busybox: allow ntpd to run as non-root ntpd user (master breakage)
Etienne Champetier
champetier.etienne at gmail.com
Sun Oct 25 12:37:50 EDT 2020
Hello Daniel,
Le dim. 25 oct. 2020 à 09:08, LEDE Commits
<lede-commits at lists.infradead.org> a écrit :
>
> dangole pushed a commit to openwrt/openwrt.git, branch master:
> https://git.openwrt.org/2d34355e16b442fcf51e93786401716dae3c4ea2
>
> commit 2d34355e16b442fcf51e93786401716dae3c4ea2
> Author: Daniel Golle <daniel at makrotopia.org>
> AuthorDate: Mon Oct 19 21:22:30 2020 +0100
>
> busybox: allow ntpd to run as non-root ntpd user
>
> Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> ---
> package/utils/busybox/Makefile | 5 ++++-
> package/utils/busybox/files/ntpd.capabilities | 22 ++++++++++++++++++++++
> package/utils/busybox/files/sysntpd | 7 +++++++
> .../busybox/patches/600-allow-ntpd-non-root.patch | 12 ++++++++++++
> 4 files changed, 45 insertions(+), 1 deletion(-)
>
> diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
> index b2de0a852b..6d9a0088e5 100644
> --- a/package/utils/busybox/Makefile
> +++ b/package/utils/busybox/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
> PKG_NAME:=busybox
> PKG_VERSION:=1.31.1
> -PKG_RELEASE:=4
> +PKG_RELEASE:=5
> PKG_FLAGS:=essential
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> @@ -50,6 +50,7 @@ define Package/busybox/Default
> TITLE:=Core utilities for embedded Linux
> URL:=http://busybox.net/
> DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
> + USERID:=ntpd=123:ntpd=123
ntpd package has
USERID:=ntp=123:ntp=123
and this causes breakage (reports on IRC and
https://github.com/openwrt/openwrt/commit/2d34355e16b442fcf51e93786401716dae3c4ea2#commitcomment-43560876)
Just replacing ntpd with ntp should fix it.
> endef
>
> define Package/busybox
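Review bot: USERID is added to Package/busybox/Default unconditionally, while the DEPENDS line just above gates jsonfilter on BUSYBOX_CONFIG_NTPD; as written the account is presumably created on every busybox build, even when ntpd is not compiled in. If the build system permits a conditional here, gating it the same way as the jsonfilter dependency would keep the extra account off images that do not ship ntpd. The define continues outside the hunk.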
> @@ -144,6 +145,8 @@ endif
> ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
> $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
> $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
> + $(INSTALL_DIR) $(1)/etc/capabilities/
> + $(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
> endif
> -rm -rf $(1)/lib64
> endef
> diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
> new file mode 100644
> index 0000000000..8a05dba4bc
> --- /dev/null
> +++ b/package/utils/busybox/files/ntpd.capabilities
> @@ -0,0 +1,22 @@
> +{
> + "bounding": [
> + "CAP_NET_BIND_SERVICE",
> + "CAP_SYS_TIME"
> + ],
> + "effective": [
> + "CAP_NET_BIND_SERVICE",
> + "CAP_SYS_TIME"
> + ],
> + "ambient": [
> + "CAP_NET_BIND_SERVICE",
> + "CAP_SYS_TIME"
> + ],
> + "permitted": [
> + "CAP_NET_BIND_SERVICE",
> + "CAP_SYS_TIME"
> + ],
> + "inheritable": [
> + "CAP_NET_BIND_SERVICE",
> + "CAP_SYS_TIME"
> + ]
> +}
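Review bot: The same two capabilities are listed in all five sets, but nothing on the page records why each is needed, and the JSON format leaves no room for a comment; the rationale belongs in the commit message or next to the install line in the Makefile, e.g. `# ntpd.json: CAP_SYS_TIME to step/slew the clock, CAP_NET_BIND_SERVICE to bind UDP/123`. If the instance is only ever started in client mode (no -l), the listening socket on port 123 is presumably never opened and CAP_NET_BIND_SERVICE could be dropped from every set; confirm against sysntpd's option handling, which is outside this hunk.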
> diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
> index 52866ba32a..cbc760a48e 100755
> --- a/package/utils/busybox/files/sysntpd
> +++ b/package/utils/busybox/files/sysntpd
> @@ -55,6 +55,13 @@ start_ntpd_instance() {
> procd_append_param command -p $peer
> done
> procd_set_param respawn
> + [ -x /sbin/ujail ] && {
> + procd_add_jail ntpd
> + procd_set_param capabilities /etc/capabilities/ntpd.json
> + procd_set_param user ntpd
> + procd_set_param group ntpd
> + procd_set_param no_new_privs 1
> + }
> procd_close_instance
> }
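Review bot: When /sbin/ujail is absent the whole block is skipped, so the instance silently keeps running as root with full capabilities, and nothing records that this fallback is intended; a comment such as `# without ujail the instance falls back to running as root` above the test would make that explicit. procd_add_jail ntpd is called with no mount parameters, so the ntpd-hotplug helper the Makefile installs presumably needs /bin/sh, ubus and the libraries they use to be reachable inside the jail if ntpd is started with it as its -S script — worth confirming on a ujail-enabled image. start_ntpd_instance begins outside the hunk.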
>
> diff --git a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
> new file mode 100644
> index 0000000000..b5d4c2a07d
> --- /dev/null
> +++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
> @@ -0,0 +1,12 @@
> +--- a/networking/ntpd.c
> ++++ b/networking/ntpd.c
> +@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
> +
> + srand(getpid());
> +
> +- if (getuid())
> +- bb_error_msg_and_die(bb_msg_you_must_be_root);
> +-
> + /* Set some globals */
> + G.discipline_jitter = G_precision_sec;
> + G.stratum = MAXSTRAT;
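Review bot: The patch file has no description header, so the reason for dropping the getuid() check is recorded nowhere in the tree, and the removal is unconditional — a non-root ntpd started without CAP_SYS_TIME now gets past ntp_init and only discovers the missing privilege when it first tries to adjust the clock. A description above the `---` line, e.g. `ntpd: drop the must-be-root check so procd can start ntpd as an unprivileged user holding CAP_SYS_TIME and CAP_NET_BIND_SERVICE`, would document the intent. Whether the later clock-adjust error path dies loudly or merely logs should be confirmed in ntpd.c, which is outside this hunk.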
>