[openwrt/openwrt] busybox: allow ntpd to run as non-root ntpd user

LEDE Commits lede-commits at lists.infradead.org
Sun Oct 25 09:08:26 EDT 2020


dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/2d34355e16b442fcf51e93786401716dae3c4ea2

commit 2d34355e16b442fcf51e93786401716dae3c4ea2
Author: Daniel Golle <daniel at makrotopia.org>
AuthorDate: Mon Oct 19 21:22:30 2020 +0100

    busybox: allow ntpd to run as non-root ntpd user
    
    Signed-off-by: Daniel Golle <daniel at makrotopia.org>
---
 package/utils/busybox/Makefile                     |  5 ++++-
 package/utils/busybox/files/ntpd.capabilities      | 22 ++++++++++++++++++++++
 package/utils/busybox/files/sysntpd                |  7 +++++++
 .../busybox/patches/600-allow-ntpd-non-root.patch  | 12 ++++++++++++
 4 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index b2de0a852b..6d9a0088e5 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
 PKG_VERSION:=1.31.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
@@ -50,6 +50,7 @@ define Package/busybox/Default
   TITLE:=Core utilities for embedded Linux
   URL:=http://busybox.net/
   DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+  USERID:=ntpd=123:ntpd=123
 endef
 
 define Package/busybox
@@ -144,6 +145,8 @@ endif
 ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
+	$(INSTALL_DIR) $(1)/etc/capabilities/
+	$(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
 endif
 	-rm -rf $(1)/lib64
 endef
diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
new file mode 100644
index 0000000000..8a05dba4bc
--- /dev/null
+++ b/package/utils/busybox/files/ntpd.capabilities
@@ -0,0 +1,22 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	]
+}
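Review bot: The `ambient` and `inheritable` sets carry both CAP_SYS_TIME and CAP_NET_BIND_SERVICE, so every process ntpd execs starts with those capabilities as well — most likely the hotplug script this commit installs as /usr/sbin/ntpd-hotplug, presumably handed to ntpd via `-S` by the part of sysntpd outside this diff. Ambient is presumably unavoidable here, since a non-setuid binary run as the ntpd user would otherwise lose its permitted/effective set on ujail's execve, but that means a shell script runs with CAP_SYS_TIME it has no use for. Strict JSON has no comment syntax, so the rationale belongs in sysntpd or the commit message, e.g. `# ambient/inheritable caps are needed to survive execve as non-root; note the -S hook script inherits CAP_SYS_TIME too`. Worth confirming the hook script cannot be steered by untrusted input while it holds that capability.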
diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
index 52866ba32a..cbc760a48e 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -55,6 +55,13 @@ start_ntpd_instance() {
 		procd_append_param command -p $peer
 	done
 	procd_set_param respawn
+	[ -x /sbin/ujail ] && {
+		procd_add_jail ntpd
+		procd_set_param capabilities /etc/capabilities/ntpd.json
+		procd_set_param user ntpd
+		procd_set_param group ntpd
+		procd_set_param no_new_privs 1
+	}
 	procd_close_instance
 }
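Review bot: When /sbin/ujail is not installed the whole guarded block is skipped and ntpd keeps running as root with no user, group or capability restriction, and nothing in the script records that this silent fallback is intentional. A comment on the guard would stop a later reader from moving `procd_set_param user`/`group` outside it, which would presumably drop root without a way to keep CAP_SYS_TIME and leave ntpd unable to set the clock, e.g. `# user/group/caps only work together: without ujail the caps can't survive the uid switch, so fall back to root`. start_ntpd_instance begins before this hunk, so the ntpd command line (and whether a -S hook script is passed) is not visible here; if one is, it now runs as the ntpd user inside the jail, which may affect what it can reach (ubus, /etc), and deserves a line in the commit message.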
 
diff --git a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
new file mode 100644
index 0000000000..b5d4c2a07d
--- /dev/null
+++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
@@ -0,0 +1,12 @@
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
+ 
+ 	srand(getpid());
+ 
+-	if (getuid())
+-		bb_error_msg_and_die(bb_msg_you_must_be_root);
+-
+ 	/* Set some globals */
+ 	G.discipline_jitter = G_precision_sec;
+ 	G.stratum = MAXSTRAT;
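Review bot: The `getuid()` check in ntp_init is removed without any replacement, so an ntpd started by an unprivileged user that does not hold CAP_SYS_TIME now gets through initialisation and only fails later, presumably at the first adjtimex()/settimeofday() after peers have already been contacted, instead of refusing to start with a clear message. The patch file also has no header, so the reason for dropping the check is not recorded anywhere next to the code; a short preamble above the first `---` line would do, e.g. `ntpd: drop the getuid() root check. OpenWrt runs ntpd as an unprivileged user that is granted CAP_SYS_TIME through procd/ujail, so uid 0 is no longer a precondition; missing privilege surfaces at the first clock adjustment instead.` ntp_init starts before and continues after this hunk.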


