Ntpd supports command-line options to chroot into an arbitrary directory, then drop root privileges by changing its uid and/or gid to some non-root value. For that to work, there must be some OS mechanism available for ntpd to retain the small subset of privileges it needs after changing uid to non-root. Specifically it needs the ability to manipulate system time, and to re-bind to a privileged UDP port after interface changes.
These changes add a new user and group, ntpd:ntpd (uid:gid 123:123), and a new mac(4) policy module, mac_ntpd(4), which grants just the privileges needed by ntpd to any process running with uid 123. The rc.d/ntpd script checks whether the mac_ntpd policy is available and enabled (loading the module if needed), and if so, instructs ntpd to drop root privs by switching to ntpd:ntpd. If the policy is not available or is disabled, ntpd runs as root:wheel as it historically has. If the new rcvar ntpd_usergroup is set to some non-default value, the rc.d/ntpd script passes the option to ntpd, but assumes that the sysadmin has done anything necessary to grant the needed privs to ntpd.
In addition, if ntpd_chrootdir is set, the option to chroot into that dir is passed to ntpd. If the variable has the default value (/var/db/ntp), the rc.d/ntpd script attempts to automatically configure the chroot by creating needed directories and symlinks, and nullfs-mounting /etc into it so ntpd can read various files such as resolv.conf and nsswitch.conf. If the variable is set to a non-default value, the option is passed to ntpd, but the script assumes the sysadmin has already done everything necessary to set up the chroot.
The net effect is that the default options now cause ntpd to run in a chroot with reduced privs out of the box, on both new and updated existing installations, unless the ntpd-related rcvars have been changed to non-default options, in which case things keep working the way they used to (runs as root, no chroot).
Ntpd itself gets a very minimal change to check whether the MAC ntpd policy is enabled if it's instructed to drop root privs, since it won't be able to run correctly otherwise. Given that the change is minimally invasive, I hope it will be quickly accepted when pushed back upstream.
Note that these changes also address PR 199127 by using the command_args technique suggested in the patch. They also tangentially address PR 113552, which is primarily about inconsistent filenames in documentation, but some of the inconsistency was caused by old code in rc.d/ntpd which is left over from the initial import from NetBSD. There was code to do chroot setup which required the use of the NetBSD clockctl(4) device; that code never had any effect on FreeBSD, because we lack that device and don't build ntpd with the options that would allow using it.
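
The user/group decision described above, sketched as an added sh example; it is not the committed rc.d/ntpd script. The function names are hypothetical, the sysctl name security.mac.ntpd.enabled comes from FreeBSD's mac_ntpd(4) rather than from this message, and treating an empty ntpd_usergroup as the default is an assumption.

```shell
#!/bin/sh
# Added illustration; not the committed rc.d/ntpd script.
# Default identity named in the commit message (uid:gid 123:123).
NTPD_DEFAULT_USERGROUP="ntpd:ntpd"

# Probe the running system (FreeBSD only; never called at load time).
# Prints "enabled", "disabled" or "absent".
# Assumption: the policy exposes the sysctl security.mac.ntpd.enabled.
probe_mac_ntpd() {
    if ! sysctl -n security.mac.ntpd.enabled >/dev/null 2>&1; then
        # Policy not present yet: try loading the module, as the script does.
        kldload mac_ntpd >/dev/null 2>&1 || { echo absent; return 0; }
    fi
    if [ "$(sysctl -n security.mac.ntpd.enabled 2>/dev/null)" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Pure decision: $1 = value of the ntpd_usergroup rcvar, $2 = policy state.
# Prints the "-u user:group" argument for ntpd, or nothing, in which case
# ntpd keeps running as root:wheel.
ntpd_user_args() {
    usergroup=$1
    policy=$2
    if [ -n "$usergroup" ] && [ "$usergroup" != "$NTPD_DEFAULT_USERGROUP" ]; then
        # Non-default value: passed through unchecked. The sysadmin is
        # assumed to have granted the needed privileges some other way.
        echo "-u $usergroup"
    elif [ "$policy" = "enabled" ]; then
        # Default value and the MAC policy is active: safe to drop root.
        echo "-u $NTPD_DEFAULT_USERGROUP"
    fi
    # Default value without the policy: print nothing, stay root.
}

# Show the outcome for each policy state with the default rcvar value.
for state in enabled disabled absent; do
    printf '%-9s -> ntpd %s\n' "$state" "$(ntpd_user_args ntpd:ntpd "$state")"
done
```

On a FreeBSD host the two pieces combine as `ntpd_user_args "$ntpd_usergroup" "$(probe_mac_ntpd)"`; an empty result means ntpd is still running with full root privileges and is worth flagging in a configuration audit.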