Re: [chrony-dev] MacOS X - separation of privileges



On Mon, Oct 19, 2015 at 10:21:10AM +1300, Bryan Christianson wrote:
> I've been doing some work on privilege separation and finally have it working, using a small helper program to perform the privileged system calls - see below for some details on what I've done and how it works

> My question - how to neatly incorporate this into the chrony source tree. The helper program is MacOS only so should only be built if the target system is MacOS. It also requires codesigning and the person compiling the software must
> provide their own certificate. chronyd also has to be signed for the mechanism to work.

Does it have to be a separate program? Would it still work if chronyd
just forked and the two processes communicated over pipes?

If it was implemented in a more general way, it could be used on
FreeBSD and other systems that don't allow a process to keep the
capability to adjust the clock without root. I'd prefer that over an
approach that is specific to one system.

> After chronyd is initialised (as root) the only privileged system calls
> required are adjtime() and settimeofday(). These can easily be handled
> with a simple IPC method.

There is another call that might be needed and which I suspect can't
be separated that easily. If chronyd is not configured to open the NTP
server port and the allow command is issued from chronyc, the process
needs to be able to bind() the socket to the port 123. Anyway, I think
it'd be an acceptable limitation, which is already present in the
current NetBSD support for dropping root privileges.

-- 
Miroslav Lichvar
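The fork-and-pipe layout proposed in the reply above, written out as an added example; this is not chrony's code and not Bryan's helper. The parent keeps root and answers only adjtime()/settimeofday() requests, the child drops root before doing anything else, and the two talk over a socketpair. The request layout, the slew bound, the "nobody" account and every function name are assumptions made for this illustration; with apply == 0 the helper validates but does not touch the clock, so it runs unprivileged.

```c
/* Added example (not chrony's code): a minimal fork-based privilege
 * separation in the shape suggested in the reply above. The parent keeps
 * root and performs only adjtime()/settimeofday() on request; the child
 * drops root and talks to it over a socketpair. Request layout, limits
 * and all names are assumptions made for this illustration. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

enum privsep_op { PRIVSEP_ADJTIME = 1, PRIVSEP_SETTIME = 2 };
struct privsep_req { uint32_t op; int64_t sec; int64_t usec; };
/* Reply is a single int32_t: 0 ok, -1 refused, >0 errno from the kernel. */
#define PRIVSEP_MAX_ADJ_SEC 128 /* cap one slew: no arbitrary jumps via adjtime */

/* Returns 0 if the request is acceptable, -1 if it must be refused. */
int privsep_validate(const struct privsep_req *r)
{
    if (r->usec < 0 || r->usec >= 1000000) return -1;
    if (r->op == PRIVSEP_ADJTIME)
        return (r->sec < -PRIVSEP_MAX_ADJ_SEC || r->sec > PRIVSEP_MAX_ADJ_SEC) ? -1 : 0;
    if (r->op == PRIVSEP_SETTIME)
        return r->sec < 0 ? -1 : 0;
    return -1; /* unknown op: never forwarded to the kernel */
}

/* Privileged side: answer fixed-size requests until the peer closes. With
 * apply == 0 the clock is left alone (dry run), so this runs without root. */
static void privsep_serve(int fd, int apply)
{
    struct privsep_req req;
    int32_t status;
    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        status = privsep_validate(&req);
        if (status == 0 && apply) {
            struct timeval tv = { (time_t)req.sec, (suseconds_t)req.usec };
            int rc = req.op == PRIVSEP_ADJTIME ? adjtime(&tv, NULL)
                                               : settimeofday(&tv, NULL);
            status = rc == 0 ? 0 : errno;
        }
        if (write(fd, &status, sizeof status) != (ssize_t)sizeof status)
            break;
    }
}

/* Unprivileged side: send one request, return the helper's status (-2 if
 * the channel broke). */
int privsep_request(int fd, uint32_t op, int64_t sec, int64_t usec)
{
    struct privsep_req req = { op, sec, usec };
    int32_t status;
    if (write(fd, &req, sizeof req) != (ssize_t)sizeof req ||
        read(fd, &status, sizeof status) != (ssize_t)sizeof status)
        return -2;
    return status;
}

/* Drop to an unprivileged account when running as root; 0 on success. */
static int privsep_drop_root(void)
{
    struct passwd *pw = getpwnam("nobody");
    uid_t uid = pw ? pw->pw_uid : 65534; /* fallback if no passwd entry */
    gid_t gid = pw ? pw->pw_gid : 65534;
    if (geteuid() != 0) return 0;
    return (setgid(gid) == 0 && setuid(uid) == 0 && setuid(0) != 0) ? 0 : -1;
}

/* Fork into helper (parent) and worker (child). The child runs a small
 * constructed scenario and exits with the number of accepted requests;
 * the parent returns that count, or -1 on a setup failure. */
int privsep_run(int apply)
{
    int sv[2], status, ok = 0;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        if (privsep_drop_root() != 0)
            _exit(255); /* refuse to work while still root */
        ok += privsep_request(sv[1], PRIVSEP_ADJTIME, 0, 250000) == 0;
        ok += privsep_request(sv[1], PRIVSEP_ADJTIME, 86400, 0) == 0; /* too big */
        ok += privsep_request(sv[1], PRIVSEP_SETTIME, 1445000000, 0) == 0;
        ok += privsep_request(sv[1], 99, 0, 0) == 0; /* unknown op */
        _exit(ok);
    }
    close(sv[1]);
    privsep_serve(sv[0], apply);
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return printf("helper accepted %d of 4 constructed requests (dry run)\n", privsep_run(0)) < 0;
}
```

In the dry run, `privsep_run(0)` returns 2: the bounded slew and the settimeofday() request pass validation, the oversized slew and the unknown opcode are refused before anything reaches the kernel. The point of the bound and the opcode check is that the unprivileged process, which handles the network, gets only a narrow interface rather than a general "run this syscall as root" channel; the same split would apply on FreeBSD or any other system where a process cannot keep the clock-adjustment capability after giving up root. The bind() limitation raised in the reply is not addressed here: this helper knows nothing about sockets.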
