Re: [chrony-dev] [PATCH] MacOS X - Drop root privileges



On Tue, Sep 15, 2015 at 08:15:47AM +1200, Bryan Christianson wrote:
> 
> > On 14/09/2015, at 9:35 pm, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> > If chronyd is allowed to restore the root privileges (i.e. set the
> > effective UID/GID back to root) to make the adjtime() or
> > settimeofday() system call and the chronyd process is compromised,
> > the attacker can simply call seteuid() to get the root privileges at
> > any time, or not?
> 
> Yes - that's true. However the alternative is to run as root and life for the attacker is simpler.

I don't think it would be a significant obstacle for an attacker that
can run arbitrary code. It's just one system call. When the root
privileges are dropped, it should be permanent.

> That is Apple's preferred method - a separate privileged process (helper in Apple terminology) controlled by launchd and communicating via their XPC protocol. I got that answer from one of the engineers in their developer support forum. Apple attempted something similar with ntpd and OSX 10.9 introduced a program called pacemaker to do the privileged work. It didn't work (at all) and was dropped in OSX 10.10.

Interesting. I didn't know it was dropped. I thought it was at least
partially invented to address the problem with ntpd that it wakes up
every second to adjust the clock and it was supposed to improve the
power saving.

-- 
Miroslav Lichvar
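
The difference between the temporary and the permanent drop discussed above, as an added example that is not part of the original message or of chrony's code. The function names and the unprivileged ID 65534 are assumptions; without root both probes simply report that root cannot be regained.

```c
#define _DEFAULT_SOURCE          /* glibc: declare seteuid() under strict -std= */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define UNPRIV_ID 65534          /* assumption: "nobody" on this system */
enum drop_mode { DROP_TEMPORARY, DROP_PERMANENT };

/* Runs in a child: drop per mode, then try to get EUID 0 back.
 * Returns 1 = root regained, 0 = not regained, 2 = the drop itself failed. */
static int drop_and_probe(enum drop_mode mode)
{
    int was_root = (geteuid() == 0);
    uid_t uid = was_root ? UNPRIV_ID : getuid();
    gid_t gid = was_root ? UNPRIV_ID : getgid();

    if (mode == DROP_TEMPORARY) {
        /* Only the effective IDs change; the saved set-user-ID stays 0. */
        if (setegid(gid) != 0 || seteuid(uid) != 0)
            return 2;
    } else {
        /* As root, setgid()/setuid() set real, effective and saved IDs.
         * Group first. A real daemon also clears supplementary groups. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            return 2;
    }
    if (geteuid() != uid)
        return 2;
    /* The single system call available to code running in the process. */
    return (seteuid(0) == 0 && geteuid() == 0) ? 1 : 0;
}

/* Returns 1 if root could be regained after the drop, 0 if not, -1 on error. */
int root_regainable_after(enum drop_mode mode)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(drop_and_probe(mode));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("temporary drop: root regainable = %d\n", root_regainable_after(DROP_TEMPORARY));
    printf("permanent drop: root regainable = %d\n", root_regainable_after(DROP_PERMANENT));
    return 0;
}
```

Run as root, the temporary drop reports 1 and the permanent drop reports 0; each probe runs in a forked child so the calling process keeps its own IDs.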
