Index: contrib/ntp/ntpd/ntpd.c =================================================================== --- contrib/ntp/ntpd/ntpd.c +++ contrib/ntp/ntpd/ntpd.c @@ -123,6 +123,9 @@ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS) # include #endif /* HAVE_PRIV_H */ +#if defined(HAVE_TRUSTEDBSD_MAC) +# include +#endif /* HAVE_TRUSTEDBSD_MAC */ #endif /* HAVE_DROPROOT */ #if defined (LIBSECCOMP) && (KERN_SECCOMP) @@ -1082,7 +1085,17 @@ exit (-1); } -# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) +# if defined(HAVE_TRUSTEDBSD_MAC) + /* + * To manipulate system time and (re-)bind to NTP_PORT as needed + * following interface changes, we must either run as uid 0 or + * the mac_ntpd policy module must be enabled. + */ + if (sw_uid != 0 && mac_is_present("ntpd") != 1) { + msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges"); + exit (-1); + } +# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) /* * for now assume that the privilege to bind to privileged ports * is associated with running with uid 0 - should be refined on Index: etc/defaults/rc.conf =================================================================== --- etc/defaults/rc.conf +++ etc/defaults/rc.conf @@ -373,9 +373,10 @@ ntpd_enable="NO" # Run ntpd Network Time Protocol (or NO). ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one. ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file +ntpd_usergroup="ntpd:ntpd" # user:group ntpd switches to for dropping privs +ntpd_chrootdir="/var/db/ntp" # ntpd will chroot to here before dropping privs ntpd_sync_on_start="NO" # Sync time on ntpd startup, even if offset is high -ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift" - # Flags to ntpd (if enabled). +ntpd_flags="" # Flags to ntpd (if enabled). ntp_src_leapfile="/etc/ntp/leap-seconds" # Initial source for ntpd leapfile ntp_db_leapfile="/var/db/ntpd.leap-seconds.list" Index: etc/group =================================================================== --- etc/group +++ etc/group @@ -29,6 +29,7 @@ network:*:69: audit:*:77: www:*:80: +ntpd:*:123: _ypldap:*:160: hast:*:845: nogroup:*:65533: Index: etc/master.passwd =================================================================== --- etc/master.passwd +++ etc/master.passwd @@ -22,6 +22,7 @@ pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin +ntpd:*:123:123::0:0:NTP Daemon:/var/db/ntp:/usr/sbin/nologin _ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin Index: etc/mtree/BSD.var.dist =================================================================== --- etc/mtree/BSD.var.dist +++ etc/mtree/BSD.var.dist @@ -46,7 +46,7 @@ .. ipf mode=0700 .. - ntp mode=0700 + ntp uname=ntpd gname=ntpd mode=0700 .. pkg .. Index: etc/rc.d/ntpd =================================================================== --- etc/rc.d/ntpd +++ etc/rc.d/ntpd @@ -20,47 +20,122 @@ needfetch_cmd="ntpd_needfetch_leapfile" start_precmd="ntpd_precmd" -ntp_tmp_leapfile="/var/run/ntpd.leap-seconds.list" +_ntp_tmp_leapfile="/var/run/ntpd.leap-seconds.list" +_ntp_chroot_cookiefile=".chroot_autosetup_done" +_ntp_default_driftfile="/var/db/ntpd.drift" +_ntp_default_chrootdir="/var/db/ntp" +_ntp_default_user="ntpd:ntpd" load_rc_config $name +ntpd_mac_setup() +{ + # Attempt to automatically set up the the MAC ntpd policy so that + # ntpd can run with reduced privileges. MAC has to be compiled + # into the kernel, which we detect using security.mac.version. + # If it's available, check whether the ntpd policy is already + # loaded, and attempt to load the module if not. Then check + # whether the policy has been specifically disabled via tunable + # or sysctl. If loaded and not disabled we can run as non-root, + # so return success, otherwise indicate we must run as root by + # returning an error. + + if [ -n "$(sysctl -qn security.mac.version)" ]; then + sysctl -qn security.mac.ntpd >/dev/null || kldload mac_ntpd || return + if [ "$(sysctl -qn security.mac.ntpd.enabled)" = "1" ]; then + return 0 + fi + fi + return 1 +} + +ntpd_default_chroot_setup() +{ + # When $ntpd_chrootdir points to our default location, this function + # prepares it for use. If the admin overrides ntpd_chrootdir, setup + # is not our responsibility. If we get any errors doing the setup, + # we just return the error code, making us run without the chroot. + + # The chroot requires nullfs, so make sure that's available first. + + kldload -qn tmpfs || return + + # If there is no setup-done cookie file in the chroot, we need to do + # one-time setup, which consists of... + # - Create an /etc dir. + # - Create the dir(s) that hold the driftfile and leapfile. + # - Move existing drift and leap files (if any) into the chroot. + # - Make symlinks outside the chroot that point to the drift + # and leap files inside the chroot. This is required because + # ntpd reads these files both before and after calling chroot(). + + if [ ! -e "${ntpd_chrootdir}/${_ntp_chroot_cookiefile}" ]; then + mkdir -p "${ntpd_chrootdir}/etc" || return + mkdir -p "${ntpd_chrootdir}/$(dirname ${_ntp_default_driftfile})" || return + mkdir -p "${ntpd_chrootdir}/$(dirname ${ntp_db_leapfile})" || return + if [ -f "${_ntp_default_driftfile}" ]; then + mv "${_ntp_default_driftfile}" "${ntpd_chrootdir}/${_ntp_default_driftfile}" || return + fi + if [ -f "${ntp_db_leapfile}" ]; then + mv "${ntp_db_leapfile}" "${ntpd_chrootdir}/${ntp_db_leapfile}" || return + fi + ln -fhs "${ntpd_chrootdir}/${_ntp_default_driftfile}" "${_ntp_default_driftfile}" || return + ln -fhs "${ntpd_chrootdir}/${ntp_db_leapfile}" "${ntp_db_leapfile}" || return + touch "${ntpd_chrootdir}/${_ntp_chroot_cookiefile}" + chown -R ${ntpd_usergroup} "${ntpd_chrootdir}" + fi + + # Ntpd needs to read several files from /etc, including resolv.conf + # which can change on the fly, so we can't just copy it in. Instead + # we nullfs-mount /etc into the chroot if it isn't already mounted. + # It's mounted readonly because ntpd only reads files from etc. + + if ! df -t nullfs "${ntpd_chrootdir}/etc" >/dev/null 2>&1; then + mount -r -t nullfs /etc "${ntpd_chrootdir}/etc" || return + fi +} + ntpd_precmd() { - rc_flags="-c ${ntpd_config} ${ntpd_flags}" + command_args="-c ${ntpd_config} -p ${pidfile} -f ${_ntp_default_driftfile}" if checkyesno ntpd_sync_on_start; then - rc_flags="-g $rc_flags" + command_args="${command_args} -g" fi - ntpd_init_leapfile - - if [ ! -f $ntp_db_leapfile ]; then - ntpd_fetch_leapfile + # If $ntpd_usergroup is set, pass it to ntpd using -u. If it has the + # default value of ntpd:ntpd, attempt to automatically set up the MAC + # policy that allows unprivileged ntpd to change kernel time. If it + # has any other value, we assume the admin has set everything up. + + if [ -n "${ntpd_usergroup}" ]; then + local nuser="-u ${ntpd_usergroup}" + if [ "${ntpd_usergroup}" = "${_ntp_default_user}" ]; then + ntpd_mac_setup || nuser="-u root:wheel" + fi + command_args="${command_args} ${nuser}" fi - if [ -z "$ntpd_chrootdir" ]; then - return 0; + # If $ntpd_chrootdir is set, pass it along to ntpd on the command + # line using -i. If it has the default value, attempt to set up + # the chroot automatically. If it has a non-default value, assume + # the admin has created and populated the chroot and established + # any outside->inside symlinks needed for ntpd startup. + + if [ -n "${ntpd_chrootdir}" ]; then + local cdir="-i ${ntpd_chrootdir}" + if [ "${ntpd_chrootdir}" = "${_ntp_default_chrootdir}" ]; then + ntpd_default_chroot_setup || cdir="" + fi + command_args="${command_args} ${cdir}" fi - # If running in a chroot cage, ensure that the appropriate files - # exist inside the cage, as well as helper symlinks into the cage - # from outside. - # - # As this is called after the is_running and required_dir checks - # are made in run_rc_command(), we can safely assume ${ntpd_chrootdir} - # exists and ntpd isn't running at this point (unless forcestart - # is used). - # - if [ ! -c "${ntpd_chrootdir}/dev/clockctl" ]; then - rm -f "${ntpd_chrootdir}/dev/clockctl" - ( cd /dev ; /bin/pax -rw -pe clockctl "${ntpd_chrootdir}/dev" ) - fi - ln -fs "${ntpd_chrootdir}/var/db/ntp.drift" /var/db/ntp.drift - ln -fs "${ntpd_chrootdir}${ntp_tmp_leapfile}" ${ntp_tmp_leapfile} - - # Change run_rc_commands()'s internal copy of $ntpd_flags - # - rc_flags="-u ntpd:ntpd -i ${ntpd_chrootdir} $rc_flags" + # Make sure the leapfile is ready to use. + + ntpd_init_leapfile + if [ ! -f "${ntp_db_leapfile}" ]; then + ntpd_fetch_leapfile + fi } current_ntp_ts() { @@ -106,8 +181,8 @@ ntp_expiry_src=$(get_ntp_leapfile_expiry $ntp_src_leapfile) ntp_ver_no_db=$(get_ntp_leapfile_ver $ntp_db_leapfile) ntp_expiry_db=$(get_ntp_leapfile_expiry $ntp_db_leapfile) - $verbose ntp_src_leapfile version is $ntp_ver_no_src - $verbose ntp_db_leapfile version is $ntp_ver_no_db + $verbose ntp_src_leapfile version is $ntp_ver_no_src expires $ntp_expiry_src + $verbose ntp_db_leapfile version is $ntp_ver_no_db expires $ntp_expiry_db if [ "$ntp_ver_no_src" -gt "$ntp_ver_no_db" -o \ "$ntp_ver_no_src" -eq "$ntp_ver_no_db" -a \ @@ -140,15 +215,15 @@ if ntpd_needfetch_leapfile ; then for url in $ntp_leapfile_sources ; do $verbose fetching $url - fetch $ntp_leapfile_fetch_opts -o $ntp_tmp_leapfile $url && break + fetch $ntp_leapfile_fetch_opts -o $_ntp_tmp_leapfile $url && break done - ntp_ver_no_tmp=$(get_ntp_leapfile_ver $ntp_tmp_leapfile) - ntp_expiry_tmp=$(get_ntp_leapfile_expiry $ntp_tmp_leapfile) + ntp_ver_no_tmp=$(get_ntp_leapfile_ver $_ntp_tmp_leapfile) + ntp_expiry_tmp=$(get_ntp_leapfile_expiry $_ntp_tmp_leapfile) if [ "$ntp_expiry_tmp" -gt "$ntp_expiry_db" -o \ "$ntp_expiry_tmp" -eq "$ntp_expiry_db" -a \ "$ntp_ver_no_tmp" -gt "$ntp_ver_no_db" ]; then $verbose using $url as $ntp_db_leapfile - mv -f $ntp_tmp_leapfile $ntp_db_leapfile || + mv -f $_ntp_tmp_leapfile $ntp_db_leapfile || $verbose "warning: cannot replace $ntp_db_leapfile (read-only fs?)" else $verbose using existing $ntp_db_leapfile Index: share/man/man4/mac_ntpd.4 =================================================================== --- share/man/man4/mac_ntpd.4 +++ share/man/man4/mac_ntpd.4 @@ -0,0 +1,116 @@ +.\" Copyright (c) 2018 Ian Lepore +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 28, 2018 +.Dt MAC_NTPD 4 +.Os +.Sh NAME +.Nm mac_ntpd +.Nd "policy allowing ntpd to run as non-root user" +.Sh SYNOPSIS +To compile the ntpd policy into your kernel, place the following lines +in your kernel configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Cd "options MAC_NTPD" +.Ed +.Pp +Alternately, to load the ntpd policy module at boot time, +place the following line in your kernel configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Ed +.Pp +and in +.Xr loader.conf 5 : +.Pp +.Dl "mac_ntpd_load=""YES""" +.Sh DESCRIPTION +The +.Nm +policy grants any process running as user +.Sq ntpd +(uid 123) the privileges needed to manipulate +system time, and to (re-)bind to the privileged NTP port. +.Pp +When +.Xr ntpd 8 +is started with +.Sq -u\ +on the command line, it performs all initializations requiring root +privileges, then drops root privileges by switching to the given user id. +From that point on, the only privileges it requires are the ability +to manipulate system time, and the ability to re-bind a UDP socket +to the NTP port (port 123) after a network interface change. +By default, +.Fx +starts +.Xr ntpd 8 +with +.Sq -u\ ntpd:ntpd +on the command line, if the mac_ntpd policy is available to grant +the required privileges. +.Pp +.Ss Privileges Granted +The exact set of kernel privileges granted to any process running +with the configured uid is: +.Bl -inset -compact -offset indent +.It PRIV_ADJTIME +.It PRIV_CLOCK_SETTIME +.It PRIV_NTP_ADJTIME +.It PRIV_NETINET_RESERVEDPORT +.It PRIV_NETINET_REUSEPORT +.El +.Pp +.Ss Runtime Configuration +The following +.Xr sysctl 8 +MIBs are available for fine-tuning this MAC policy. +All +.Xr sysctl 8 +variables can also be set as +.Xr loader 8 +tunables in +.Xr loader.conf 5 . +.Bl -tag -width indent +.It Va security.mac.ntpd.enabled +Enable the +.Nm +policy. +(Default: 1). +.It Va security.mac.ntpd.uid +The numeric uid of the ntpd user. +(Default: 123). +.El +.Sh SEE ALSO +.Xr mac 4 , +.Xr ntpd 8 +.Sh HISTORY +MAC first appeared in +.Fx 5.0 +and +.Nm +first appeared in +.Fx 12.0 . Index: sys/conf/files =================================================================== --- sys/conf/files +++ sys/conf/files @@ -4888,6 +4888,7 @@ security/mac_lomac/mac_lomac.c optional mac_lomac security/mac_mls/mac_mls.c optional mac_mls security/mac_none/mac_none.c optional mac_none +security/mac_ntpd/mac_ntpd.c optional mac_ntpd security/mac_partition/mac_partition.c optional mac_partition security/mac_portacl/mac_portacl.c optional mac_portacl security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids Index: sys/conf/options =================================================================== --- sys/conf/options +++ sys/conf/options @@ -158,6 +158,7 @@ MAC_LOMAC opt_dontuse.h MAC_MLS opt_dontuse.h MAC_NONE opt_dontuse.h +MAC_NTPD opt_dontuse.h MAC_PARTITION opt_dontuse.h MAC_PORTACL opt_dontuse.h MAC_SEEOTHERUIDS opt_dontuse.h Index: sys/modules/Makefile =================================================================== --- sys/modules/Makefile +++ sys/modules/Makefile @@ -232,6 +232,7 @@ mac_lomac \ mac_mls \ mac_none \ + mac_ntpd \ mac_partition \ mac_portacl \ mac_seeotheruids \ Index: sys/modules/mac_ntpd/Makefile =================================================================== --- sys/modules/mac_ntpd/Makefile +++ sys/modules/mac_ntpd/Makefile @@ -0,0 +1,8 @@ +# $FreeBSD$ + +.PATH: ${SRCTOP}/sys/security/mac_ntpd + +KMOD= mac_ntpd +SRCS= mac_ntpd.c + +.include Index: sys/security/mac_ntpd/mac_ntpd.c =================================================================== --- sys/security/mac_ntpd/mac_ntpd.c +++ sys/security/mac_ntpd/mac_ntpd.c @@ -0,0 +1,77 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2018 Ian Lepore + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include +#include +#include +#include + +#include + +SYSCTL_DECL(_security_mac); + +static SYSCTL_NODE(_security_mac, OID_AUTO, ntpd, CTLFLAG_RW, 0, + "mac_ntpd policy controls"); + +static int ntpd_enabled = 1; +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, enabled, CTLFLAG_RW, + &ntpd_enabled, 0, "Enable mac_ntpd policy"); + +static int ntpd_uid = 123; +SYSCTL_INT(_security_mac_ntpd, OID_AUTO, uid, CTLFLAG_RWTUN, + &ntpd_uid, 0, "User id for ntpd user"); + +static int +ntpd_priv_grant(struct ucred *cred, int priv) +{ + + if (ntpd_enabled && cred->cr_uid == ntpd_uid) { + switch (priv) { + case PRIV_ADJTIME: + case PRIV_CLOCK_SETTIME: + case PRIV_NTP_ADJTIME: + case PRIV_NETINET_RESERVEDPORT: + case PRIV_NETINET_REUSEPORT: + return (0); + default: + break; + } + } + return (EPERM); +} + +static struct mac_policy_ops ntpd_ops = +{ + .mpo_priv_grant = ntpd_priv_grant, +}; + +MAC_POLICY_SET(&ntpd_ops, mac_ntpd, "MAC/ntpd", + MPC_LOADTIME_FLAG_UNLOADOK, NULL); Index: usr.sbin/ntp/config.h =================================================================== --- usr.sbin/ntp/config.h +++ usr.sbin/ntp/config.h @@ -392,7 +392,10 @@ /* #undef HAVE_DOPRNT */ /* Can we drop root privileges? */ -/* #undef HAVE_DROPROOT */ +#define HAVE_DROPROOT + +/* Define to 1 to use TrustedBSD MAC 'ntpd' privileges policy. */ +#define HAVE_TRUSTEDBSD_MAC 1 /* Define to 1 if you have the header file. */ #define HAVE_ERRNO_H 1