busybox: allow ntpd to run as non-root ntpd user (master breakage)

Etienne Champetier champetier.etienne at gmail.com
Sun Oct 25 12:37:50 EDT 2020


Hello Daniel,

Le dim. 25 oct. 2020 à 09:08, LEDE Commits
<lede-commits at lists.infradead.org> a écrit :
>
> dangole pushed a commit to openwrt/openwrt.git, branch master:
> https://git.openwrt.org/2d34355e16b442fcf51e93786401716dae3c4ea2
>
> commit 2d34355e16b442fcf51e93786401716dae3c4ea2
> Author: Daniel Golle <daniel at makrotopia.org>
> AuthorDate: Mon Oct 19 21:22:30 2020 +0100
>
>     busybox: allow ntpd to run as non-root ntpd user
>
>     Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> ---
>  package/utils/busybox/Makefile                     |  5 ++++-
>  package/utils/busybox/files/ntpd.capabilities      | 22 ++++++++++++++++++++++
>  package/utils/busybox/files/sysntpd                |  7 +++++++
>  .../busybox/patches/600-allow-ntpd-non-root.patch  | 12 ++++++++++++
>  4 files changed, 45 insertions(+), 1 deletion(-)
>
> diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
> index b2de0a852b..6d9a0088e5 100644
> --- a/package/utils/busybox/Makefile
> +++ b/package/utils/busybox/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=busybox
>  PKG_VERSION:=1.31.1
> -PKG_RELEASE:=4
> +PKG_RELEASE:=5
>  PKG_FLAGS:=essential
>
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> @@ -50,6 +50,7 @@ define Package/busybox/Default
>    TITLE:=Core utilities for embedded Linux
>    URL:=http://busybox.net/
>    DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
> +  USERID:=ntpd=123:ntpd=123

ntpd package has
USERID:=ntp=123:ntp=123
and this causes breakage (reports on IRC and
https://github.com/openwrt/openwrt/commit/2d34355e16b442fcf51e93786401716dae3c4ea2#commitcomment-43560876)
Just replacing ntpd with ntp should fix it.


>  endef
>
>  define Package/busybox
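Review bot: The new `USERID` line sits in `Package/busybox/Default`, so the account is created for every busybox variant whether or not the ntpd applet is built, while the files that need it (sysntpd, the capabilities file) are only installed inside the `CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD` guard further down. If USERID cannot be made conditional the way the `DEPENDS` entry just above it is, a comment making the choice explicit would help the next reader, e.g. `# account used by the ntpd applet (installed below); created unconditionally`. Whether the build system supports a conditional USERID is not visible from this hunk, so treat that as something to confirm.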
> @@ -144,6 +145,8 @@ endif
>  ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
>         $(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
>         $(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
> +       $(INSTALL_DIR) $(1)/etc/capabilities/
> +       $(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
>  endif
>         -rm -rf $(1)/lib64
>  endef
> diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
> new file mode 100644
> index 0000000000..8a05dba4bc
> --- /dev/null
> +++ b/package/utils/busybox/files/ntpd.capabilities
> @@ -0,0 +1,22 @@
> +{
> +       "bounding": [
> +               "CAP_NET_BIND_SERVICE",
> +               "CAP_SYS_TIME"
> +       ],
> +       "effective": [
> +               "CAP_NET_BIND_SERVICE",
> +               "CAP_SYS_TIME"
> +       ],
> +       "ambient": [
> +               "CAP_NET_BIND_SERVICE",
> +               "CAP_SYS_TIME"
> +       ],
> +       "permitted": [
> +               "CAP_NET_BIND_SERVICE",
> +               "CAP_SYS_TIME"
> +       ],
> +       "inheritable": [
> +               "CAP_NET_BIND_SERVICE",
> +               "CAP_SYS_TIME"
> +       ]
> +}
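Review bot: Putting CAP_SYS_TIME and CAP_NET_BIND_SERVICE in the "ambient" set means they survive execve into any child the daemon starts, not just into ntpd itself; this commit also installs ntpd-hotplug, and if sysntpd passes it to ntpd as a `-S` hook (not visible here), that script and whatever it runs would presumably carry both capabilities as well. The ambient entries are what let the unprivileged user keep the capabilities after procd switches uid, so they cannot simply be removed, but the trade-off should be written down somewhere since JSON has no comment syntax — the commit message, or a line next to the `procd_set_param capabilities` call in sysntpd such as `# ambient caps are inherited by the -S hook script; keep this set minimal`. The five sets are identical here, so a reader cannot tell which ones procd/ujail actually consumes; a note on that would also avoid future copy-paste of the full set into other services.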
> diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
> index 52866ba32a..cbc760a48e 100755
> --- a/package/utils/busybox/files/sysntpd
> +++ b/package/utils/busybox/files/sysntpd
> @@ -55,6 +55,13 @@ start_ntpd_instance() {
>                 procd_append_param command -p $peer
>         done
>         procd_set_param respawn
> +       [ -x /sbin/ujail ] && {
> +               procd_add_jail ntpd
> +               procd_set_param capabilities /etc/capabilities/ntpd.json
> +               procd_set_param user ntpd
> +               procd_set_param group ntpd
> +               procd_set_param no_new_privs 1
> +       }
>         procd_close_instance
>  }
>
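Review bot: The privilege drop is best-effort: the entire `[ -x /sbin/ujail ] && { ... }` block is skipped on an image without ujail, so ntpd then keeps running as root, and because the busybox patch in this same commit removes the getuid() check, nothing logs which mode the instance ended up in. A comment above the block would make that deliberate, e.g. `# user/group/capabilities are only applied through ujail; without it ntpd stays root`. It is also worth confirming that the hotplug hook ntpd runs still works once ntpd is the unprivileged ntpd user inside the jail, since the hunk adds no jail mounts. start_ntpd_instance() begins outside the hunk.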
> diff --git a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
> new file mode 100644
> index 0000000000..b5d4c2a07d
> --- /dev/null
> +++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
> @@ -0,0 +1,12 @@
> +--- a/networking/ntpd.c
> ++++ b/networking/ntpd.c
> +@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
> +
> +       srand(getpid());
> +
> +-      if (getuid())
> +-              bb_error_msg_and_die(bb_msg_you_must_be_root);
> +-
> +       /* Set some globals */
> +       G.discipline_jitter = G_precision_sec;
> +       G.stratum = MAXSTRAT;
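Review bot: Deleting the getuid() check removes the only early diagnosis of a misconfigured deployment: an ntpd started without CAP_SYS_TIME now runs until its first settimeofday()/adjtimex() call, so the missing capability surfaces late and, under procd respawn, as a repeating runtime error rather than a clear startup failure. If this busybox tree has capability helpers, a check of the effective set would keep the fail-fast behaviour; failing that, the patch should carry a header explaining the new contract, e.g. `ntpd no longer requires uid 0; the caller must grant CAP_SYS_TIME (and CAP_NET_BIND_SERVICE when listening on port 123) via procd capabilities`. The surrounding ntp_init() starts and continues outside the hunk.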
>


