Re: [chrony-dev] [PATCH] MacOSX - Drop root privileges
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] [PATCH] MacOSX - Drop root privileges
- From: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Date: Thu, 5 Nov 2015 21:57:45 +1300
> On 5/11/2015, at 8:31 PM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
>
> On Thu, Nov 05, 2015 at 06:02:14PM +1300, Bryan Christianson wrote:
>> PRV_BindSocket() has to create the socket, unless we create the socket in the daemon, pass it in, bind() and then send it back. I'm not sure sending the socket in 2 directions is a good idea. That's why I call nio_bind_socket() from the privileged helper rather than just factoring out the call to bind().
>
> Hm, why would the descriptor need to be sent back from the helper
> after binding? If possible I'd rather keep the creation of the socket
> in the main process and send it to the helper just for the binding
> operation.
OK - I'll try this and let you know how it goes.
>>> I'd rather see the selection between making a call to the privileged
>>> process or calling the function directly in PRV_BindSocket() and
>>> ntp_io.c always calling that function.
>>
>> Should the code I factored out in ntp_io.c as nio_bind_socket() be moved to privops.c ? I had thought it was better to leave it where it was and just expose it through PRV_bind_socket.
>
> If it's really not possible to have a privileged call that binds only
> and does nothing else, then I guess yes, the code would be easier to
> read I think. But the function name would need to be different, it
> does much more than just binding.
Let's see if I can get bind(socket_from_parent, ...) to work first.
>
>> We do have the case where some of the function arguments are optionally NULL (adjtime() and settimeofday()). Currently I set up a single operator for each function call, but maybe I should use a separate operator for each combination of args. The union for adjtime would then have either one or two struct timeval members.
>>
>> e.g.
>> op_ADJTIME_first ==> adjtime(tv, NULL);
>> op_ADJTIME_second ==> adjtime(NULL, res); // not on MacOS - it segfaults
>> op_ADJTIME_both ==> adjtime(tv, res);
>
> Would the second form need to be run in the helper? I think at least
> on Linux it doesn't require root privileges as it's a read-only
> operation. The first one is a special case of the third, so I'd just
> add one operator for the third case and ignore the result if the
> caller passed NULL.
Second case is not relevant to MacOS so I'll leave it for now and implement it if it is actually required.
>
>> and similarly for settimeofday();
>
> I think it's perfectly fine to support only the case when tv is not
> NULL and tz is NULL.
>
> You can add assert() calls for the unsupported cases to make it clear
> they are not supported and abort cleanly if some code tries to use
> them.
Cool - that makes life easier :)
Thanks for your help
--
Bryan
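The descriptor-passing arrangement Miroslav suggests above (create the socket in the daemon, hand it to the helper only for the bind() call), written out in C as an added example; this is not chrony's code and not the patch under discussion. It assumes a Unix socketpair as the control channel, a single OP_BIND operator, and hypothetical names (start_helper, prv_bind_socket, demo_bind_via_helper); the sample input (a UDP socket bound to 127.0.0.1:0) is constructed. The point it shows is why nothing has to come back: SCM_RIGHTS delivers a duplicate descriptor referring to the same open socket, so the helper's bind() is visible through the daemon's own descriptor.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { OP_BIND = 1 };                               /* one operator per privileged call */
struct bind_req  { int op; socklen_t addrlen; struct sockaddr_storage addr; };
struct bind_resp { int rc; int err; };              /* bind() result and its errno */

/* Fill in a msghdr carrying req (payload) and room for one fd (ancillary data). */
static void setup_msg(struct msghdr *msg, struct iovec *iov, void *req, size_t len,
                      void *cbuf, size_t clen)
{
    memset(msg, 0, sizeof *msg); memset(cbuf, 0, clen);
    iov->iov_base = req; iov->iov_len = len;
    msg->msg_iov = iov; msg->msg_iovlen = 1;
    msg->msg_control = cbuf; msg->msg_controllen = clen;
}

/* Daemon -> helper: the request plus a duplicate of the socket descriptor. */
static int send_req(int chan, struct bind_req *req, int fd)
{
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov; struct msghdr msg; struct cmsghdr *c;
    setup_msg(&msg, &iov, req, sizeof *req, u.buf, sizeof u.buf);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == (ssize_t)sizeof *req ? 0 : -1;
}

/* Helper side: -1 on EOF, short read, or a message that carries no SCM_RIGHTS fd. */
static int recv_req(int chan, struct bind_req *req, int *fd)
{
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov; struct msghdr msg; struct cmsghdr *c;
    setup_msg(&msg, &iov, req, sizeof *req, u.buf, sizeof u.buf);
    if (recvmsg(chan, &msg, 0) != (ssize_t)sizeof *req) return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(fd, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* Privileged loop: validate every field of the request before acting on it. */
static void helper_loop(int chan)
{
    struct bind_req req; struct bind_resp resp; int fd;
    while (recv_req(chan, &req, &fd) == 0) {
        resp.rc = -1; resp.err = EINVAL;
        if (req.op == OP_BIND && req.addrlen <= sizeof req.addr &&
            (req.addr.ss_family == AF_INET || req.addr.ss_family == AF_INET6)) {
            resp.rc = bind(fd, (struct sockaddr *)&req.addr, req.addrlen);
            resp.err = resp.rc < 0 ? errno : 0;
        }
        close(fd);                      /* drop our duplicate; the daemon keeps its own */
        if (write(chan, &resp, sizeof resp) != (ssize_t)sizeof resp) break;
    }
}

/* Fork the helper (in a real daemon it keeps root while the parent drops it); returns the daemon's channel end. */
int start_helper(void)
{
    int sv[2]; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); helper_loop(sv[1]); _exit(0); }
    close(sv[1]);
    return sv[0];
}

/* Unprivileged side, the shape of a bind-only PRV_BindSocket(): same contract as bind(). */
int prv_bind_socket(int chan, int sock, const struct sockaddr *addr, socklen_t len)
{
    struct bind_req req; struct bind_resp resp;
    if (len > sizeof req.addr) { errno = EINVAL; return -1; }
    memset(&req, 0, sizeof req);
    req.op = OP_BIND; req.addrlen = len; memcpy(&req.addr, addr, len);
    if (send_req(chan, &req, sock) < 0) return -1;
    if (read(chan, &resp, sizeof resp) != (ssize_t)sizeof resp) { errno = EIO; return -1; }
    if (resp.rc < 0) { errno = resp.err; return -1; }
    return 0;
}

/* Constructed demo: bind a UDP socket to 127.0.0.1:0 through the helper and return the
 * port the kernel chose as seen through the daemon's own descriptor, or -1. */
int demo_bind_via_helper(void)
{
    int chan = start_helper(), sock = -1, port = -1;
    struct sockaddr_in sin, got; socklen_t gl = sizeof got;
    if (chan < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) >= 0 &&
        prv_bind_socket(chan, sock, (struct sockaddr *)&sin, sizeof sin) == 0 &&
        getsockname(sock, (struct sockaddr *)&got, &gl) == 0)
        port = ntohs(got.sin_port);
    close(chan); close(sock); wait(NULL);   /* EOF on the channel ends the helper */
    return port;
}
```

Two details matter for the security of this shape. The helper treats the request as untrusted input: it checks the operator, the address length and the address family before calling bind(), and a privileged helper in a real daemon would tighten that further (for instance only allowing the ports and families the configuration asks for), because the unprivileged process is exactly the one an attacker controls after a compromise. And the helper never returns the descriptor: it closes its duplicate after the call, so the only thing crossing the boundary back is the result and errno, which is what makes the one-way design cheaper to reason about than the round trip Bryan was worried about.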