author | Daniel Golle <daniel@makrotopia.org> | 2020-10-19 21:22:30 +0100 |
committer | Daniel Golle <daniel@makrotopia.org> | 2020-10-25 13:01:35 +0000 |
commit | 2d34355e16b442fcf51e93786401716dae3c4ea2 (patch) | |
tree | 1fe6e9c20153a6f76d5baf7a48480c93a0537b06 | |
parent | ccb283c71cce2248eea3afd42624f626cdc3a4f2 (diff) | |
busybox: allow ntpd to run as non-root ntpd user
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r-- | package/utils/busybox/Makefile | 5 | ||||
-rw-r--r-- | package/utils/busybox/files/ntpd.capabilities | 22 | ||||
-rwxr-xr-x | package/utils/busybox/files/sysntpd | 7 | ||||
-rw-r--r-- | package/utils/busybox/patches/600-allow-ntpd-non-root.patch | 12 |
4 files changed, 45 insertions, 1 deletions
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index b2de0a852b..6d9a0088e5 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
 PKG_VERSION:=1.31.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
@@ -50,6 +50,7 @@ define Package/busybox/Default
   TITLE:=Core utilities for embedded Linux
   URL:=http://busybox.net/
   DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+  USERID:=ntpd=123:ntpd=123
 endef
 
 define Package/busybox
@@ -144,6 +145,8 @@ endif
 ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
+	$(INSTALL_DIR) $(1)/etc/capabilities/
+	$(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
 endif
 	-rm -rf $(1)/lib64
 endef
diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
new file mode 100644
index 0000000000..8a05dba4bc
--- /dev/null
+++ b/package/utils/busybox/files/ntpd.capabilities
@@ -0,0 +1,22 @@
+{
+  "bounding": [
+    "CAP_NET_BIND_SERVICE",
+    "CAP_SYS_TIME"
+  ],
+  "effective": [
+    "CAP_NET_BIND_SERVICE",
+    "CAP_SYS_TIME"
+  ],
+  "ambient": [
+    "CAP_NET_BIND_SERVICE",
+    "CAP_SYS_TIME"
+  ],
+  "permitted": [
+    "CAP_NET_BIND_SERVICE",
+    "CAP_SYS_TIME"
+  ],
+  "inheritable": [
+    "CAP_NET_BIND_SERVICE",
+    "CAP_SYS_TIME"
+  ]
+}
diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
index 52866ba32a..cbc760a48e 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
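Review bot: The new ntpd.capabilities file lists the same two capabilities in all five sets, including "ambient", and nothing on the page records why the ambient set is needed; ambient capabilities survive execve, so any program ntpd itself starts (for instance the ntpd-hotplug helper installed by the Makefile hunk above, if ntpd is given it) would also run with CAP_SYS_TIME and CAP_NET_BIND_SERVICE. Presumably inheritable plus ambient is what keeps the capabilities after procd switches to the ntpd user, but that should be confirmed rather than left as a copy of the other sets. JSON has no comment syntax, so the rationale belongs next to the install line in the Makefile, e.g. `# ntpd.capabilities: ambient set keeps CAP_SYS_TIME/CAP_NET_BIND_SERVICE across the uid switch; it is inherited by anything ntpd execs`.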
@@ -55,6 +55,13 @@ start_ntpd_instance() {
 		procd_append_param command -p $peer
 	done
 	procd_set_param respawn
+	[ -x /sbin/ujail ] && {
+		procd_add_jail ntpd
+		procd_set_param capabilities /etc/capabilities/ntpd.json
+		procd_set_param user ntpd
+		procd_set_param group ntpd
+		procd_set_param no_new_privs 1
+	}
 	procd_close_instance
 }
 
diff --git a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
new file mode 100644
index 0000000000..b5d4c2a07d
--- /dev/null
+++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
@@ -0,0 +1,12 @@
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
+ 
+ 	srand(getpid());
+ 
+-	if (getuid())
+-		bb_error_msg_and_die(bb_msg_you_must_be_root);
+-
+ 	/* Set some globals */
+ 	G.discipline_jitter = G_precision_sec;
+ 	G.stratum = MAXSTRAT;
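Review bot: When /sbin/ujail is not present the whole added block is skipped and the instance keeps running as root, now without the getuid() guard that the accompanying busybox patch removes, yet nothing in the script records that the sandbox was skipped. A short comment above the test would make the fallback explicit for anyone auditing the service, e.g. `# procd applies the capability file only through ujail; without it ntpd stays root`, and a `logger`-style message in the fallback path would let operators see which mode they got. The jail is added with `procd_add_jail ntpd` but no mounts, so it is worth confirming that whatever the command line built above references (the ntpd-hotplug helper installed by this commit, resolver files) is visible inside the jail. start_ntpd_instance begins outside the hunk.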
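Review bot: The new patch file carries no description above its `---` line, so a reader of 600-allow-ntpd-non-root.patch cannot tell why the root check in ntp_init() is dropped or what now provides the privilege; a header such as `ntpd: drop the getuid() check so procd can start ntpd as an unprivileged user that holds CAP_SYS_TIME and CAP_NET_BIND_SERVICE via its capability file` would cover it. With the check gone, an ntpd started without CAP_SYS_TIME no longer fails at startup with a clear message; presumably the settimeofday/adjtimex error paths report the failure when the first clock adjustment is attempted, but that should be confirmed since the early check was the only explicit diagnosis. ntp_init continues outside the hunk.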