| [chrony-dev] [PATCH] MacOSX - Drop root priviliges |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] [PATCH] MacOSX - Drop root priviliges
- From: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Date: Thu, 22 Oct 2015 12:26:15 +1300
- Cc: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Message-Id:Date: Subject:To:From; bh=KRvkW0LjNvNSkVwcSCUFDqakcqkj3cnnDLjldkPSOPU=; b=0BDjvlrHz qYevLo66sgGaG2HsGT93eWxW7R9SfrUcLAPptkIuVRaaQpS5rwiTlJAzY97Xwqstcr0f3bfCLRJkP Sk0CA9Q78W5VE8fiJbT0E+gUPCqSPaSUx1M19HczULPaa5yRQ7bl3gbI/Cv6L77aIw1NqXhQ9H1fu D9jb56dMByvjywZk/C7NYbwbMiKLKmWKrTZtuhRZdA0wtRQXuNjpO/UIK5E+XxuBpyNhpMqatN3rq gdvYPAFj0b1sLpu/fAjF+clpLMb+D9Z8Rmrrt0Chj9Iv6C37VXgRICyu7e4E9DdfFeJmXdUa365BL I0StO2+Zv+sFseNFKBkaMbRSg==;
- Feedback-id: 149811m:149811acx33YQ:149811s2GAGMqiPf:SMTPCORP
Before dropping root privileges, chronyd forks and runs a helper
task that will remain privileged and perform adjtime() and
settimeofday() operations on behalf of the soon to be non-privileged
chronyd. Communication between chronyd and the helper is via UNIX
pipes.
---
Makefile.in | 2 +-
chrony.texi.in | 7 +-
chronyd.8.in | 2 +-
configure | 1 +
logging.h | 1 +
privops.c | 372 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
privops.h | 11 ++
sys.c | 2 +
sys_macosx.c | 39 +++++-
sys_macosx.h | 1 +
10 files changed, 429 insertions(+), 9 deletions(-)
create mode 100644 privops.c
create mode 100644 privops.h
diff --git a/Makefile.in b/Makefile.in
index 6ac0c9e..374d565 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -38,7 +38,7 @@ DESTDIR=
HASH_OBJ = @HASH_OBJ@
-OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o \
+OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o privops.o \
reference.o regress.o rtc.o sched.o sources.o sourcestats.o stubs.o \
sys.o smooth.o tempcomp.o util.o $(HASH_OBJ)
diff --git a/chrony.texi.in b/chrony.texi.in
index b56fb81..3e679bc 100644
--- a/chrony.texi.in
+++ b/chrony.texi.in
@@ -978,7 +978,8 @@ This option sets the name of the system user to which @code{chronyd} will
switch after start in order to drop root privileges. It overrides the
@code{user} directive (default @code{@DEFAULT_USER@}). It may be set to a
non-root user only when @code{chronyd} is compiled with support for Linux
-capabilities (libcap) or on NetBSD with the @code{/dev/clockctl} device.
+capabilities (libcap), NetBSD with the @code{/dev/clockctl} device and
+MacOS X.
@item -F <level>
This option configures a system call filter when @code{chronyd} is compiled with
support for the Linux secure computing (seccomp) facility. In level 1 the
@@ -3169,8 +3170,8 @@ Valid measurements with corresponding compensations are logged to the
The @code{user} directive sets the name of the system user to which
@code{chronyd} will switch after start in order to drop root privileges.
It may be set to a non-root user only when @code{chronyd} is compiled with
-support for Linux capabilities (libcap) or on NetBSD with the
-@code{/dev/clockctl} device.
+support for Linux capabilities (libcap), on NetBSD with the
+@code{/dev/clockctl} device amd MacOS X.
The default value is @code{@DEFAULT_USER@}.
@c }}}
diff --git a/chronyd.8.in b/chronyd.8.in
index b5b0882..9a40007 100644
--- a/chronyd.8.in
+++ b/chronyd.8.in
@@ -103,7 +103,7 @@ This option sets the name of the system user to which \fBchronyd\fR will switch
after start in order to drop root privileges. It overrides the \fBuser\fR
directive (default \fB@DEFAULT_USER@\fR). It may be set to a non-root user
only when \fBchronyd\fR is compiled with support for Linux capabilities
-(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
+(libcap), on NetBSD with the \fB/dev/clockctl\fR device and MacOS X.
.TP
\fB\-F\fR \fIlevel\fR
This option configures a system call filter when \fBchronyd\fR is compiled with
diff --git a/configure b/configure
index e9e596d..4009199 100755
--- a/configure
+++ b/configure
@@ -392,6 +392,7 @@ case $OPERATINGSYSTEM in
EXTRA_LIBS="-lresolv"
EXTRA_CLI_LIBS="-lresolv"
add_def MACOSX
+ add_def FEAT_PRIVDROP
echo "Configuring for MacOS X (" $SYSTEM "MacOS X version" $VERSION ")"
;;
SunOS)
diff --git a/logging.h b/logging.h
index b480c42..c19a40a 100644
--- a/logging.h
+++ b/logging.h
@@ -100,6 +100,7 @@ typedef enum {
LOGF_Keys,
LOGF_Logging,
LOGF_Nameserv,
+ LOGF_Priv,
LOGF_Rtc,
LOGF_Regress,
LOGF_Sys,
diff --git a/privops.c b/privops.c
new file mode 100644
index 0000000..6369eb8
--- /dev/null
+++ b/privops.c
@@ -0,0 +1,372 @@
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ Perform privileged operations over pipes to a privileged fork.
+
+*/
+#include "config.h"
+
+#if defined(MACOSX) && defined(FEAT_PRIVDROP)
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/time.h>
+
+#include "logging.h"
+#include "privops.h"
+
+#define op_ADJTIME 1024
+#define op_SETTIMEOFDAY 1025
+
+/* daemon request struct */
+#define ARG_SIZE (sizeof(struct timeval) + sizeof(struct timezone))
+typedef struct {
+ int op;
+ int size;
+ char args[ARG_SIZE];
+} priv_request_t;
+
+
+/* helper response struct */
+#define RESPONSE_SIZE sizeof(struct timeval)
+typedef struct {
+ int rc;
+ int res_errno;
+ int size;
+ char response[RESPONSE_SIZE];
+} priv_response_t;
+
+static int fd_read = -1;
+static int fd_write = -1;
+
+/* ======================================================================= */
+
+/* HELPER - read daemon request from the pipe */
+
+static int
+readrequest(int fd, priv_request_t *req)
+{
+ int op;
+ int size;
+ int nbytes;
+
+ nbytes = read(fd, &op, sizeof(op));
+ if (nbytes < sizeof(op)) {
+ return -1;
+ }
+ nbytes = read(fd, &size, sizeof(size));
+ if (nbytes < sizeof(size)) {
+ return -1;
+ }
+ nbytes = read(fd, req->args, size);
+ if (nbytes < size) {
+ return -1;
+ }
+ req->op = op;
+ req->size = size;
+
+ return size;
+}
+
+/* ======================================================================= */
+
+/* HELPER - send response to the pipe */
+
+static int
+sendresponse(int fd, const priv_response_t *res)
+{
+ int nbytes;
+ int size;
+
+ size = (int)sizeof(priv_response_t) - (int)sizeof(res->response) + res->size;
+ nbytes = write(fd, res, size);
+ if (nbytes != size) {
+ // something bad happened
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform adjtime() */
+
+static int
+do_adjtime(int fd, const struct timeval *delta)
+{
+ int rc;
+ struct timeval olddelta;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = adjtime(delta, &olddelta);
+ res.rc = rc;
+ if (rc != 0) {
+ // save errno for use by the daemon
+ res.res_errno = errno;
+ } else {
+ res.size = sizeof(struct timeval);
+ memcpy(res.response, &olddelta, sizeof(struct timeval));
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform settimeofday() */
+
+static int
+do_settimeofday(int fd, const struct timeval *tv, const struct timezone *tz)
+{
+ int rc;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = settimeofday(tv, tz);
+ res.rc = rc;
+ if (rc != 0) {
+ // save errno for use by the daemon
+ res.res_errno = errno;
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - main loop - action requests from the daemon */
+
+static void
+runhelper(int fd_in, int fd_out)
+{
+ priv_request_t req;
+ while (1) {
+ int nbytes;
+
+ nbytes = readrequest(fd_in, &req);
+ if (nbytes < 0) {
+ // read error or closed input - we cant recover - give up
+ return;
+ }
+ switch (req.op) {
+ default:
+ LOG_FATAL(LOGF_Priv, "Unexpected operator : %d", req.op);
+ break;
+
+ case op_ADJTIME:
+ if (nbytes == sizeof(struct timeval)) {
+ do_adjtime(fd_out, (struct timeval *)req.args);
+ } else if (nbytes == 0) {
+ // cannot be triggered on MacOS X
+ do_adjtime(fd_out, NULL);
+ }
+ break;
+
+ case op_SETTIMEOFDAY:
+ if (nbytes == sizeof(struct timeval)) {
+ do_settimeofday(fd_out, (struct timeval *)req.args, NULL);
+ } else if (nbytes == sizeof(struct timeval) + sizeof(struct timezone)) {
+ // this is probably never triggered - added for completeness
+ struct timezone *tz = (struct timezone *)(req.args + sizeof(struct timeval));
+ do_settimeofday(fd_out, (struct timeval *)req.args, tz);
+ }
+ break;
+ }
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - read helper response from the pipe */
+
+static int
+readresponse(int fd, priv_response_t *res)
+{
+ int nbytes;
+
+ nbytes = read(fd, res, sizeof(priv_response_t));
+ if (nbytes <= 0) {
+ LOG_FATAL(LOGF_Priv, "Error reading from helper pipe : %s", strerror(errno));
+ }
+
+ // if operation failed in the helper, set errno so daemon can print log message
+ if (res->rc != 0) {
+ errno = res->res_errno;
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - send daemon request to the pipe */
+
+static int
+sendrequest(int fd, const priv_request_t *req)
+{
+ int size;
+ int nbytes;
+
+ size = (int)sizeof(priv_request_t) - (int)sizeof(req->args) + req->size;
+ nbytes = write(fd, req, size);
+ if (nbytes != size) {
+ LOG_FATAL(LOGF_Priv, "Error writing to helper pipe : %s", strerror(errno));
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request adjtime() */
+
+int
+PRV_adjtime(const struct timeval *delta, struct timeval *olddelta)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ req.op = op_ADJTIME;
+ req.size = 0;
+
+ if (delta) {
+ req.size = sizeof(struct timeval);
+ memcpy(req.args, delta, sizeof(struct timeval));
+ }
+
+ if (sendrequest(fd_write, &req) != 0) {
+ return -1;
+ }
+
+ if (readresponse(fd_read, &res) != 0) {
+ // something bad happened
+ return -1;
+ }
+
+ if (res.size != sizeof(struct timeval)) {
+ return -1;
+ }
+ if (olddelta) {
+ memcpy(olddelta, res.response, sizeof(struct timeval));
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request settimeofday() */
+
+int
+PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ req.op = op_SETTIMEOFDAY;
+ req.size = sizeof(struct timeval);
+ memcpy(req.args, tp, sizeof(struct timeval));
+
+ if (tzp) {
+ req.size += sizeof(struct timezone);
+ memcpy(req.args + sizeof(struct timeval), tzp, sizeof(struct timezone));
+ }
+
+ if (sendrequest(fd_write, &req) != 0) {
+ return -1;
+ }
+
+ if (readresponse(fd_read, &res) != 0) {
+ // something bad happened
+ return -1;
+ }
+
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - setup pipes then fork to run the helper */
+/* must be called before privileges are dropped */
+
+void
+PRV_start(void)
+{
+ pid_t pid;
+ int fd_response[2];
+ int fd_request[2];
+
+ if (fd_read >= 0 || fd_write >= 0) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, helper is already running");
+ }
+
+ if (pipe(fd_response)) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, response pipe failed : %s", strerror(errno));
+ }
+ if (pipe(fd_request)) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, request pipe failed : %s", strerror(errno));
+ }
+
+ pid = fork();
+ if (pid == -1) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, fork failed : %s", strerror(errno));
+ }
+
+ if (pid == 0) {
+ // child process
+ close(fd_response[0]);
+ close(fd_request[1]);
+
+ runhelper(fd_request[0], fd_response[1]);
+
+ // cleanup before exit
+ close(fd_request[0]);
+ close(fd_response[1]);
+
+ exit(0);
+
+ } else {
+ // parent process
+ close(fd_response[1]);
+ close(fd_request[0]);
+ fd_read = fd_response[0];
+ fd_write = fd_request[1];
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - graceful shutdown of the helper */
+
+void
+PRV_stop(void)
+{
+ int status;
+ close(fd_read);
+ close(fd_write);
+ fd_read = -1;
+ fd_write = -1;
+ wait(&status);
+}
+
+#endif
diff --git a/privops.h b/privops.h
new file mode 100644
index 0000000..a1bf57e
--- /dev/null
+++ b/privops.h
@@ -0,0 +1,11 @@
+#ifndef _PRIVOPS_H_
+#define _PRIVOPS_H_
+
+int PRV_adjtime(const struct timeval *delta, struct timeval *olddelta);
+
+int PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp);
+
+void PRV_start(void);
+
+void PRV_stop(void);
+#endif
\ No newline at end of file
diff --git a/sys.c b/sys.c
index 4009796..f3844c6 100644
--- a/sys.c
+++ b/sys.c
@@ -92,6 +92,8 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
SYS_Linux_DropRoot(uid, gid);
#elif defined(NETBSD) && defined(FEAT_PRIVDROP)
SYS_NetBSD_DropRoot(uid, gid);
+#elif defined(MACOSX) && defined(FEAT_PRIVDROP)
+ SYS_MacOSX_DropRoot(uid, gid);
#else
LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
#endif
diff --git a/sys_macosx.c b/sys_macosx.c
index 200b62c..558c1c3 100644
--- a/sys_macosx.c
+++ b/sys_macosx.c
@@ -50,6 +50,7 @@
#include "localp.h"
#include "sched.h"
#include "logging.h"
+#include "privops.h"
#include "util.h"
/* ================================================== */
@@ -96,6 +97,11 @@ static struct timeval Tdrift;
#define NANOS_PER_MSEC (1000000ULL)
+/* use native adjtime and settimeofday when running as root */
+static int drop_priv = 0;
+static int (*sys_adjtime)(const struct timeval *, struct timeval *) = adjtime;
+static int (*sys_settimeofday)(const struct timeval *, const struct timezone *) = settimeofday;
+
/* ================================================== */
static void
@@ -117,7 +123,7 @@ clock_initialise(void)
newadj.tv_sec = 0;
newadj.tv_usec = 0;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (sys_adjtime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
}
@@ -169,7 +175,7 @@ start_adjust(void)
UTI_TimevalToDouble(&newadj, &adjustment_requested);
rounding_error = adjust_required - adjustment_requested;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (sys_adjtime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
@@ -193,7 +199,7 @@ stop_adjust(void)
zeroadj.tv_sec = 0;
zeroadj.tv_usec = 0;
- if (adjtime(&zeroadj, &remadj) < 0) {
+ if (sys_adjtime(&zeroadj, &remadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
@@ -244,7 +250,7 @@ apply_step_offset(double offset)
UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
- if (settimeofday(&new_time, NULL) < 0) {
+ if (sys_settimeofday(&new_time, NULL) < 0) {
DEBUG_LOG(LOGF_SysMacOSX, "settimeofday() failed");
return 0;
}
@@ -427,8 +433,33 @@ SYS_MacOSX_Finalise(void)
}
clock_finalise();
+ if (drop_priv) {
+ PRV_stop();
+ }
}
/* ================================================== */
+void
+SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+{
+ PRV_start();
+
+ if (setgroups(0, NULL))
+ LOG_FATAL(LOGF_SysMacOSX, "setgroups() failed : %s", strerror(errno));
+
+ if (setgid(gid))
+ LOG_FATAL(LOGF_SysMacOSX, "setgid(%d) failed : %s", gid, strerror(errno));
+
+ if (setuid(uid))
+ LOG_FATAL(LOGF_SysMacOSX, "setuid(%d) failed : %s", uid, strerror(errno));
+
+ DEBUG_LOG(LOGF_SysMacOSX, "Root dropped to uid %d gid %d", uid, gid);
+
+ /* use privileged helper adjtime and settimeofday */
+ sys_adjtime = PRV_adjtime;
+ sys_settimeofday = PRV_settimeofday;
+ drop_priv = 1;
+}
+
#endif
diff --git a/sys_macosx.h b/sys_macosx.h
index 707700d..64be5e7 100644
--- a/sys_macosx.h
+++ b/sys_macosx.h
@@ -33,5 +33,6 @@
void SYS_MacOSX_SetScheduler(int SchedPriority);
void SYS_MacOSX_Initialise(void);
void SYS_MacOSX_Finalise(void);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
#endif
--
2.3.8 (Apple Git-58)
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.