Re: [chrony-dev] MacOS X - separation of privileges



> On 19/10/2015, at 9:47 PM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> 
> On Mon, Oct 19, 2015 at 10:21:10AM +1300, Bryan Christianson wrote:
>> I've been doing some work on privilege separation and finally have it working, using a small helper program to perform the privileged system calls - see below for some details on what I've done and how it works
> 
> >> My question - how to neatly incorporate this into the chrony source tree. The helper program is MacOS only so should only be built if the target system is MacOS. It also requires codesigning and the person compiling the software must
> >> provide their own certificate. chronyd also has to be signed for the mechanism to work.
> 
> Does it have to be a separate program? Would it still work if chronyd
> just forked and the two processes communicated over pipes?

I had looked at doing it using the Apple guidelines, which were written for the more general case of allowing a GUI user app to perform privileged operations. There is no reason to think a fork() with pipes would not work for an already privileged process, although I suspect the latency using pipes might not be as good as using a unix socket.
> 
> If it was implemented in a more general way, it could be used on
> FreeBSD and other systems that don't allow a process to keep the
> capability to adjust the clock without root. I'd prefer that over an
> approach that is specific to one system.

Yes - I can understand that and such a solution would be more maintainable.
> 
>> After chronyd is initialised (as root) the only privileged system calls
>> required are adjtime() and settimeofday(). These can easily be handled
>> with a simple IPC method.
> 
> There is another call that might be needed and which I suspect can't
> be separated that easily. If chronyd is not configured to open the NTP
> server port and the allow command is issued from chronyc, the process
> needs to be able to bind() the socket to the port 123. Anyway, I think
> it'd be an acceptable limitation, which is already present in the
> current NetBSD support for dropping root privileges.

This would usually be done over a unix socket, the descriptor being passed between the processes, but that then raises the issue of security on the unix socket.

I'll check through the apple docs and query their developer forum to find out what caveats apply to using fork() / pipes as you suggest.

Bryan
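The fork()-plus-descriptor-passing design discussed in this exchange, as an added example that is neither chrony's code nor Bryan's helper: a forked helper that keeps the privilege binds a UDP socket and passes it back to the unprivileged side over a socketpair with SCM_RIGHTS. The function names, the loopback address and binding to port 0 (so the example runs without root) are assumptions for illustration; a real helper would permit only the port the daemon is configured to serve.

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

/* Ancillary-data buffer sized and aligned for exactly one descriptor. */
union fdmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Pass one descriptor over a unix socket with SCM_RIGHTS; 0 on success. */
static int send_fd(int sock, int fd) {
    char byte = 0; union fdmsg u; struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    u.hdr.cmsg_level = SOL_SOCKET; u.hdr.cmsg_type = SCM_RIGHTS;
    u.hdr.cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(&u.hdr), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); returns it or -1. */
static int recv_fd(int sock) {
    char byte; union fdmsg u; int fd = -1; struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* The forked helper keeps the privilege, binds a UDP socket to `port` on loopback
 * and hands it back; a real helper accepts only a fixed allow-list (e.g. port 123). */
int bind_udp_via_helper(int port) {
    int sv[2], fd = -1; struct sockaddr_in sin = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                  /* helper side */
        sin.sin_family = AF_INET; sin.sin_port = htons(port);
        sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd >= 0 && bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0)
            send_fd(sv[1], fd);
        _exit(0);
    }
    close(sv[1]);                             /* unprivileged side */
    if (pid > 0) { fd = recv_fd(sv[0]); waitpid(pid, NULL, 0); }
    close(sv[0]);
    return fd;
}
```

The same channel would carry adjtime()/settimeofday() requests as small fixed-format messages that the helper validates before acting on them; the socketpair is private to the two processes, which avoids the access-control question raised for a named unix socket.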



