-rw-r--r--package/utils/busybox/Makefile5
-rw-r--r--package/utils/busybox/files/ntpd.capabilities22
-rwxr-xr-xpackage/utils/busybox/files/sysntpd7
-rw-r--r--package/utils/busybox/patches/600-allow-ntpd-non-root.patch12
4 files changed, 45 insertions, 1 deletions
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index b2de0a852b..6d9a0088e5 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=busybox
PKG_VERSION:=1.31.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_FLAGS:=essential
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
@@ -50,6 +50,7 @@ define Package/busybox/Default
TITLE:=Core utilities for embedded Linux
URL:=http://busybox.net/
DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+ USERID:=ntpd=123:ntpd=123
endef
define Package/busybox
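Review bot: `USERID:=ntpd=123:ntpd=123` is placed in `Package/busybox/Default`, so the ntpd account appears to be created for every busybox variant and configuration, while the capability file in the next hunk (and the sysntpd changes) are installed only under `ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)`; if an unused account on non-NTPD builds is not intended, the USERID line could live under the same condition. The fixed uid/gid 123 also has to be unique among the tree's other USERID declarations, which this diff cannot show, so that is worth confirming before merge. A short comment beside the line, e.g. `# unprivileged account sysntpd uses for the ntpd ujail instance (see files/sysntpd)`, would tie the account to its consumer.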
@@ -144,6 +145,8 @@ endif
ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
+ $(INSTALL_DIR) $(1)/etc/capabilities/
+ $(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
endif
-rm -rf $(1)/lib64
endef
diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
new file mode 100644
index 0000000000..8a05dba4bc
--- /dev/null
+++ b/package/utils/busybox/files/ntpd.capabilities
@@ -0,0 +1,22 @@
+{
+ "bounding": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_TIME"
+ ],
+ "effective": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_TIME"
+ ],
+ "ambient": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_TIME"
+ ],
+ "permitted": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_TIME"
+ ],
+ "inheritable": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_TIME"
+ ]
+}
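Review bot: All five sets — bounding, effective, permitted, inheritable and ambient — carry the identical pair of capabilities, and since ambient capabilities are preserved across execve for non-setuid programs, any helper ntpd spawns (presumably the hotplug script sysntpd passes with -S, which is outside this diff) also runs with CAP_SYS_TIME and CAP_NET_BIND_SERVICE. If that helper does not need to set the clock, a smaller ambient/inheritable set would limit what a compromised helper can do; if it does need them, this is the intended minimum and is worth stating. JSON offers no comment syntax, so the rationale belongs in the commit message or next to the `procd_set_param capabilities` line in sysntpd, e.g. `# CAP_NET_BIND_SERVICE for UDP/123, CAP_SYS_TIME for settimeofday/adjtimex; ambient so they survive exec`.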
diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
index 52866ba32a..cbc760a48e 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -55,6 +55,13 @@ start_ntpd_instance() {
procd_append_param command -p $peer
done
procd_set_param respawn
+ [ -x /sbin/ujail ] && {
+ procd_add_jail ntpd
+ procd_set_param capabilities /etc/capabilities/ntpd.json
+ procd_set_param user ntpd
+ procd_set_param group ntpd
+ procd_set_param no_new_privs 1
+ }
procd_close_instance
}
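Review bot: The guard `[ -x /sbin/ujail ]` checks only for the jail binary, not for the capability file the Makefile installs, so a system where `/etc/capabilities/ntpd.json` is missing would still enter the jailed branch and have procd fail to load the capability set instead of taking the root fallback; `[ -x /sbin/ujail -a -e /etc/capabilities/ntpd.json ] && {` keeps the fallback intact. On images without ujail the whole block is skipped and ntpd keeps running as root, which is presumably deliberate because plain procd `user`/`group` cannot hand CAP_SYS_TIME to the unprivileged account — a comment such as `# without ujail no capability can be granted to user ntpd, so stay root` would make that explicit for the next reader. The jail is declared with `procd_add_jail ntpd` and no mount entries; if ujail isolates the filesystem, peer name resolution and the -S hotplug helper (configured above this hunk) need their files made visible, which is worth verifying on a device. start_ntpd_instance begins before the hunk.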
diff --git a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
new file mode 100644
index 0000000000..b5d4c2a07d
--- /dev/null
+++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
@@ -0,0 +1,12 @@
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
+
+ srand(getpid());
+
+- if (getuid())
+- bb_error_msg_and_die(bb_msg_you_must_be_root);
+-
+ /* Set some globals */
+ G.discipline_jitter = G_precision_sec;
+ G.stratum = MAXSTRAT;
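Review bot: The patch has no description header above `--- a/networking/ntpd.c`, which OpenWrt patches normally carry; a few lines stating that sysntpd now starts ntpd as user ntpd under ujail with CAP_SYS_TIME and CAP_NET_BIND_SERVICE, so a uid-based check rejects a legitimately privileged process, would let a future rebase judge whether the patch is still needed. The removal is unconditional, so it also changes behaviour for any manual `ntpd` invocation by an unprivileged user: it no longer fails at init, and presumably the failure surfaces only when the first clock adjustment (settimeofday/adjtimex) is attempted, which is outside this hunk and worth a sentence in the same header. ntp_init continues before and after the quoted lines.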