Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
ClosedPublic

Authored by ian on Jul 15 2018, 8:47 PM.

Details

Summary

Code analysis and runtime analysis using truss(8) indicate that the only privileged operations performed by ntpd are adjusting system time, and (re-)binding to privileged UDP port 123. These changes add a new mac(4) policy module, mac_ntpd(4), which grants just those privileges to any process running with uid 123.

This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes them the owner of the /var/db/ntp directory, so that it can be used as a location where the non-privileged daemon can write files such as the driftfile, and any optional logfile or stats files.

Because there are so many ways to configure ntpd, the question of how to configure it to run without root privs can be a bit complex, so that is addressed separately in D16050. These changes are just what's required to grant the limited subset of privs to ntpd, and the small change to ntpd to prevent it from exiting with an error if running as non-root.

These changes were originally part of D16050, but have been split out to separate the complexity of the rc.d/ntpd changes from the basic facility for running non-privileged.

Test Plan

Tested by setting ntpd_user=ntpd in rc.conf, configuring the driftfile for a dir that user ntpd has write access to, and running ntpd that way.
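The configuration described in the summary and test plan can be checked with a short script. This is an added example, not part of the revision or of FreeBSD: the function names are hypothetical, the sample files are constructed, and it assumes the usual passwd, rc.conf and ntp.conf formats.

```shell
#!/bin/sh
# Added example: audit the files involved in running ntpd as user ntpd.

# Succeeds if passwd-format file $1 has user "ntpd" with uid:gid 123:123,
# the uid the summary says mac_ntpd(4) grants privileges to.
check_account() {
    awk -F: '$1 == "ntpd" { ok = ($3 == 123 && $4 == 123) }
             END { exit(ok ? 0 : 1) }' "$1"
}

# Succeeds if rc.conf-format file $1 sets ntpd_user to ntpd (last one wins).
check_rc_conf() {
    val=$(sed -n 's/^[[:space:]]*ntpd_user=\([^#[:space:]]*\).*/\1/p' "$1" |
          tail -n 1 | tr -d "\"'")
    [ "$val" = "ntpd" ]
}

# Succeeds if ntp.conf-format file $1 puts its driftfile under directory $2.
check_driftfile() {
    path=$(awk '$1 == "driftfile" { p = $2 } END { print p }' "$1")
    case "$path" in
        */../*|*/..) return 1 ;;   # reject paths that climb out of $2
        "$2"/?*)     return 0 ;;
        *)           return 1 ;;
    esac
}

# Write constructed sample files into directory $1.
make_samples() {
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'ntpd_enable="YES"' 'ntpd_user="ntpd"  # unprivileged' > "$1/rc.conf"
    printf '%s\n' 'server ntp.example.org iburst' \
        'driftfile /var/db/ntp/ntpd.drift' > "$1/ntp.conf"
}

# Run all three checks against the files in $1; echo the number of failures.
audit_dir() {
    fails=0
    check_account "$1/passwd" || fails=$((fails + 1))
    check_rc_conf "$1/rc.conf" || fails=$((fails + 1))
    check_driftfile "$1/ntp.conf" /var/db/ntp || fails=$((fails + 1))
    echo "$fails"
}

tmp=$(mktemp -d) && make_samples "$tmp" && echo "failed checks: $(audit_dir "$tmp")"
rm -rf "$tmp"
```

On a live host the inputs would be /etc/passwd, /etc/rc.conf and /etc/ntp.conf; the review also names the security.mac.ntpd.enabled sysctl, which is worth reading alongside these checks.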

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

usr.sbin/ntp/config.h
1122–1124 ↗(On Diff #45330)

Isn't there a source file this needs to be updated in as well?

Looks good. I see no issues.

ntpd.c and config.h patches should be added to both ntp ports.

This revision is now accepted and ready to land. Jul 16 2018, 4:46 AM
usr.sbin/ntp/config.h
1122–1124 ↗(On Diff #45330)

Yes, it's on line 126 of ntpd.c, above.

sys/security/mac_ntpd/mac_ntpd.c
45 ↗(On Diff #45330)

Just a note for the record that when committed, security.mac.ntpd.enabled will be CTLFLAG_RWTUN instead of just RW (doesn't seem worth uploading a whole new diff just for that).

This revision was automatically updated to reflect the committed changes.

Sorry to have missed this when it first came in; the mdoc could use some changes.

head/share/man/man4/mac_ntpd.4
26

Perhaps this could have been tweaked closer to commit, though it's not terribly important.

49

The formulation used in (e.g.) mac_none.4 with .Bd -literal might be less annoying than counting quotes here.

61

Ugh.
.Sq Fl u Ar user
here and elsewhere, please.
Also, is it user:group?

80

Should these all be .It Dv PRIV_blah?

In D16281#347193, @bjk wrote:

Sorry to have missed this when it first came in; the mdoc could use some changes.

This was originally part of D16050 and the manpage part had been accepted there before I split it out to a separate diff. Everything I know about manpage markup can be summarized as: 1) search for something similar in an existing page, 2) copy and paste it. :)

I'll get these changes applied, thanks.