| [chrony-dev] [PATCH] MacOSX - Drop root privileges |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] [PATCH] MacOSX - Drop root privileges
- From: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Date: Sun, 1 Nov 2015 18:29:06 +1300
- Cc: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Message-Id:Date: Subject:To:From; bh=2jubZ7Yv4CYC98YSPNMxPsa0ieTE1YkT7StWXtQODfU=; b=3CY9cP/pI ntuW6Myz1mUeldD6s6Z+Iylx0j7vxpHDhNDLrmEcs805poOHnrzkJ5YfEEKL70kbgZXaYNGUcYjiO shSYDdzJWDxQYf9lg44aV0rzKxDIEMm7win+CdbWbeELJkPDTM9BcCf6N0zV+G926D4FkVfyssH7O o7DTp9lKh4vT1U8YgCcVlSiyFFtBjeU4/Lw6BjqJ6JGmKMqNYOnl3xgLE36X1yYSjTDSx1Fa0N6my Rr+o3NTyiGo7VnrxKxww59EY2uFuNiy5TAE2FciMcZAnnptT1CDrUmhMx4IUtwhyrQ8Cok1C7y853 QKOoxR2XNmYgzdusBG56xXFQQ==;
- Feedback-id: 149811m:149811acx33YQ:149811sX2vBvoz1y:SMTPCORP
Before dropping root privileges, chronyd forks and runs a helper
process that will remain privileged and perform bind(), adjtime() and
settimeofday() operations on behalf of the soon to be non-privileged
chronyd. Use an AF_UNIX socket pair as a full duplex channel between
the privileged helper and chronyd.
---
Makefile.in | 2 +-
chrony.texi.in | 7 +-
chronyd.8.in | 2 +-
configure | 1 +
logging.h | 1 +
ntp_io.c | 148 +++++++++-----
ntp_io.h | 5 +
privops.c | 595 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
privops.h | 38 ++++
sys.c | 2 +
sys_macosx.c | 43 ++++-
sys_macosx.h | 1 +
12 files changed, 783 insertions(+), 62 deletions(-)
create mode 100644 privops.c
create mode 100644 privops.h
diff --git a/Makefile.in b/Makefile.in
index 6ac0c9e..374d565 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -38,7 +38,7 @@ DESTDIR=
HASH_OBJ = @HASH_OBJ@
-OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o \
+OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o privops.o \
reference.o regress.o rtc.o sched.o sources.o sourcestats.o stubs.o \
sys.o smooth.o tempcomp.o util.o $(HASH_OBJ)
diff --git a/chrony.texi.in b/chrony.texi.in
index b56fb81..3e679bc 100644
--- a/chrony.texi.in
+++ b/chrony.texi.in
@@ -978,7 +978,8 @@ This option sets the name of the system user to which @code{chronyd} will
switch after start in order to drop root privileges. It overrides the
@code{user} directive (default @code{@DEFAULT_USER@}). It may be set to a
non-root user only when @code{chronyd} is compiled with support for Linux
-capabilities (libcap) or on NetBSD with the @code{/dev/clockctl} device.
+capabilities (libcap), NetBSD with the @code{/dev/clockctl} device and
+MacOS X.
@item -F <level>
This option configures a system call filter when @code{chronyd} is compiled with
support for the Linux secure computing (seccomp) facility. In level 1 the
@@ -3169,8 +3170,8 @@ Valid measurements with corresponding compensations are logged to the
The @code{user} directive sets the name of the system user to which
@code{chronyd} will switch after start in order to drop root privileges.
It may be set to a non-root user only when @code{chronyd} is compiled with
-support for Linux capabilities (libcap) or on NetBSD with the
-@code{/dev/clockctl} device.
+support for Linux capabilities (libcap), on NetBSD with the
+@code{/dev/clockctl} device amd MacOS X.
The default value is @code{@DEFAULT_USER@}.
@c }}}
diff --git a/chronyd.8.in b/chronyd.8.in
index b5b0882..9a40007 100644
--- a/chronyd.8.in
+++ b/chronyd.8.in
@@ -103,7 +103,7 @@ This option sets the name of the system user to which \fBchronyd\fR will switch
after start in order to drop root privileges. It overrides the \fBuser\fR
directive (default \fB@DEFAULT_USER@\fR). It may be set to a non-root user
only when \fBchronyd\fR is compiled with support for Linux capabilities
-(libcap) or on NetBSD with the \fB/dev/clockctl\fR device.
+(libcap), on NetBSD with the \fB/dev/clockctl\fR device and MacOS X.
.TP
\fB\-F\fR \fIlevel\fR
This option configures a system call filter when \fBchronyd\fR is compiled with
diff --git a/configure b/configure
index e9e596d..4009199 100755
--- a/configure
+++ b/configure
@@ -392,6 +392,7 @@ case $OPERATINGSYSTEM in
EXTRA_LIBS="-lresolv"
EXTRA_CLI_LIBS="-lresolv"
add_def MACOSX
+ add_def FEAT_PRIVDROP
echo "Configuring for MacOS X (" $SYSTEM "MacOS X version" $VERSION ")"
;;
SunOS)
diff --git a/logging.h b/logging.h
index b480c42..c19a40a 100644
--- a/logging.h
+++ b/logging.h
@@ -100,6 +100,7 @@ typedef enum {
LOGF_Keys,
LOGF_Logging,
LOGF_Nameserv,
+ LOGF_Priv,
LOGF_Rtc,
LOGF_Regress,
LOGF_Sys,
diff --git a/ntp_io.c b/ntp_io.c
index 24b1190..6204e16 100644
--- a/ntp_io.c
+++ b/ntp_io.c
@@ -37,6 +37,7 @@
#include "local.h"
#include "logging.h"
#include "conf.h"
+#include "privops.h"
#include "util.h"
#define INVALID_SOCK_FD -1
@@ -80,16 +81,15 @@ static int initialised=0;
/* Forward prototypes */
static void read_from_socket(void *anything);
+static int nio_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len);
+static int (*bind_socket)(int, int, int, struct sockaddr *, socklen_t) = nio_bind_socket;
/* ================================================== */
static int
-prepare_socket(int family, int port_number, int client_only)
+nio_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len)
{
- union sockaddr_in46 my_addr;
- socklen_t my_addr_len;
int sock_fd;
- IPAddr bind_address;
int on_off = 1;
/* Open Internet domain UDP socket for NTP message transmissions */
@@ -110,54 +110,6 @@ prepare_socket(int family, int port_number, int client_only)
/* Close on exec */
UTI_FdSetCloexec(sock_fd);
- /* Prepare local address */
- memset(&my_addr, 0, sizeof (my_addr));
- my_addr_len = 0;
-
- switch (family) {
- case AF_INET:
- if (!client_only)
- CNF_GetBindAddress(IPADDR_INET4, &bind_address);
- else
- CNF_GetBindAcquisitionAddress(IPADDR_INET4, &bind_address);
-
- if (bind_address.family == IPADDR_INET4)
- my_addr.in4.sin_addr.s_addr = htonl(bind_address.addr.in4);
- else if (port_number)
- my_addr.in4.sin_addr.s_addr = htonl(INADDR_ANY);
- else
- break;
-
- my_addr.in4.sin_family = family;
- my_addr.in4.sin_port = htons(port_number);
- my_addr_len = sizeof (my_addr.in4);
-
- break;
-#ifdef FEAT_IPV6
- case AF_INET6:
- if (!client_only)
- CNF_GetBindAddress(IPADDR_INET6, &bind_address);
- else
- CNF_GetBindAcquisitionAddress(IPADDR_INET6, &bind_address);
-
- if (bind_address.family == IPADDR_INET6)
- memcpy(my_addr.in6.sin6_addr.s6_addr, bind_address.addr.in6,
- sizeof (my_addr.in6.sin6_addr.s6_addr));
- else if (port_number)
- my_addr.in6.sin6_addr = in6addr_any;
- else
- break;
-
- my_addr.in6.sin6_family = family;
- my_addr.in6.sin6_port = htons(port_number);
- my_addr_len = sizeof (my_addr.in6);
-
- break;
-#endif
- default:
- assert(0);
- }
-
/* Make the socket capable of re-using an old address if binding to a specific port */
if (port_number &&
setsockopt(sock_fd, SOL_SOCKET, SO_REUSEADDR, (char *)&on_off, sizeof(on_off)) < 0) {
@@ -221,13 +173,81 @@ prepare_socket(int family, int port_number, int client_only)
#endif
/* Bind the socket if a port or address was specified */
- if (my_addr_len > 0 && bind(sock_fd, &my_addr.u, my_addr_len) < 0) {
+ if (sa_len > 0 && bind(sock_fd, sa, sa_len) < 0) {
LOG(LOGS_ERR, LOGF_NtpIO, "Could not bind %s NTP socket : %s",
UTI_SockaddrFamilyToString(family), strerror(errno));
close(sock_fd);
return INVALID_SOCK_FD;
}
+ return sock_fd;
+}
+
+/* ================================================== */
+
+static int
+prepare_socket(int family, int port_number, int client_only)
+{
+ int sock_fd;
+ union sockaddr_in46 my_addr;
+ socklen_t my_addr_len;
+ IPAddr bind_address;
+
+ /* Prepare local address */
+ memset(&my_addr, 0, sizeof (my_addr));
+ my_addr_len = 0;
+
+ switch (family) {
+ case AF_INET:
+ if (!client_only)
+ CNF_GetBindAddress(IPADDR_INET4, &bind_address);
+ else
+ CNF_GetBindAcquisitionAddress(IPADDR_INET4, &bind_address);
+
+ if (bind_address.family == IPADDR_INET4)
+ my_addr.in4.sin_addr.s_addr = htonl(bind_address.addr.in4);
+ else if (port_number)
+ my_addr.in4.sin_addr.s_addr = htonl(INADDR_ANY);
+ else
+ break;
+
+ my_addr.in4.sin_family = family;
+ my_addr.in4.sin_port = htons(port_number);
+ my_addr_len = sizeof (my_addr.in4);
+
+ break;
+#ifdef FEAT_IPV6
+ case AF_INET6:
+ if (!client_only)
+ CNF_GetBindAddress(IPADDR_INET6, &bind_address);
+ else
+ CNF_GetBindAcquisitionAddress(IPADDR_INET6, &bind_address);
+
+ if (bind_address.family == IPADDR_INET6)
+ memcpy(my_addr.in6.sin6_addr.s6_addr, bind_address.addr.in6,
+ sizeof (my_addr.in6.sin6_addr.s6_addr));
+ else if (port_number)
+ my_addr.in6.sin6_addr = in6addr_any;
+ else
+ break;
+
+ my_addr.in6.sin6_family = family;
+ my_addr.in6.sin6_port = htons(port_number);
+ my_addr_len = sizeof (my_addr.in6);
+
+ break;
+#endif
+ default:
+ assert(0);
+ }
+
+ /* if privileges have been dropped use privileged helper */
+ sock_fd = bind_socket(family, port_number, client_only, &my_addr.u, my_addr_len);
+
+ if (sock_fd < 0) {
+ return INVALID_SOCK_FD;
+ }
+
/* Register handler for read events on the socket */
SCH_AddInputFileHandler(sock_fd, read_from_socket, (void *)(long)sock_fd);
@@ -696,3 +716,25 @@ NIO_SendPacket(NTP_Packet *packet, NTP_Remote_Address *remote_addr, NTP_Local_Ad
{
return send_packet((void *) packet, length, remote_addr, local_addr);
}
+
+/* ================================================== */
+/* prepare an NTP socket */
+
+int
+NIO_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len)
+{
+ return nio_bind_socket(family, port_number, client_only, sa, sa_len);
+}
+
+/* ================================================== */
+/* Enable/Disable entry point for privileged helper */
+
+void
+NIO_setup_priv_helper(int enable)
+{
+ if (enable) {
+ bind_socket = PRV_bind_socket;
+ } else {
+ bind_socket = nio_bind_socket;
+ }
+}
diff --git a/ntp_io.h b/ntp_io.h
index cbdee56..4e5f8b6 100644
--- a/ntp_io.h
+++ b/ntp_io.h
@@ -56,4 +56,9 @@ extern int NIO_IsServerSocket(int sock_fd);
/* Function to transmit a packet */
extern int NIO_SendPacket(NTP_Packet *packet, NTP_Remote_Address *remote_addr, NTP_Local_Address *local_addr, int length);
+/* expose socket preparation to privileged helper */
+extern int NIO_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len);
+
+/* Setup entry points for priviliged helper */
+extern void NIO_setup_priv_helper(int enable);
#endif /* GOT_NTP_IO_H */
diff --git a/privops.c b/privops.c
new file mode 100644
index 0000000..e4141af
--- /dev/null
+++ b/privops.c
@@ -0,0 +1,595 @@
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ Perform privileged operations over a unix socket to a privileged fork.
+
+*/
+#include "config.h"
+
+#if defined(MACOSX) && defined(FEAT_PRIVDROP)
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/time.h>
+
+#include "conf.h"
+#include "logging.h"
+#include "ntp_io.h"
+#include "privops.h"
+#include "util.h"
+
+#define op_ADJTIME 1024
+#define op_SETTIMEOFDAY 1025
+#define op_BINDSOCKET 1026
+
+/* daemon request struct */
+#define ARG_SIZE 64
+typedef struct {
+ int op;
+ int arg_size;
+ char args[ARG_SIZE];
+} priv_request_t;
+
+
+/* helper response struct */
+#define RESPONSE_SIZE 64
+typedef struct {
+ int rc;
+ int res_errno;
+ int res_size;
+ char response[RESPONSE_SIZE];
+} priv_response_t;
+
+static int fd_unix = -1;
+
+/* ======================================================================= */
+
+/* HELPER - send a file descriptor over a a unix socket */
+
+static const char kDummyData = 'D';
+static const int kAcknowledgement = 'chrn';
+
+static int
+send_fd(int fd, int fdtowrite)
+{
+ int ack;
+ int err = -1;
+
+ struct msghdr msg;
+ struct iovec iov;
+ struct {
+ struct cmsghdr hdr;
+ int fd;
+ } control;
+
+ ssize_t bytesSent;
+
+ control.hdr.cmsg_len = sizeof(control);
+ control.hdr.cmsg_level = SOL_SOCKET;
+ control.hdr.cmsg_type = SCM_RIGHTS;
+ control.fd = fdtowrite;
+
+ iov.iov_base = (char *)&kDummyData;
+ iov.iov_len = sizeof(kDummyData);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = (caddr_t) &control;
+ msg.msg_controllen = control.hdr.cmsg_len;
+ msg.msg_flags = 0;
+
+ bytesSent = sendmsg(fd, &msg, 0);
+ if (bytesSent == sizeof(kDummyData)) {
+ err = 0;
+ }
+
+ if(!err) {
+ /* wait for acknowlegement from the daemon */
+ err = read(fd, &ack, sizeof(ack));
+ if (!err && ack != kAcknowledgement) {
+ err = -1;
+ }
+ }
+
+ return err;
+}
+
+/* ======================================================================= */
+/* DAEMON - receive a file descriptor over file descriptor fd */
+
+static int
+receive_fd(int fd)
+{
+ int ack = kAcknowledgement;
+
+ int fd_acquired = -1;
+
+ struct msghdr msg;
+ struct iovec iov;
+ struct {
+ struct cmsghdr hdr;
+ int fd;
+ } control;
+
+ char dummyData;
+ ssize_t bytesReceived;
+
+ iov.iov_base = (char *) &dummyData;
+ iov.iov_len = sizeof(dummyData);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = (caddr_t) &control;
+ msg.msg_controllen = sizeof(control);
+ msg.msg_flags = MSG_WAITALL;
+
+ bytesReceived = recvmsg(fd, &msg, 0);
+ if (bytesReceived != sizeof(dummyData)) {
+ return -1;
+ }
+
+ if ((dummyData != kDummyData)
+ || (msg.msg_flags != 0)
+ || (msg.msg_control == NULL)
+ || (msg.msg_controllen != sizeof(control))
+ || (control.hdr.cmsg_len != sizeof(control))
+ || (control.hdr.cmsg_level != SOL_SOCKET)
+ || (control.hdr.cmsg_type != SCM_RIGHTS)
+ || (control.fd < 0) ) {
+ return -1;
+ } else {
+ fd_acquired = control.fd;
+ }
+
+ /* daemon now has the socket - wakeup the helper */
+ if (write(fd, &ack, sizeof(ack)) != sizeof(ack)) {
+ return -1;
+ }
+ return fd_acquired;
+}
+
+/* ======================================================================= */
+
+/* HELPER - read daemon request from the fd */
+
+static int
+readrequest(int fd, priv_request_t *req)
+{
+ int op;
+ int size;
+ int nbytes;
+
+ nbytes = read(fd, &op, sizeof(op));
+ if (nbytes < sizeof(op)) {
+ return -1;
+ }
+ nbytes = read(fd, &size, sizeof(size));
+ if (nbytes < sizeof(size)) {
+ return -1;
+ }
+ nbytes = read(fd, req->args, size);
+ if (nbytes < size) {
+ return -1;
+ }
+ req->op = op;
+ req->arg_size = size;
+
+ return size;
+}
+
+/* ======================================================================= */
+
+/* HELPER - send response to the fd */
+
+static int
+sendresponse(int fd, const priv_response_t *res)
+{
+ int nbytes;
+ int size;
+
+ size = (int)sizeof(priv_response_t) - (int)sizeof(res->response) + res->res_size;
+ nbytes = write(fd, res, size);
+ if (nbytes != size) {
+ /* something bad happened */
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform adjtime() */
+
+static int
+do_adjtime(int fd, const struct timeval *delta)
+{
+ int rc;
+ struct timeval olddelta;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = adjtime(delta, &olddelta);
+ res.rc = rc;
+ if (rc != 0) {
+ /* save errno for use by the daemon */
+ res.res_errno = errno;
+ } else {
+ res.res_size = sizeof(struct timeval);
+ memcpy(res.response, &olddelta, sizeof(struct timeval));
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform settimeofday() */
+
+static int
+do_settimeofday(int fd, const struct timeval *tv, const struct timezone *tz)
+{
+ int rc;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = settimeofday(tv, tz);
+ res.rc = rc;
+ if (rc != 0) {
+ /* save errno for use by the daemon */
+ res.res_errno = errno;
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - bind reserved port to a socket */
+static int
+do_bind_socket(int fd, int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len)
+{
+ int sock;
+ int rc;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+
+ sock = NIO_bind_socket(family, port_number, client_only, sa, sa_len);
+
+ if (sock < 0) {
+ res.rc = -1;
+ res.res_errno = errno;
+ return sendresponse(fd, &res);
+ }
+
+ res.res_size = sizeof(sock);
+ memcpy(res.response, &sock, sizeof(sock));
+ rc = sendresponse(fd, &res);
+ if (rc != 0) {
+ return rc;
+ }
+
+ rc = send_fd(fd, sock);
+
+ /* socket belongs to the daemon now so is closed in the helper */
+ close(sock);
+ return rc;
+}
+
+/* ======================================================================= */
+
+/* HELPER - main loop - action requests from the daemon */
+
+static void
+runhelper(int fd)
+{
+ priv_request_t req;
+
+ while (1) {
+ int nbytes;
+
+ nbytes = readrequest(fd, &req);
+ if (nbytes < 0) {
+ /* read error or closed input - we cannot recover - give up */
+ return;
+ }
+ switch (req.op) {
+ default:
+ LOG_FATAL(LOGF_Priv, "Unexpected operator : %d", req.op);
+ break;
+
+ case op_ADJTIME:
+ if (nbytes == sizeof(struct timeval)) {
+ do_adjtime(fd, (struct timeval *)req.args);
+ } else if (nbytes == 0) {
+ /* cannot be triggered on MacOS X */
+ do_adjtime(fd, NULL);
+ }
+ break;
+
+ case op_SETTIMEOFDAY:
+ if (nbytes == sizeof(struct timeval)) {
+ do_settimeofday(fd, (struct timeval *)req.args, NULL);
+ } else if (nbytes == sizeof(struct timeval) + sizeof(struct timezone)) {
+ /* this is probably never triggered - added for completeness */
+ struct timezone *tz = (struct timezone *)(req.args + sizeof(struct timeval));
+ do_settimeofday(fd, (struct timeval *)req.args, tz);
+ }
+ break;
+
+ case op_BINDSOCKET:
+ {
+ int family;
+ int port_number;
+ int client_only;
+ struct sockaddr *sa = NULL;
+ char *argp = req.args;
+ socklen_t sa_len = req.arg_size;
+
+ memcpy(&family, argp, sizeof(family));
+ argp += sizeof(family);
+ sa_len -= sizeof(family);
+
+ memcpy(&port_number, argp, sizeof(port_number));
+ argp += sizeof(port_number);
+ sa_len -= sizeof(port_number);
+
+ memcpy(&client_only, argp, sizeof(client_only));
+ argp += sizeof(client_only);
+ sa_len -= sizeof(client_only);
+
+ if (sa_len > 0) {
+ sa = (struct sockaddr *)argp;
+ }
+ do_bind_socket(fd, family, port_number, client_only, sa, sa_len);
+ }
+ break;
+ }
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - read helper response from fd */
+
+static int
+readresponse(int fd, priv_response_t *res)
+{
+ int nbytes;
+
+ nbytes = read(fd, res, sizeof(priv_response_t));
+ if (nbytes <= 0) {
+ LOG_FATAL(LOGF_Priv, "Error reading from helper fd : %s", strerror(errno));
+ }
+
+ /* if operation failed in the helper, set errno so daemon can print log message */
+ if (res->rc != 0) {
+ errno = res->res_errno;
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - send daemon request to fd */
+
+static int
+sendrequest(int fd, const priv_request_t *req)
+{
+ int size;
+ int nbytes;
+
+ size = (int)sizeof(priv_request_t) - (int)sizeof(req->args) + req->arg_size;
+ nbytes = write(fd, req, size);
+ if (nbytes != size) {
+ LOG_FATAL(LOGF_Priv, "Error writing to helper fd : %s", strerror(errno));
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request socket bound to reserved port */
+
+int
+PRV_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len)
+{
+ int sock = -1;
+ priv_request_t req;
+ priv_response_t res;
+ int helper_sock;
+ char *argp;
+
+ /* dont use helper if port is not reserved */
+ if (port_number == 0 || port_number >= 1024) {
+ return NIO_bind_socket(family, port_number, client_only, sa, sa_len);
+ }
+
+ /* helper will create a socket and bind it to the specified port */
+ argp = req.args;
+
+ req.op = op_BINDSOCKET;
+ req.arg_size = sizeof(family);
+ memcpy(argp, &family, sizeof(family));
+ argp += sizeof(family);
+
+ req.arg_size += sizeof(port_number);
+ memcpy(argp, &port_number, sizeof(port_number));
+ argp += sizeof(port_number);
+
+ req.arg_size += sizeof(client_only);
+ memcpy(argp, &client_only, sizeof(client_only));
+ argp += sizeof(client_only);
+
+ if (sa_len > 0) {
+ req.arg_size += sa_len;
+ memcpy(argp, sa, sa_len);
+ argp += sa_len;
+ }
+
+ if (sendrequest(fd_unix, &req) != 0) {
+ return -1;
+ }
+
+ if (readresponse(fd_unix, &res) != 0) {
+ /* something bad happened */
+ return -1;
+ }
+
+ /* helper has returned value of its socket descriptor which implies */
+ /* successful preparation */
+ if (res.res_size != sizeof(helper_sock)) {
+ return -1;
+ }
+ memcpy(&helper_sock, res.response, sizeof(helper_sock));
+
+ /* wait for cloned socket from the helper */
+ sock = receive_fd(fd_unix);
+ return sock;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request adjtime() */
+
+int
+PRV_adjtime(const struct timeval *delta, struct timeval *olddelta)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ req.op = op_ADJTIME;
+ req.arg_size = 0;
+
+ if (delta) {
+ req.arg_size = sizeof(struct timeval);
+ memcpy(req.args, delta, sizeof(struct timeval));
+ }
+
+ if (sendrequest(fd_unix, &req) != 0) {
+ return -1;
+ }
+
+ if (readresponse(fd_unix, &res) != 0) {
+ /* something bad happened */
+ return -1;
+ }
+
+ if (res.res_size != sizeof(struct timeval)) {
+ return -1;
+ }
+ if (olddelta) {
+ memcpy(olddelta, res.response, sizeof(struct timeval));
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request settimeofday() */
+
+int
+PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ req.op = op_SETTIMEOFDAY;
+ req.arg_size = sizeof(struct timeval);
+ memcpy(req.args, tp, sizeof(struct timeval));
+
+ if (tzp) {
+ req.arg_size += sizeof(struct timezone);
+ memcpy(req.args + sizeof(struct timeval), tzp, sizeof(struct timezone));
+ }
+
+ if (sendrequest(fd_unix, &req) != 0) {
+ return -1;
+ }
+
+ if (readresponse(fd_unix, &res) != 0) {
+ /* something bad happened */
+ return -1;
+ }
+
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - setup socket(s) then fork to run the helper */
+/* must be called before privileges are dropped */
+
+void
+PRV_start(void)
+{
+ pid_t pid;
+ int sock_pair[2];
+
+ if (fd_unix >= 0) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, helper is already running");
+ }
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock_pair) != 0) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, socketpair() failed : %s", strerror(errno));
+ }
+
+ pid = fork();
+ if (pid == -1) {
+ LOG_FATAL(LOGF_Priv, "PRV_start, fork failed : %s", strerror(errno));
+ }
+
+ if (pid == 0) {
+ /* child process */
+ close(sock_pair[0]);
+ runhelper(sock_pair[1]);
+ close(sock_pair[1]);
+ exit(0);
+
+ } else {
+ /* parent process */
+ close(sock_pair[1]);
+ fd_unix = sock_pair[0];
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - graceful shutdown of the helper */
+
+void
+PRV_stop(void)
+{
+ int status;
+ close(fd_unix);
+ fd_unix = -1;
+ wait(&status);
+}
+
+#endif
diff --git a/privops.h b/privops.h
new file mode 100644
index 0000000..fce5e8f
--- /dev/null
+++ b/privops.h
@@ -0,0 +1,38 @@
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ Perform privileged operations over a unix socket to a privileged fork.
+
+*/
+
+#ifndef _PRIVOPS_H_
+#define _PRIVOPS_H_
+
+int PRV_bind_socket(int family, int port_number, int client_only, struct sockaddr *sa, socklen_t sa_len);
+int PRV_adjtime(const struct timeval *delta, struct timeval *olddelta);
+int PRV_settimeofday(const struct timeval *tp, const struct timezone *tzp);
+
+void PRV_start(void);
+void PRV_stop(void);
+
+#endif
\ No newline at end of file
diff --git a/sys.c b/sys.c
index 4009796..f3844c6 100644
--- a/sys.c
+++ b/sys.c
@@ -92,6 +92,8 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
SYS_Linux_DropRoot(uid, gid);
#elif defined(NETBSD) && defined(FEAT_PRIVDROP)
SYS_NetBSD_DropRoot(uid, gid);
+#elif defined(MACOSX) && defined(FEAT_PRIVDROP)
+ SYS_MacOSX_DropRoot(uid, gid);
#else
LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
#endif
diff --git a/sys_macosx.c b/sys_macosx.c
index 200b62c..bc8824f 100644
--- a/sys_macosx.c
+++ b/sys_macosx.c
@@ -48,8 +48,10 @@
#include "sys_macosx.h"
#include "localp.h"
+#include "ntp_io.h"
#include "sched.h"
#include "logging.h"
+#include "privops.h"
#include "util.h"
/* ================================================== */
@@ -96,6 +98,11 @@ static struct timeval Tdrift;
#define NANOS_PER_MSEC (1000000ULL)
+/* use native adjtime and settimeofday when running as root */
+static int drop_priv = 0;
+static int (*sys_adjtime)(const struct timeval *, struct timeval *) = adjtime;
+static int (*sys_settimeofday)(const struct timeval *, const struct timezone *) = settimeofday;
+
/* ================================================== */
static void
@@ -117,7 +124,7 @@ clock_initialise(void)
newadj.tv_sec = 0;
newadj.tv_usec = 0;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (sys_adjtime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
}
@@ -169,7 +176,7 @@ start_adjust(void)
UTI_TimevalToDouble(&newadj, &adjustment_requested);
rounding_error = adjust_required - adjustment_requested;
- if (adjtime(&newadj, &oldadj) < 0) {
+ if (sys_adjtime(&newadj, &oldadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
@@ -193,7 +200,7 @@ stop_adjust(void)
zeroadj.tv_sec = 0;
zeroadj.tv_usec = 0;
- if (adjtime(&zeroadj, &remadj) < 0) {
+ if (sys_adjtime(&zeroadj, &remadj) < 0) {
LOG_FATAL(LOGF_SysMacOSX, "adjtime() failed");
}
@@ -244,7 +251,7 @@ apply_step_offset(double offset)
UTI_AddDoubleToTimeval(&old_time, -offset, &new_time);
- if (settimeofday(&new_time, NULL) < 0) {
+ if (sys_settimeofday(&new_time, NULL) < 0) {
DEBUG_LOG(LOGF_SysMacOSX, "settimeofday() failed");
return 0;
}
@@ -427,8 +434,36 @@ SYS_MacOSX_Finalise(void)
}
clock_finalise();
+ if (drop_priv) {
+ PRV_stop();
+
+ NIO_setup_priv_helper(0);
+ }
}
/* ================================================== */
+void
+SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+{
+ PRV_start();
+
+ if (setgroups(0, NULL))
+ LOG_FATAL(LOGF_SysMacOSX, "setgroups() failed : %s", strerror(errno));
+
+ if (setgid(gid))
+ LOG_FATAL(LOGF_SysMacOSX, "setgid(%d) failed : %s", gid, strerror(errno));
+
+ if (setuid(uid))
+ LOG_FATAL(LOGF_SysMacOSX, "setuid(%d) failed : %s", uid, strerror(errno));
+
+ DEBUG_LOG(LOGF_SysMacOSX, "Root dropped to uid %d gid %d", uid, gid);
+
+ /* use privileged helper functions */
+ sys_adjtime = PRV_adjtime;
+ sys_settimeofday = PRV_settimeofday;
+ NIO_setup_priv_helper(1);
+ drop_priv = 1;
+}
+
#endif
diff --git a/sys_macosx.h b/sys_macosx.h
index 707700d..64be5e7 100644
--- a/sys_macosx.h
+++ b/sys_macosx.h
@@ -33,5 +33,6 @@
void SYS_MacOSX_SetScheduler(int SchedPriority);
void SYS_MacOSX_Initialise(void);
void SYS_MacOSX_Finalise(void);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
#endif
--
2.4.9 (Apple Git-60)
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.