[chrony-dev] [PATCH] MacOSX - Drop root priviliges

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


Before dropping root privileges, chronyd forks and runs a helper
task that will remain privileged and perform adjtime() and
settimeofday() operations on behalf of the soon to be non-privileged
chronyd. Communication between chronyd and the helper is via UNIX
pipes.
---
 Makefile.in    |   2 +-
 chrony.texi.in |   7 +-
 chronyd.8.in   |   2 +-
 configure      |   1 +
 logging.h      |   1 +
 privops.c      | 372 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 privops.h      |  11 ++
 sys.c          |   2 +
 sys_macosx.c   |  39 +++++-
 sys_macosx.h   |   1 +
 10 files changed, 429 insertions(+), 9 deletions(-)
 create mode 100644 privops.c
 create mode 100644 privops.h

diff --git a/Makefile.in b/Makefile.in
index 6ac0c9e..374d565 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -38,7 +38,7 @@ DESTDIR=
 
 HASH_OBJ = @HASH_OBJ@
 
-OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o \
+OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o privops.o \
        reference.o regress.o rtc.o sched.o sources.o sourcestats.o stubs.o \
        sys.o smooth.o tempcomp.o util.o $(HASH_OBJ)
 
diff --git a/chrony.texi.in b/chrony.texi.in
index b56fb81..3e679bc 100644
--- a/chrony.texi.in
+++ b/chrony.texi.in
@@ -978,7 +978,8 @@ This option sets the name of the system user to which @code{chronyd} will
 switch after start in order to drop root privileges.  It overrides the
 @code{user} directive (default @code{@DEFAULT_USER@}).  It may be set to a
 non-root user only when @code{chronyd} is compiled with support for Linux
-capabilities (libcap) or on NetBSD with the @code{/dev/clockctl} device.
+capabilities (libcap), NetBSD with the @code{/dev/clockctl} device and
+MacOS X.
 @item -F <level>
 This option configures a system call filter when @code{chronyd} is compiled with
 support for the Linux secure computing (seccomp) facility. In level 1 the
@@ -3169,8 +3170,8 @@ Valid measurements with corresponding compensations are logged to the
 The @code{user} directive sets the name of the system user to which
 @code{chronyd} will switch after start in order to drop root privileges.
 It may be set to a non-root user only when @code{chronyd} is compiled with
-support for Linux capabilities (libcap) or on NetBSD with the
-@code{/dev/clockctl} device.
+support for Linux capabilities (libcap), on NetBSD with the
+@code{/dev/clockctl} device amd MacOS X.
 
 The default value is @code{@DEFAULT_USER@}.
 @c }}}
diff --git a/chronyd.8.in b/chronyd.8.in
index b5b0882..9a40007 100644
--- a/chronyd.8.in
+++ b/chronyd.8.in
@@ -103,7 +103,7 @@ This option sets the name of the system user to which \fBchronyd\fR will switch
 after start in order to drop root privileges.  It overrides the \fBuser\fR
 directive (default \fB@DEFAULT_USER@\fR).  It may be set to a non-root user
 only when \fBchronyd\fR is compiled with support for Linux capabilities
-(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
+(libcap), on NetBSD with the \fB/dev/clockctl\fR device and MacOS X.
 .TP
 \fB\-F\fR \fIlevel\fR
 This option configures a system call filter when \fBchronyd\fR is compiled with
diff --git a/configure b/configure
index e9e596d..4009199 100755
--- a/configure
+++ b/configure
@@ -392,6 +392,7 @@ case $OPERATINGSYSTEM in
         EXTRA_LIBS="-lresolv"
         EXTRA_CLI_LIBS="-lresolv"
         add_def MACOSX
+        add_def FEAT_PRIVDROP
         echo "Configuring for MacOS X (" $SYSTEM "MacOS X version" $VERSION ")"
     ;;
     SunOS)
diff --git a/logging.h b/logging.h
index b480c42..c19a40a 100644
--- a/logging.h
+++ b/logging.h
@@ -100,6 +100,7 @@ typedef enum {
   LOGF_Keys,
   LOGF_Logging,
   LOGF_Nameserv,
+  LOGF_Priv,
   LOGF_Rtc,
   LOGF_Regress,
   LOGF_Sys,
diff --git a/privops.c b/privops.c
new file mode 100644
index 0000000..6369eb8
--- /dev/null
+++ b/privops.c
@@ -0,0 +1,372 @@
+/*
+  chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ **********************************************************************
+
+  =======================================================================
+
+  Perform privileged operations over pipes to a privileged fork.
+
+*/
+#include "config.h"
+
+#if defined(MACOSX) && defined(FEAT_PRIVDROP)
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/time.h>
+
+#include "logging.h"
+#include "privops.h"
+
+#define op_ADJTIME      1024
+#define op_SETTIMEOFDAY 1025
+
+/* daemon request struct */
+#define ARG_SIZE (sizeof(struct timeval) + sizeof(struct timezone))
+typedef struct {
+  int op;
+  int size;
+  char args[ARG_SIZE];
+} priv_request_t;
+
+
+/* helper response struct */
+#define RESPONSE_SIZE sizeof(struct timeval)
+typedef struct {
+  int rc;
+  int res_errno;
+  int size;
+  char response[RESPONSE_SIZE];
+} priv_response_t;
+
+static int fd_read = -1;
+static int fd_write = -1;
+
+/* ======================================================================= */
+
+/* HELPER - read daemon request from the pipe */
+
+static int
+readrequest(int fd, priv_request_t *req)
+{
+  int op;
+  int size;
+  int nbytes;
+
+  nbytes = read(fd, &op, sizeof(op));
+  if (nbytes < sizeof(op)) {
+    return -1;
+  }
+  nbytes = read(fd, &size, sizeof(size));
+  if (nbytes < sizeof(size)) {
+    return -1;
+  }
+  nbytes = read(fd, req->args, size);
+  if (nbytes < size) {
+    return -1;
+  }
+  req->op = op;
+  req->size = size;
+
+  return size;
+}
+
+/* ======================================================================= */
+
+/* HELPER - send response to the pipe */
+
+static int
+sendresponse(int fd, const priv_response_t *res)
+{
+  int nbytes;
+  int size;
+
+  size = (int)sizeof(priv_response_t) - (int)sizeof(res->response) + res->size;
+  nbytes = write(fd, res, size);
+  if (nbytes != size) {
+    // something bad happened
+    return -1;
+  }
+  return 0;
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform adjtime() */
+
+static int
+do_adjtime(int fd, const struct timeval *delta)
+{
+  int rc;
+  struct timeval olddelta;
+  priv_response_t res;
+
+  memset(&res, 0, sizeof(res));
+  rc = adjtime(delta, &olddelta);
+  res.rc = rc;
+  if (rc != 0) {
+    // save errno for use by the daemon
+    res.res_errno = errno;
+  } else {
+    res.size = sizeof(struct timeval);
+    memcpy(res.response, &olddelta, sizeof(struct timeval));
+  }
+  return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform settimeofday() */
+
+static int
+do_settimeofday(int fd, const struct timeval *tv, const struct timezone *tz)
+{
+  int rc;
+  priv_response_t res;
+
+  memset(&res, 0, sizeof(res));
+  rc = settimeofday(tv, tz);
+  res.rc = rc;
+  if (rc != 0) {
+    // save errno for use by the daemon
+    res.res_errno = errno;
+  }
+  return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - main loop - action requests from the daemon */
+
+static void
+runhelper(int fd_in, int fd_out)
+{
+  priv_request_t req;
+  while (1) {
+    int nbytes;
+
+    nbytes = readrequest(fd_in, &req);
+    if (nbytes < 0) {
+      // read error or closed input - we cant recover - give up
+      return;
+    }
+    switch (req.op) {
+    default:
+      LOG_FATAL(LOGF_Priv, "Unexpected operator : %d", req.op);
+      break;
+
+    case op_ADJTIME:
+      if (nbytes == sizeof(struct timeval)) {
+        do_adjtime(fd_out, (struct timeval *)req.args);
+      } else if (nbytes == 0) {
+          // cannot be triggered on MacOS X
+          do_adjtime(fd_out, NULL);
+      }
+      break;
+
+    case op_SETTIMEOFDAY:
+      if (nbytes == sizeof(struct timeval)) {
+        do_settimeofday(fd_out, (struct timeval *)req.args, NULL);
+      } else if (nbytes == sizeof(struct timeval) + sizeof(struct timezone)) {
+        // this is probably never triggered - added for completeness
+        struct timezone *tz = (struct timezone *)(req.args + sizeof(struct timeval));
+        do_settimeofday(fd_out, (struct timeval *)req.args, tz);
+      }
+      break;
+    }
+  }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - read helper response from the pipe */
+
+static int
+readresponse(int fd, priv_response_t *res)
+{
+  int nbytes;
+
+  nbytes = read(fd, res, sizeof(priv_response_t));
+  if (nbytes <= 0) {
+    LOG_FATAL(LOGF_Priv, "Error reading from helper pipe : %s", strerror(errno));
+  }
+
+  // if operation failed in the helper, set errno so daemon can print log message
+  if (res->rc != 0) {
+    errno = res->res_errno;
+    return -1;
+  }
+  return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - send daemon request to the pipe */
+
+static int
+sendrequest(int fd, const priv_request_t *req)
+{
+  int size;
+  int nbytes;
+
+  size = (int)sizeof(priv_request_t) - (int)sizeof(req->args) + req->size;
+  nbytes = write(fd, req, size);
+  if (nbytes != size) {
+    LOG_FATAL(LOGF_Priv, "Error writing to helper pipe : %s", strerror(errno));
+  }
+  return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request adjtime() */
+
+int
+PRV_adjtime(const struct timeval *delta, struct timeval *olddelta)
+{
+  priv_request_t req;
+  priv_response_t res;
+
+  req.op = op_ADJTIME;
+  req.size = 0;
+
+  if (delta) {
+    req.size = sizeof(struct timeval);
+    memcpy(req.args, delta, sizeof(struct timeval));
+  }
+
+  if (sendrequest(fd_write, &req) != 0) {
+    return -1;
+  }
+
+  if (readresponse(fd_read, &res) != 0) {
+    // something bad happened
+    return -1;
+  }
+
+  if (res.size != sizeof(struct timeval)) {
+    return -1;
+  }
+  if (olddelta) {
+    memcpy(olddelta, res.response, sizeof(struct timeval));
+  }
+  return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request settimeofday() */
+
+int
+PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp)
+{
+  priv_request_t req;
+  priv_response_t res;
+
+  req.op = op_SETTIMEOFDAY;
+  req.size = sizeof(struct timeval);
+  memcpy(req.args, tp, sizeof(struct timeval));
+
+  if (tzp) {
+    req.size += sizeof(struct timezone);
+    memcpy(req.args + sizeof(struct timeval), tzp, sizeof(struct timezone));
+  }
+
+  if (sendrequest(fd_write, &req) != 0) {
+    return -1;
+  }
+
+  if (readresponse(fd_read, &res) != 0) {
+    // something bad happened
+    return -1;
+  }
+
+  return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - setup pipes then fork to run the helper */
+/* must be called before privileges are dropped */
+
+void
+PRV_start(void)
+{
+  pid_t pid;
+  int fd_response[2];
+  int fd_request[2];
+
+  if (fd_read >= 0 || fd_write >= 0) {
+    LOG_FATAL(LOGF_Priv, "PRV_start, helper is already running");
+  }
+
+  if (pipe(fd_response)) {
+    LOG_FATAL(LOGF_Priv, "PRV_start, response pipe failed : %s", strerror(errno));
+  }
+  if (pipe(fd_request)) {
+    LOG_FATAL(LOGF_Priv, "PRV_start, request pipe failed : %s", strerror(errno));
+  }
+
+  pid = fork();
+  if (pid == -1) {
+    LOG_FATAL(LOGF_Priv, "PRV_start, fork failed : %s", strerror(errno));
+  }
+
+  if (pid == 0) {
+    // child process
+    close(fd_response[0]);
+    close(fd_request[1]);
+
+    runhelper(fd_request[0], fd_response[1]);
+
+    // cleanup before exit
+    close(fd_request[0]);
+    close(fd_response[1]);
+
+    exit(0);
+
+  } else {
+    // parent process
+    close(fd_response[1]);
+    close(fd_request[0]);
+    fd_read = fd_response[0];
+    fd_write = fd_request[1];
+  }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - graceful shutdown of the helper */
+
+void
+PRV_stop(void)
+{
+  int status;
+  close(fd_read);
+  close(fd_write);
+  fd_read = -1;
+  fd_write = -1;
+  wait(&status);
+}
+
+#endif
diff --git a/privops.h b/privops.h
new file mode 100644
index 0000000..a1bf57e
--- /dev/null
+++ b/privops.h
@@ -0,0 +1,11 @@
+#ifndef _PRIVOPS_H_
+#define _PRIVOPS_H_
+
+int PRV_adjtime(const struct timeval *delta, struct timeval *olddelta);
+
+int PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp);
+
+void PRV_start(void);
+
+void PRV_stop(void);
+#endif
\ No newline at end of file
diff --git a/sys.c b/sys.c
index 4009796..f3844c6 100644
--- a/sys.c
+++ b/sys.c
@@ -92,6 +92,8 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
   SYS_Linux_DropRoot(uid, gid);
 #elif defined(NETBSD) && defined(FEAT_PRIVDROP)
   SYS_NetBSD_DropRoot(uid, gid);
+#elif defined(MACOSX) && defined(FEAT_PRIVDROP)
+  SYS_MacOSX_DropRoot(uid, gid);
 #else
   LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
 #endif
diff --git a/sys_macosx.c b/sys_macosx.c
index 200b62c..558c1c3 100644
--- a/sys_macosx.c
+++ b/sys_macosx.c
@@ -50,6 +50,7 @@
 #include "localp.h"
 #include "sched.h"
 #include "logging.h"
+#include "privops.h"
 #include "util.h"
 
 /* ================================================== */
@@ -96,6 +97,11 @@ static struct timeval Tdrift;
 
 #define NANOS_PER_MSEC (1000000ULL)
 
+/* use native adjtime and settimeofday when running as root */
+static int drop_priv = 0;
+static int (*sys_adjtime)(const struct timeval *, struct timeval *) = adjtime;
+static int (*sys_settimeofday)(const struct timeval *, const struct timezone *) = settimeofday;
+
 /* ================================================== */
 
 static void
@@ -117,7 +123,7 @@ clock_initialise(void)
   newadj.tv_sec = 0;
   newadj.tv_usec = 0;
 
-  if (adjtime(&newadj, &oldadj) < 0) {
+  if (sys_adjtime(&newadj, &oldadj) < 0) {
     LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
   }
 }
@@ -169,7 +175,7 @@ start_adjust(void)
   UTI_TimevalToDouble(&newadj, &adjustment_requested);
   rounding_error = adjust_required - adjustment_requested;
 
-  if (adjtime(&newadj, &oldadj) < 0) {
+  if (sys_adjtime(&newadj, &oldadj) < 0) {
     LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
   }
 
@@ -193,7 +199,7 @@ stop_adjust(void)
   zeroadj.tv_sec = 0;
   zeroadj.tv_usec = 0;
 
-  if (adjtime(&zeroadj, &remadj) < 0) {
+  if (sys_adjtime(&zeroadj, &remadj) < 0) {
     LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
   }
 
@@ -244,7 +250,7 @@ apply_step_offset(double offset)
 
   UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
 
-  if (settimeofday(&new_time, NULL) < 0) {
+  if (sys_settimeofday(&new_time, NULL) < 0) {
     DEBUG_LOG(LOGF_SysMacOSX, "settimeofday() failed");
     return 0;
   }
@@ -427,8 +433,33 @@ SYS_MacOSX_Finalise(void)
   }
 
   clock_finalise();
+  if (drop_priv) {
+    PRV_stop();
+  }
 }
 
 /* ================================================== */
 
+void
+SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+{
+  PRV_start();
+
+  if (setgroups(0, NULL))
+    LOG_FATAL(LOGF_SysMacOSX, "setgroups() failed : %s", strerror(errno));
+
+  if (setgid(gid))
+    LOG_FATAL(LOGF_SysMacOSX, "setgid(%d) failed : %s", gid, strerror(errno));
+
+  if (setuid(uid))
+    LOG_FATAL(LOGF_SysMacOSX, "setuid(%d) failed : %s", uid, strerror(errno));
+
+  DEBUG_LOG(LOGF_SysMacOSX, "Root dropped to uid %d gid %d", uid, gid);
+
+  /* use privileged helper adjtime and settimeofday */
+  sys_adjtime = PRV_adjtime;
+  sys_settimeofday = PRV_settimeofday;
+  drop_priv = 1;
+}
+
 #endif
diff --git a/sys_macosx.h b/sys_macosx.h
index 707700d..64be5e7 100644
--- a/sys_macosx.h
+++ b/sys_macosx.h
@@ -33,5 +33,6 @@
 void SYS_MacOSX_SetScheduler(int SchedPriority);
 void SYS_MacOSX_Initialise(void);
 void SYS_MacOSX_Finalise(void);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
 
 #endif
-- 
2.3.8 (Apple Git-58)


-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/