| [chrony-dev] permissions |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]
With the latest advent of hacking NTP protocols, the effort should be underway with regard to graceful lockdown of ntp (not NTP, the alternative) administration efforts and their capability set. There are two basic issues with ntp admin: 1. Hackers are easily obtaining basic protocol info in which to mount their NTP skew and source-replacement attacks. 2. Attack remediation through leakage must be done. We need to drop down ntp admin privileges from revealing too much of protocol and infrastructure of time servers and their raw data. What are the unprivileged operation of Chrony? Basic premises: - Provide reduced privilege for observers of security enforcement to examine - Provide users with essential time-syncing data to do their job but NOT to alter the infrastructure. - no _chrony group file are writable... this is important - no _chrony group directory are writable - And to leverage AppArmor (and UNIX file perms) to help with that. Yet, we already have a '_chrony' for an unprivileged user. - underutilized - But the 'chsh _chrony' is still at /usr/bin/nologin - And rightfully so. - If we cannot login as '_chrony' user, what good is '_chrony' username? - if we can 'su _chrony', then we can make file CHANGES!!! - But passwords are not allowed at _chrony user. (CIS?) - if we can 'sudo -u _chrony /bin/bash', then we can make file CHANGES!!! - group-authentication is now shifted to /etc/sudoer* - Easily grouped with 'qa' or 'auditor' group. - Not the best thing, but the next best thing. And as for '_chrony' group being unprivileged. - 'adduser <user> _chrony' is how to join this Chrony 'read-only' group - That is most useful for QA or OSCAP (CIS Security) effort (where it is nearly all read-operation for their verification and validation of overall hardened effort. - Admin of sudoers.conf can then add '_chrony' to their Group alias. - Some files will never be viewable by QA/OSCAP (i.e., DNS private keys) - Chrony NTP keys is one such example, not viewable by QA/OSCAP - Use g-rxw fileperm on that 'keys' file - They'll see be seeing 'authdata', 'serverstats' and 'ntpdata' instead - 'newgrp _chrony', what is it good for? Only good to bypass the group-passwd mechanism (provided by gpasswd(8)). Shifts onus of a group protection to all users' effort by guarding their own user password. Ideal general ntp roles OPERATOR CHRONY CHRONY ROOT CRON ADMIN USER NOBODY operations - client-tool IP, cmdAllowDeny acl - YES - - IP, allow-deny acl - YES - - IP, cyclelogs - YES YES - - IP, reload - YES YES - - IP, online - YES YES - - IP, onoffline - YES YES - - IP, dump - YES YES - - IP, shutdown - acl YES - - IP, reselect - acl YES - - IP, add/delete - acl YES - - IP, local - acl YES - - IP, smoothtime - acl YES - - IP, rekey - acl YES - - IP, refresh - acl YES - - IP, makestep - acl YES - - IP, maxupdateskew - acl YES - - IP, waitsync - acl YES - - IP, manual - acl YES - - IP, maxdelay - - YES - - IP, retries - - YES - - IP, timeout - - YES - - IP, settime - - YES - - IP, polltarget - - YES - - IP, minstratum - - YES - - IP, minpoll - - YES - - IP, maxpoll - - YES - - IP, maxdelay - - YES - - IP, maxdelayratio - - YES - - IP, maxdelaydevratio - YES - - OPERATOR CHRONY CHRONY ROOT CRON ADMIN USER NOBODY monitoring - client-tool IP, activity YES YES YES acl - IP, clients YES YES YES acl - IP, sourcename YES YES YES acl - IP, accheck YES acl YES acl - IP, sources YES acl YES acl - IP, tracking YES acl YES acl - IP, manual list YES acl YES acl - statistics - client-tool IP, sourcesstat - YES YES YES - IP, selectdata - YES YES YES - IP, reselectdata - YES YES YES - IP, authdata - YES YES YES - IP, smoothing - YES YES YES - OPERATOR CHRONY CHRONY ROOT CRON ADMIN USER NOBODY client-tool UNIX-sock, read YES YES YES group - UNIX-sock, modify - - YES acl - daemon-side logs, read YES YES YES YES - logs, move YES YES YES - - logs, create - YES YES - - logs, delete - YES - - - logs, change - - - - - logs, append - - - - - sources, read YES - YES YES - sources, move YES - YES - - sources, create - - YES - - sources, delete - - YES - - sources, change - - YES - - sources, append YES - YES - - config, read YES - YES YES - config, move YES - YES - - config, create - - YES - - config, delete - - YES - - config, change - - YES - - config, append - - YES - - OPERATOR CHRONY CHRONY ROOT CRON ADMIN USER NOBODY keys, read YES - YES - - keys, move YES - YES - - keys, create - - YES - - keys, delete - - YES - - Keys, change - - YES - - keys, append YES - YES - - Control, start YES YES YES YES - Control, restart YES YES YES YES - Control, stop YES* YES* YES - - AppArmor file permissions (translated based on roles listed above): | User-selectable | |ACL default | Account GID root _chrony _chrony/_chrony <GID> Account UID root root _chrony|<UID> <UID> CHRONY CHRONY/ Ideal AppArmor PERMS ROOT ADMIN USER |NOBODY ANYBODY Filesystem permissions executables chronyd rwxca r.x.. .....* .....* r.x..* 0700 root:_chrony* chronyc . . . rwxca r.x.. ..x..* .....* r.x..* 0710 root:_chrony* operation /run/chrony/ rwxc- r.x.- r.x.. ..... r.x.. 0750 _chrony:root chrony.pid . . . rw.ca r.... ..... ..... r.... 0640 root:root chrony.sock rw.c- rw... rw..- ....- r...- 0660 _chrony:_chrony /var/log/chrony/ rwxc- rwxc- r.... ..... r.x.- 0750 _chrony:_chrony /var/lib/chrony/ rwxc- r.x.. ...... ..... r.x.- 0750 _chrony:_chrony drift . . . . . rw.ca r.... ..... ..... r.... 0600 _chrony:_chrony config /etc/chrony/ . . rwxc- r.x.. ..... ..... ..... 0640 _chrony:root chrony/conf.d/ . rwxc- rwxc- ..... ..... ..... 0640 _chrony:root chrony.conf . . rw.ca rw.ca ..... ..... ..... 0640 _chrony:root keys chrony.keys . . rw.ca rw-ca ..... ...... ..... 0600 _chrony:root others (controlled by dhclient) run/chrony-dhcp/ r-x.. r.x.. ..... ..... ..... 0750 root:_chrony+ Legend ------ * Debian/user control the fileperms + can use _chrony:root if dhcp account has _chrony supplemental GID plus dhclient-exit-hooks.d/chrony script does chown/chmod commands - append is not applicable toward a directory or UNIX socket Package changes needed (circa Debian 11 Update+Security): chronyd 0755 root:root -> 0750 _chrony:root chrony/conf.d 0755 root:root -> 0750 _chrony:root chrony/sources.d 0755 root:root -> 0750 _chrony:root chrony.keys 0640 root:root -> 0600 _chrony:root run/chrony 0750 _chrony:_chrony -> 0750 _chrony:root Code patches needed (low priority, protected by its directory) drift 0644 _chrony:_chrony -> 0600 _chrony:_chrony Re-design needed: - Need design clarification as to what Chrony client can do further to discriminate types of end-users (noticed, I did not mention user/group ID/name). i have some auto-configuration and 489* has the file permission checker of Chrony in https://github.com/egberts/easy-admin/tree/main/chrony |
| Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |