[chrony-users] Re: [PATCH] main: imply -x if time can't be set

[Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>]

I beg your pardon, I initially intended to file a bug (this list) but eventually wrote a patch.

I just submitted to -dev where a patch is more correct, so ignore this mail over here in favor of the one on the -dev list.

On Wed, Mar 7, 2018 at 12:34 PM, Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> wrote:

In unprivileged containers even after e8096330 "sys_linux: don't keep
CAP_SYS_TIME with -x option" default installations
will still run without an explicit -x being set and therefore fail by
missing CAP_SYS_TIME.

Usually users want services to "just work" which in a non-CAP_SYS_TIME
environment means that chrony will fulfil just the NTP serving task but
not the local time control.

Therefore imply -x in those environments.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 main.c      |  5 +++++
 sys.c       | 11 +++++++++++
 sys.h       |  3 +++
 sys_linux.c | 10 ++++++++++
 sys_linux.h |  2 ++
 5 files changed, 31 insertions(+)

diff --git a/main.c b/main.c
index a2202e9..7a6f61c 100644
--- a/main.c
+++ b/main.c
@@ -499,6 +499,11 @@ int main
   if (getuid() && !client_only)
     LOG_FATAL("Not superuser");

+  if (clock_control && !SYS_IsTimeAdjustable()) {
+    LOG(LOGS_WARN, "Time not adjustable, implying -x (do not set system clock)");
+    clock_control = 0;
+  }
+
   /* Turn into a daemon */
   if (!nofork) {
     go_daemon();
diff --git a/sys.c b/sys.c
index 4d68b37..4581a66 100644
--- a/sys.c
+++ b/sys.c
@@ -94,6 +94,17 @@ SYS_Finalise(void)

 /* ================================================== */

+int SYS_IsTimeAdjustable()
+{
+#if defined(LINUX) && defined (FEAT_PRIVDROP)
+  return SYS_Linux_IsTimeAdjustable();
+#elif
+  return true;
+#endif
+}
+
+/* ================================================== */
+
 void SYS_DropRoot(uid_t uid, gid_t gid)
 {
 #if defined(LINUX) && defined (FEAT_PRIVDROP)
diff --git a/sys.h b/sys.h
index cb726f2..a40ea96 100644
--- a/sys.h
+++ b/sys.h
@@ -38,6 +38,9 @@ extern void SYS_Finalise(void);
 /* Drop root privileges to the specified user and group */
 extern void SYS_DropRoot(uid_t uid, gid_t gid);

+/* Check if time is adjustable, e.g. lack of CAP_SYS_TIME on linux containers */
+extern int SYS_IsTimeAdjustable(void);
+
 /* Enable a system call filter to allow only system calls
    which chronyd normally needs after initialization */
 extern void SYS_EnableSystemCallFilter(int level);
diff --git a/sys_linux.c b/sys_linux.c
index f445727..695d3d4 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -413,6 +413,16 @@ SYS_Linux_Finalise(void)

 /* ================================================== */

+int SYS_Linux_IsTimeAdjustable(void)
+{
+  if (CAP_IS_SUPPORTED(CAP_SYS_TIME) && cap_get_bound(CAP_SYS_TIME))
+    return 1;
+  else
+    return 0;
+}
+
+/* ================================================== */
+
 #ifdef FEAT_PRIVDROP
 void
 SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
diff --git a/sys_linux.h b/sys_linux.h
index 799ae9a..301d025 100644
--- a/sys_linux.h
+++ b/sys_linux.h
@@ -31,6 +31,8 @@ extern void SYS_Linux_Initialise(void);

 extern void SYS_Linux_Finalise(void);

+extern int SYS_Linux_IsTimeAdjustable(void);
+
 extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control);

 extern void SYS_Linux_EnableSystemCallFilter(int level);
--
2.7.4

--

Christian Ehrhardt

Software Engineer, Ubuntu Server

Canonical Ltd