Re: [chrony-dev] [PATCH] MacOS X - Drop root privileges


> On 14/09/2015, at 9:35 pm, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> 
> On Sat, Sep 12, 2015 at 10:30:05PM +1200, Bryan Christianson wrote:
>> When a user is specified to chronyd (command line or config file), chronyd
>> will drop privileges, restoring them when required for privileged system
>> calls.
> 
> If chronyd is allowed to restore the root privileges (i.e. set the
> effective UID/GID back to root) to make the adjtime() or
> settimeofday() system call and the chronyd process is compromised,
> the attacker can simply call seteuid() to get the root privileges at
> any time, or not?

Yes - that's true. However the alternative is to run as root and life for the attacker is simpler.

> 
> On systems where it's not possible to adjust the clock without the
> root privileges, there is a possibility to separate the privileges in
> multiple processes, like openntpd does for instance. One process keeps
> the root privileges to adjust the clock and the other processes send
> commands to it over pipe or socket. Of course, the protocol the
> processes use to communicate with each other needs to be simple and
> carefully implemented so the root process can't be exploited through
> it.

That is Apple's preferred method - a separate privileged process (helper in Apple terminology) controlled by launchd and communicating via their XPC protocol. I got that answer from one of the engineers in their developer support forum. Apple attempted something similar with ntpd and OSX 10.9 introduced a program called pacemaker to do the privileged work. It didn't work (at all) and was dropped in OSX 10.10.

> 
> Implementing that in chronyd is possible, but it may require some
> major changes in the design. If chronyd did this on Mac OS X, which
> doesn't have readonly adjtime(), the clock precision would probably
> get much worse as every reading of the remaining adjustment would
> require a context switch to the root process and back.

Yes - I think the overhead would be pretty bad and introduce a lot of jitter, plus a lot of complications in building/installing/initiating the helper process.

I investigated to see if it would be possible to implement /dev/clockctl as on xxxBSD. Apple don't export the required symbols from the kernel to make this possible and the only interface they have are the system calls. These check that the calling process is running as root before calling the private kernel time functions. It would be possible to work around this but would require the use of private kernel data structures which is just not maintainable.

Anyway - I had some spare time over the weekend and just floated this idea to see what you thought. At the moment chrony is running very well as root.

B
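
The privilege-separated design discussed above, where a root process accepts clock commands over a pipe or socket, depends on the root side rejecting anything malformed before it reaches adjtime() or settimeofday(). The following is an added example, not part of this thread and not code from chrony or openntpd, showing one way the root helper could validate a request; the message layout, the names `priv_req` and `priv_parse`, and the `PRIV_MAX_ADJ_SEC` limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format: one fixed-size message, no pointers and no
 * variable-length fields, so the root side never sizes a buffer from
 * data supplied by the unprivileged process. */
enum { PRIV_OP_ADJTIME = 1, PRIV_OP_SETTIME = 2 };
#define PRIV_MAX_ADJ_SEC 3600   /* assumed policy limit for one slew request */

struct priv_req {
    uint32_t op;     /* PRIV_OP_* */
    int32_t  usec;   /* microseconds part */
    int64_t  sec;    /* seconds part */
};

/* Runs in the root helper on the bytes read from the socket.
 * Returns 0 and fills *out if the request is acceptable, -1 otherwise. */
int priv_parse(const void *buf, size_t len, struct priv_req *out)
{
    struct priv_req r;

    if (buf == NULL || out == NULL || len != sizeof r)
        return -1;                        /* short, long or missing message */
    memcpy(&r, buf, sizeof r);            /* copy once, validate the copy */

    if (r.usec <= -1000000 || r.usec >= 1000000)
        return -1;
    switch (r.op) {
    case PRIV_OP_ADJTIME:                 /* bounded slew, either sign */
        if (r.sec < -PRIV_MAX_ADJ_SEC || r.sec > PRIV_MAX_ADJ_SEC)
            return -1;
        break;
    case PRIV_OP_SETTIME:                 /* absolute time: never negative */
        if (r.sec < 0 || r.usec < 0)
            return -1;
        break;
    default:
        return -1;                        /* unknown opcode */
    }
    *out = r;
    return 0;
}

int main(void)
{
    /* Constructed sample requests */
    struct priv_req ok = { PRIV_OP_ADJTIME, 250000, 0 }, bad = { 99, 0, 0 }, out;
    printf("valid=%d unknown_op=%d short=%d\n", priv_parse(&ok, sizeof ok, &out),
           priv_parse(&bad, sizeof bad, &out), priv_parse(&ok, 4, &out));
    return 0;
}
```

Only a request that passes `priv_parse` would be handed to the privileged system call; everything else is dropped without further interpretation.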


