @code{--enable-clockctl}) or Linux (configure with
+ @code{--enable-linuxcaps}) or Solaris (configure with @code{--enable-solarisprivs}).
 _EndOfDoc_;
 };
diff --git a/sntp/m4/ntp_libntp.m4 b/sntp/m4/ntp_libntp.m4
index 279e7d423..7a81b5863 100644
--- a/sntp/m4/ntp_libntp.m4
+++ b/sntp/m4/ntp_libntp.m4
@@ -639,7 +639,43 @@ case "$ntp_have_linuxcaps" in
 ;;
 esac
-case "$ntp_use_dev_clockctl$ntp_have_linuxcaps" in
+
+AC_CHECK_HEADERS([priv.h])
+
+AC_MSG_CHECKING([if we have solaris privileges])
+
+case "$ac_cv_header_priv_h" in
+ yes)
+ case "$host" in
+ *-solaris*)
+ AC_CHECK_FUNC(
+ [setppriv],
+ [ntp_have_solarisprivs=yes],
+ [ntp_have_solarisprivs=no]
+ )
+ ;;
+ esac
+esac
+
+AC_ARG_ENABLE(
+ [solarisprivs],
+ [AS_HELP_STRING(
+ [--enable-solarisprivs],
+ [+ Use Solaris privileges for non-root clock control]
+ )],
+ [ntp_have_solarisprivs=$enableval]
+)
+
+
+case "$ntp_have_solarisprivs" in
+ yes)
+ AC_DEFINE([HAVE_SOLARIS_PRIVS], [1],
+ [Are Solaris privileges available?])
+esac
+
+AC_MSG_RESULT([$ntp_have_solarisprivs])
+
+case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
 *yes*)
 AC_DEFINE([HAVE_DROPROOT], [1],
 [Can we drop root privileges?])