Re: [chrony-dev] Seccomp issue on Alpine linux

On 31/05/2023 16:42, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
>> (GID != 0)
>> 2023-05-31T14:28:33Z Disabled command socket
>> /home/jvoisin/chrony/test/system/tmp/chronyd.sock
> 
> It seems the tmp directory is being created with a different group than 0
> (root). Is it a wheel group?
Yes, root is part of wheel:

```
alpine:/home/jvoisin/chrony/test/system# groups
root bin daemon sys adm disk wheel floppy dialout tape video
alpine:/home/jvoisin/chrony/test/system#
```

> 
> Can you please try it again with this patch?
> 
> diff --git a/test/system/test.common b/test/system/test.common
> index 7005c9e1..aa48ac67 100644
> --- a/test/system/test.common
> +++ b/test/system/test.common
> @@ -42,6 +42,8 @@ test_start() {
>                 su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
>                         test_skip "$user cannot access $TEST_DIR"
>                 rm "$TEST_DIR/test"
> +       else
> +               chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
>         fi
>  
>         echo "Testing $*:"
> 
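Review bot: The new else branch in test_start() carries no comment explaining why the directory needs "chown 0:0", and the reason is not visible in the script itself: chronyd logs "Wrong owner of ... (GID != 0)" and disables the command socket when the test directory is created with a group other than 0, as the log quoted earlier in this thread shows. A one-line comment above the chown stating that would keep the branch from being dropped later as redundant. A smaller style point: the su check a few lines up redirects stderr with "2> /dev/null" before calling test_skip, while the chown does not, so a failure here prints chown's own error as well as the skip message; making the two checks consistent either way would be cleaner.
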
```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronyd                                      	OK
  stopping chronyd                                      	OK
  checking chronyd messages                             	OK
PASS
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
    001-minimal                                         	OK
    002-extended                                        	BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
+REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
-DEBUG)
2023-05-31T14:51:14Z Disabled control of system clock
2023-05-31T14:51:14Z World-readable permissions on
/home/jvoisin/chrony/test/system/tmp/keys
2023-05-31T14:51:14Z Loaded 1 symmetric keys
2023-05-31T14:51:14Z Running with root privileges
2023-05-31T14:51:14Z Frequency 0.000 +/- 10000.000 ppm read from
/home/jvoisin/chrony/test/system/tmp/driftfile
2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
alpine:/home/jvoisin/chrony/test/system#
```
