| [chrony-dev] [PATCH] Privilege Separation - Add helper process |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] [PATCH] Privilege Separation - Add helper process
- From: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Date: Sat, 7 Nov 2015 07:33:00 +1300
- Cc: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Message-Id:Date: Subject:To:From; bh=Kdlt/HUxR1hAnhplvD946Oy5Sh2Wv6FQ6cERasUxuk4=; b=s3pYmGt+q yGRLWYdiy6+lpdgBXOWzKGhhXz8v4bNDlk/aq8TUzbswXxrFMJUA6KkmOkT//Rcv7jQ6H8cCnY2sj SqdHbl6rOq3BuLXwGb5mcPEpfG7mCQA3yU/re6kqPL08wB8ugVRN65jwb1eAt/XEFw2YJJnSSNagx g2NUB5q8HkbReZK4JLJK7DYbpAaEKxafOo5CL84xIAUAL6N6ytT5fg0J0dybdYr0yIp6qdy4nJcAm w3yyUY7o736c0kgzlNiOVq6rC4Watnqz+t5bWvn5qVNtYyEvvMtq9BnGwdTo7Jm6LV7NA5NF+BvVB m9/WoX1arVPxh9MHYJ2wUBW1w==;
- Feedback-id: 149811m:149811acx33YQ:149811sQ5mGNHpUA:SMTPCORP
Privileged helper that will perform adjtime(), settimeofday(), bind() on
behalf of chronyd when running as non-root user.
---
Makefile.in | 2 +-
logging.h | 1 +
privops.c | 598 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
privops.h | 48 +++++
4 files changed, 648 insertions(+), 1 deletion(-)
create mode 100644 privops.c
create mode 100644 privops.h
diff --git a/Makefile.in b/Makefile.in
index 6ac0c9e..374d565 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -38,7 +38,7 @@ DESTDIR=
HASH_OBJ = @HASH_OBJ@
-OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o \
+OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o privops.o \
reference.o regress.o rtc.o sched.o sources.o sourcestats.o stubs.o \
sys.o smooth.o tempcomp.o util.o $(HASH_OBJ)
diff --git a/logging.h b/logging.h
index b480c42..3f24b21 100644
--- a/logging.h
+++ b/logging.h
@@ -100,6 +100,7 @@ typedef enum {
LOGF_Keys,
LOGF_Logging,
LOGF_Nameserv,
+ LOG_PrivOps,
LOGF_Rtc,
LOGF_Regress,
LOGF_Sys,
diff --git a/privops.c b/privops.c
new file mode 100644
index 0000000..0b9785b
--- /dev/null
+++ b/privops.c
@@ -0,0 +1,598 @@
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ Perform privileged operations over a unix socket to a privileged fork.
+
+*/
+#include "config.h"
+#if defined(FEAT_PRIVHELPER)
+
+#include "sysincl.h"
+#include "conf.h"
+#include "logging.h"
+#include "privops.h"
+#include "util.h"
+
+#define op_ADJTIME 1024
+#define op_SETTIMEOFDAY 1025
+#define op_BINDSOCKET 1026
+
+union sockaddr_in46 {
+ struct sockaddr_in in4;
+#ifdef FEAT_IPV6
+ struct sockaddr_in6 in6;
+#endif
+ struct sockaddr u;
+};
+
+typedef struct {
+ struct timeval tv;
+} req_adjust;
+
+typedef struct {
+ struct timeval tv;
+} req_settime;
+
+typedef struct {
+ socklen_t sa_len;
+ union sockaddr_in46 sa;
+} req_sockaddr;
+
+/* daemon request struct */
+typedef struct {
+ int op;
+ union {
+ req_adjust adj_tv;
+ req_settime settime_tv;
+ req_sockaddr sa;
+ } u;
+} priv_request_t;
+
+typedef struct {
+ struct timeval tv;
+} res_adjust;
+
+/* helper response struct */
+typedef struct {
+ int rc;
+ int res_errno;
+ union { /* make it a union so other functions can be added in future */
+ res_adjust adj_tv;
+ } u;
+} priv_response_t;
+
+static int fd_unix = -1;
+
+static inline int
+havehelper(void)
+{
+ return fd_unix >= 0;
+}
+
+/* ======================================================================= */
+
+/* send a file descriptor over a a unix socket */
+
+static const char kDummyData = 'D';
+static const int kAcknowledgement = 'chrn';
+
+static int
+send_fd(int fd, int fdtowrite)
+{
+ int ack;
+ int err = -1;
+ int nbytes;
+
+ struct msghdr msg;
+ struct iovec iov;
+ struct {
+ struct cmsghdr hdr;
+ int fd;
+ } control;
+
+ ssize_t bytesSent;
+
+ control.hdr.cmsg_len = sizeof(control);
+ control.hdr.cmsg_level = SOL_SOCKET;
+ control.hdr.cmsg_type = SCM_RIGHTS;
+ control.fd = fdtowrite;
+
+ iov.iov_base = (char *)&kDummyData;
+ iov.iov_len = sizeof(kDummyData);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = (caddr_t) &control;
+ msg.msg_controllen = control.hdr.cmsg_len;
+ msg.msg_flags = 0;
+
+ bytesSent = sendmsg(fd, &msg, 0);
+ if (bytesSent == sizeof(kDummyData)) {
+ err = 0;
+ }
+
+ if(!err) {
+ /* wait for acknowlegement from the receiver */
+ nbytes = read(fd, &ack, sizeof(ack));
+ if (nbytes != sizeof(ack)) {
+ return -1;
+ }
+ if (ack != kAcknowledgement) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* ======================================================================= */
+/* receive a file descriptor over file descriptor fd */
+
+static int
+receive_fd(int fd)
+{
+ int ack = kAcknowledgement;
+
+ int fd_acquired = -1;
+
+ struct msghdr msg;
+ struct iovec iov;
+ struct {
+ struct cmsghdr hdr;
+ int fd;
+ } control;
+
+ char dummyData;
+ ssize_t bytesReceived;
+
+ iov.iov_base = (char *) &dummyData;
+ iov.iov_len = sizeof(dummyData);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = (caddr_t) &control;
+ msg.msg_controllen = sizeof(control);
+ msg.msg_flags = MSG_WAITALL;
+
+ bytesReceived = recvmsg(fd, &msg, 0);
+ if (bytesReceived != sizeof(dummyData)) {
+ return -1;
+ }
+
+ if ((dummyData != kDummyData)
+ || (msg.msg_flags != 0)
+ || (msg.msg_control == NULL)
+ || (msg.msg_controllen != sizeof(control))
+ || (control.hdr.cmsg_len != sizeof(control))
+ || (control.hdr.cmsg_level != SOL_SOCKET)
+ || (control.hdr.cmsg_type != SCM_RIGHTS)
+ || (control.fd < 0) ) {
+ return -1;
+ } else {
+ fd_acquired = control.fd;
+ }
+
+ /* receiver now has the socket - wakeup the sender */
+ if (write(fd, &ack, sizeof(ack)) != sizeof(ack)) {
+ return -1;
+ }
+ return fd_acquired;
+}
+
+/* ======================================================================= */
+
+/* HELPER - read daemon request from the fd */
+
+static int
+readrequest(int fd, priv_request_t *req)
+{
+ int nbytes;
+
+ nbytes = read(fd, req, sizeof(priv_request_t));
+ if (nbytes < sizeof(priv_request_t)) {
+ return -1;
+ }
+ return nbytes;
+}
+
+/* ======================================================================= */
+
+/* HELPER - send response to the fd */
+
+static int
+sendresponse(int fd, const priv_response_t *res)
+{
+ int nbytes;
+ nbytes = write(fd, res, sizeof(priv_response_t));
+ if (nbytes != sizeof(priv_response_t)) {
+ /* something bad happened */
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform adjtime() */
+
+static int
+do_adjtime(int fd, const struct timeval *delta)
+{
+ int rc;
+ struct timeval olddelta;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = adjtime(delta, &olddelta);
+ res.rc = rc;
+ if (rc != 0) {
+ /* save errno for use by the daemon */
+ res.res_errno = errno;
+ } else {
+ res.u.adj_tv.tv = olddelta;
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - perform settimeofday() */
+
+static int
+do_settimeofday(int fd, const struct timeval *tv, const struct timezone *tz)
+{
+ int rc;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = settimeofday(tv, tz);
+ res.rc = rc;
+ if (rc != 0) {
+ /* save errno for use by the daemon */
+ res.res_errno = errno;
+ }
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - bind reserved port to a socket */
+static int
+do_bindsocket(int fd, int sock, const struct sockaddr *sa, socklen_t sa_len)
+{
+ int rc;
+ priv_response_t res;
+
+ memset(&res, 0, sizeof(res));
+ rc = bind(sock, sa, sa_len);
+
+ res.rc = rc;
+ res.res_errno = errno;
+ return sendresponse(fd, &res);
+}
+
+/* ======================================================================= */
+
+/* HELPER - main loop - action requests from the daemon */
+
+static void
+helpermain(int fd)
+{
+ priv_request_t req;
+
+ while (1) {
+ int nbytes;
+
+ nbytes = readrequest(fd, &req);
+ if (nbytes < 0) {
+ /* read error or closed input - we cannot recover - give up */
+ return;
+ }
+ switch (req.op) {
+ default:
+ LOG_FATAL(LOG_PrivOps, "Unexpected operator : %d", req.op);
+ break;
+
+ case op_ADJTIME:
+ do_adjtime(fd, &req.u.adj_tv.tv);
+ break;
+
+ case op_SETTIMEOFDAY:
+ do_settimeofday(fd, &req.u.settime_tv.tv, NULL);
+ break;
+
+ case op_BINDSOCKET:
+ {
+ priv_response_t res;
+ int sock;
+
+ struct sockaddr *sa = &req.u.sa.sa.u;
+ socklen_t sa_len = req.u.sa.sa_len;
+
+ // wakeup the daemon then wait for a socket descriptor
+ memset(&res, 0, sizeof(res));
+ sendresponse(fd, &res);
+
+ sock = receive_fd(fd);
+
+ do_bindsocket(fd, sock, sa, sa_len);
+ }
+ break;
+ }
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - read helper response from fd */
+
+static int
+readresponse(int fd, priv_response_t *res)
+{
+ int nbytes;
+
+ nbytes = read(fd, res, sizeof(priv_response_t));
+ if (nbytes <= 0) {
+ LOG_FATAL(LOG_PrivOps, "Error reading from helper fd : %s", strerror(errno));
+ }
+
+ /* if operation failed in the helper, set errno so daemon can print log message */
+ if (res->rc != 0) {
+ errno = res->res_errno;
+ return -1;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - send daemon request to fd */
+
+static int
+sendrequest(int fd, const priv_request_t *req)
+{
+ int nbytes;
+
+ nbytes = write(fd, req, sizeof(priv_request_t));
+ if (nbytes != sizeof(priv_request_t)) {
+ LOG_FATAL(LOG_PrivOps, "Error writing to helper fd : %s", strerror(errno));
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - send daemon request to fd and wait for response */
+
+static int
+sendtohelper(int fd, const priv_request_t *req, priv_response_t *res)
+{
+
+ if (sendrequest(fd, req) != 0) {
+ return -1;
+ }
+
+ return readresponse(fd, res);
+}
+
+/* ======================================================================= */
+/* validate address in case some bad guy is tring to get to a privileged port */
+
+static int
+getportfromaddress(const struct sockaddr *address, socklen_t address_len, int *ip_port)
+{
+ int port = 0;
+ int len = 0;
+
+ *ip_port = 0;
+
+ switch(address->sa_family) {
+ default:
+ /* unsupported address family */
+ return 0;
+
+ case AF_INET:
+ len = sizeof(struct sockaddr_in);
+ port = ntohs(((struct sockaddr_in *)address)->sin_port);
+ break;
+
+#ifdef FEAT_IPV6
+ case AF_INET6:
+ len = sizeof(struct sockaddr_in6);
+ port = ntohs(((struct sockaddr_in6 *)address)->sin6_port);
+ break;
+#endif
+ }
+
+ if (len != address_len) {
+ return 0;
+ }
+
+ if (port != 0 && port != CNF_GetNTPPort()) {
+ return 0;
+ }
+
+ *ip_port = port;
+ return 1;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - bind socket to reserved port */
+
+int
+PRV_BindSocket(int sock, const struct sockaddr *address, socklen_t address_len)
+{
+ priv_request_t req;
+ priv_response_t res;
+ int port;
+
+ if (!getportfromaddress(address, address_len, &port)) {
+ LOG_FATAL(LOG_PrivOps, "PRV_BindSocket, invalid socket address");
+ }
+
+ if (!havehelper() || port == 0 || port >= 1024) {
+ /* dont use the helper if not required */
+ return bind(sock, address, address_len);
+ }
+
+ req.op = op_BINDSOCKET;
+ req.u.sa.sa_len = address_len;
+ memcpy(&req.u.sa.sa.u, address, address_len);
+
+ if (sendtohelper(fd_unix, &req, &res) != 0) {
+ // something went wrong sending the sockaddr
+ return -1;
+ }
+
+ // helper is now waiting for the socket
+ if (send_fd(fd_unix, sock) != 0) {
+ return -1;
+ }
+
+ // helper has attempted bind() and returned result
+ return readresponse(fd_unix, &res);
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request adjtime() */
+
+int
+PRV_AdjustTime(const struct timeval *delta, struct timeval *olddelta)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ if (!havehelper() || delta == NULL) {
+ /* helper is not running or read adjustment call */
+ return adjtime(delta, olddelta);
+ }
+
+ req.op = op_ADJTIME;
+ req.u.adj_tv.tv = *delta;
+
+ if (sendtohelper(fd_unix, &req, &res) != 0) {
+ return -1;
+ }
+
+ if (olddelta) {
+ *olddelta = res.u.adj_tv.tv;
+ }
+ return 0;
+}
+
+/* ======================================================================= */
+
+/* DAEMON - request settimeofday() */
+
+int
+PRV_SetTime(const struct timeval *tp, const struct timezone *tzp)
+{
+ priv_request_t req;
+ priv_response_t res;
+
+ /* only support setting the time */
+ assert(tp != NULL);
+ assert(tzp == NULL);
+
+ if (!havehelper()) {
+ /* helper is not running - this will fail if not privileged */
+ return settimeofday(tp, NULL);
+ }
+
+ req.op = op_SETTIMEOFDAY;
+ req.u.settime_tv.tv = *tp;
+
+ return sendtohelper(fd_unix, &req, &res);
+}
+
+/* ======================================================================= */
+
+/* DAEMON - setup socket(s) then fork to run the helper */
+/* must be called before privileges are dropped */
+
+void
+PRV_Start(void)
+{
+ pid_t pid;
+ int sock_pair[2];
+
+ if (havehelper()) {
+ LOG_FATAL(LOG_PrivOps, "PRV_start, helper is already running");
+ }
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock_pair) != 0) {
+ LOG_FATAL(LOG_PrivOps, "PRV_start, socketpair() failed : %s", strerror(errno));
+ }
+
+ UTI_FdSetCloexec(sock_pair[0]);
+ UTI_FdSetCloexec(sock_pair[1]);
+
+ pid = fork();
+ if (pid == -1) {
+ LOG_FATAL(LOG_PrivOps, "PRV_start, fork failed : %s", strerror(errno));
+ }
+
+ if (pid == 0) {
+ /* child process */
+ int fd;
+ close(sock_pair[0]);
+
+ /* close other descriptors inherited from the parent process */
+ for (fd = 0; fd < 1024; fd++) {
+ if (fd != sock_pair[1]) {
+ close(fd);
+ }
+ }
+
+ helpermain(sock_pair[1]);
+
+ close(sock_pair[1]);
+ exit(0);
+
+ } else {
+ /* parent process */
+ close(sock_pair[1]);
+ fd_unix = sock_pair[0];
+ }
+}
+
+/* ======================================================================= */
+
+/* DAEMON - graceful shutdown of the helper */
+
+void
+PRV_Stop(void)
+{
+ int status;
+ close(fd_unix);
+ fd_unix = -1;
+ wait(&status);
+}
+
+#endif /* defined(FEAT_PRIVHELPER) */
diff --git a/privops.h b/privops.h
new file mode 100644
index 0000000..ef5293e
--- /dev/null
+++ b/privops.h
@@ -0,0 +1,48 @@
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Bryan Christianson 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ Perform privileged operations over a unix socket to a privileged fork.
+
+*/
+
+#ifndef _PRIVOPS_H_
+#define _PRIVOPS_H_
+
+#if defined(FEAT_PRIVHELPER)
+/* use privileged function wrappers */
+int PRV_AdjustTime(const struct timeval *delta, struct timeval *olddelta);
+int PRV_BindSocket(int sock, const struct sockaddr *address, socklen_t address_len);
+int PRV_SetTime(const struct timeval *tp, const struct timezone *tzp);
+
+void PRV_Start(void);
+void PRV_Stop(void);
+
+#else
+/* use native system calls */
+#define PRV_AdjustTime adjtime
+#define PRV_BindSocket bind
+#define PRV_SetTime settimeofday
+
+#endif /* defined(FEAT_PRIVHELPER) */
+
+#endif
\ No newline at end of file
--
2.4.9 (Apple Git-60)
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.