Re: [chrony-dev] Seccomp issue on Alpine linux
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Seccomp issue on Alpine linux
- From: jvoisin <julien.voisin@xxxxxxxxxx>
- Date: Wed, 31 May 2023 16:54:09 +0200
On 31/05/2023 16:42, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
>> (GID != 0)
>> 2023-05-31T14:28:33Z Disabled command socket
>> /home/jvoisin/chrony/test/system/tmp/chronyd.sock
>
> It seems the tmp directory is being created with a different group than 0
> (root). Is it a wheel group?
Yes, root is part of wheel:
```
alpine:/home/jvoisin/chrony/test/system# groups
root bin daemon sys adm disk wheel floppy dialout tape video
alpine:/home/jvoisin/chrony/test/system#
```
>
> Can you please try it again with this patch?
>
> diff --git a/test/system/test.common b/test/system/test.common
> index 7005c9e1..aa48ac67 100644
> --- a/test/system/test.common
> +++ b/test/system/test.common
> @@ -42,6 +42,8 @@ test_start() {
> su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
> test_skip "$user cannot access $TEST_DIR"
> rm "$TEST_DIR/test"
> + else
> + chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
> fi
>
> echo "Testing $*:"
>
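Review bot: the added else branch runs chown 0:0 "$TEST_DIR" with no comment saying why, and the reason cannot be recovered from test.common itself. Per the log quoted above, chronyd rejects the directory with "Wrong owner of ... (GID != 0)" and disables the command socket, so a one-line comment above the chown stating that the test directory needs owner and group 0 for chronyd to accept it would help. A failed chown is also turned into test_skip, so on a system where it cannot succeed the run reports a skip rather than a failure; if that is intended, the skip message could name the expected owner (0:0) to make the cause visible in the output.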
```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd OK
stopping chronyd OK
checking chronyd messages OK
PASS
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal OK
002-extended BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
+REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
-DEBUG)
2023-05-31T14:51:14Z Disabled control of system clock
2023-05-31T14:51:14Z World-readable permissions on
/home/jvoisin/chrony/test/system/tmp/keys
2023-05-31T14:51:14Z Loaded 1 symmetric keys
2023-05-31T14:51:14Z Running with root privileges
2023-05-31T14:51:14Z Frequency 0.000 +/- 10000.000 ppm read from
/home/jvoisin/chrony/test/system/tmp/driftfile
2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
alpine:/home/jvoisin/chrony/test/system#
```