[packages/ntp.git] / ntp-4.2.6p1-droproot.patch

diff -up ntp-4.2.6p1/html/ntpdate.html.droproot ntp-4.2.6p1/html/ntpdate.html
--- ntp-4.2.6p1/html/ntpdate.html.droproot	2006-12-28 13:02:58.000000000 +0100
+++ ntp-4.2.6p1/html/ntpdate.html	2010-03-03 15:32:08.000000000 +0100
@@ -18,7 +18,7 @@
 		<hr>
 		<p>Disclaimer: The functionality of this program is now available in the <tt>ntpd</tt> program. See the <tt>-q</tt> command line option in the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page. After a suitable period of mourning, the <tt>ntpdate</tt> program is to be retired from this distribution</p>
 		<h4>Synopsis</h4>
-		<tt>ntpdate [ -bBdoqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] <i>server</i> [ ... ]</tt>
+		<tt>ntpdate [ -bBdoqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] [ -U <i>user_name</i> ] <i>server</i> [ ... ]</tt>
 		<h4>Description</h4>
 		<tt>ntpdate</tt> sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the <i>server</i> arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of <tt>ntpdate</tt> depends on the number of servers, the number of polls each time it is run and the interval between runs.
 		<p><tt>ntpdate</tt> can be run manually as necessary to set the host clock, or it can be run from the host startup script to set the clock at boot time. This is useful in some cases to set the clock initially before starting the NTP daemon <tt>ntpd</tt>. It is also possible to run <tt>ntpdate</tt> from a <tt>cron</tt> script. However, it is important to note that <tt>ntpdate</tt> with contrived <tt>cron</tt> scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since <tt>ntpdate</tt> does not discipline the host clock frequency as does <tt>ntpd</tt>, the accuracy using <tt>ntpdate</tt> is limited.</p>
@@ -58,6 +58,11 @@
 			<dd>Direct <tt>ntpdate</tt> to use an unprivileged port or outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the <tt>-d</tt> option always uses unprivileged ports.
 			<dt><tt>-<i>v</i></tt>
 			<dd>Be verbose. This option will cause <tt>ntpdate</tt>'s version identification string to be logged.
+
+			<dt><tt>-U <i>user_name</i></tt></dt>
+			<dd>ntpdate process drops root privileges and changes user ID to
+			<i>user_name</i> and group ID to the primary group of 
+			<i>server_user</i>.
 		</dl>
 		<h4>Diagnostics</h4>
 		<tt>ntpdate</tt>'s exit status is zero if it finds a server and updates the clock, and nonzero otherwise.
diff -up ntp-4.2.6p1/ntpdate/ntpdate.c.droproot ntp-4.2.6p1/ntpdate/ntpdate.c
--- ntp-4.2.6p1/ntpdate/ntpdate.c.droproot	2009-12-09 08:36:35.000000000 +0100
+++ ntp-4.2.6p1/ntpdate/ntpdate.c	2010-03-03 15:33:06.000000000 +0100
@@ -48,6 +48,12 @@
 
 #include <arpa/inet.h>
 
+/* Linux capabilities */
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#include <pwd.h>
+#include <grp.h>
+
 #ifdef SYS_VXWORKS
 # include "ioLib.h"
 # include "sockLib.h"
@@ -152,6 +158,11 @@ int simple_query = 0;
 int unpriv_port = 0;
 
 /*
+ * Use capabilities to drop privileges and switch uids
+ */
+char *server_user;
+
+/*
  * Program name.
  */
 char *progname;
@@ -293,6 +304,88 @@ void clear_globals()
 static ni_namelist *getnetinfoservers (void);
 #endif
 
+/* This patch is adapted (copied) from Chris Wings drop root patch
+ * for xntpd.
+ */
+void drop_root(uid_t server_uid, gid_t server_gid)
+{
+  cap_t caps;
+
+  if (prctl(PR_SET_KEEPCAPS, 1)) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
+		}
+		else {
+			fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n");
+		}
+    exit(1);
+  }
+
+  if ( setgroups(0, NULL) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setgroups failed.");
+		}
+		else {
+			fprintf(stderr, "setgroups failed.\n");
+		}
+    exit(1);
+  }
+
+  if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid,
+							server_gid);
+		}
+		else {
+			fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid,
+							server_gid);
+		}
+    exit(1);
+  }
+
+  caps = cap_from_text("cap_sys_time=epi");
+  if (caps == NULL) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "cap_from_text failed.");
+		}
+		else {
+			fprintf(stderr, "cap_from_text failed.\n");
+		}
+    exit(1);
+  }
+
+  if (cap_set_proc(caps) == -1) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "cap_set_proc failed.");
+		}
+		else {
+			fprintf(stderr, "cap_set_proc failed.\n");
+		}
+    exit(1);
+  }
+  
+  /* Try to free the memory from cap_from_text */
+  cap_free( caps );
+
+  if ( setregid(server_gid, server_gid) == -1 ||
+       setreuid(server_uid, server_uid) == -1 ) {
+		if (syslogit) {
+			msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.",
+							server_uid, server_gid);
+		}
+		else {
+			fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n",
+							server_uid, server_gid);
+		}
+    exit(1);
+  }
+
+	if (syslogit) {
+		msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).",
+						getuid(), getgid(), geteuid(), getegid());
+	}
+}
+
 /*
  * Main program.  Initialize us and loop waiting for I/O and/or
  * timer expiries.
@@ -340,6 +433,8 @@ ntpdatemain (
 
 	init_lib();	/* sets up ipv4_works, ipv6_works */
 
+	server_user = NULL;
+
 	/* Check to see if we have IPv6. Otherwise default to IPv4 */
 	if (!ipv6_works)
 		ai_fam_templ = AF_INET;
@@ -351,7 +446,7 @@ ntpdatemain (
 	/*
 	 * Decode argument list
 	 */
-	while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uv")) != EOF)
+ 	while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uvU:")) != EOF)
 		switch (c)
 		{
 		case '4':
@@ -429,6 +524,14 @@ ntpdatemain (
 		case 'u':
 			unpriv_port = 1;
 			break;
+ 		case 'U':
+ 			if (ntp_optarg) {
+ 				server_user = strdup(ntp_optarg);
+ 			}
+ 			else {
+ 				++errflg;
+ 			}
+ 			break;
 		case '?':
 			++errflg;
 			break;
@@ -438,7 +541,7 @@ ntpdatemain (
 	
 	if (errflg) {
 		(void) fprintf(stderr,
-		    "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...\n",
+		    "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] [-U username] server ...\n",
 		    progname);
 		exit(2);
 	}
@@ -544,6 +647,24 @@ ntpdatemain (
 	initializing = 0;
 	was_alarmed = 0;
 
+	if (server_user) {
+		struct passwd *pwd = NULL;
+
+		/* Lookup server_user uid/gid before chroot/chdir */
+		pwd = getpwnam( server_user );
+		if ( pwd == NULL ) {
+			if (syslogit) {
+				msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user);
+			}
+			else {
+				fprintf(stderr, "Failed to lookup user '%s'.\n", server_user);
+			}
+			exit(1);
+		}
+		drop_root(pwd->pw_uid, pwd->pw_gid);
+	}
+
+
 	while (complete_servers < sys_numservers) {
 #ifdef HAVE_POLL_H
 		struct pollfd* rdfdes;
Commit	Line	Data
a8809dbd ER	1	diff -up ntp-4.2.6p1/html/ntpdate.html.droproot ntp-4.2.6p1/html/ntpdate.html
	2	--- ntp-4.2.6p1/html/ntpdate.html.droproot 2006-12-28 13:02:58.000000000 +0100
	3	+++ ntp-4.2.6p1/html/ntpdate.html 2010-03-03 15:32:08.000000000 +0100
	4	@@ -18,7 +18,7 @@
	5	<hr>
	6	<p>Disclaimer: The functionality of this program is now available in the <tt>ntpd</tt> program. See the <tt>-q</tt> command line option in the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page. After a suitable period of mourning, the <tt>ntpdate</tt> program is to be retired from this distribution</p>
	7	<h4>Synopsis</h4>
	8	- <tt>ntpdate [ -bBdoqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] <i>server</i> [ ... ]</tt>
	9	+ <tt>ntpdate [ -bBdoqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] [ -U <i>user_name</i> ] <i>server</i> [ ... ]</tt>
	10	<h4>Description</h4>
	11	<tt>ntpdate</tt> sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the <i>server</i> arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of <tt>ntpdate</tt> depends on the number of servers, the number of polls each time it is run and the interval between runs.
	12	<p><tt>ntpdate</tt> can be run manually as necessary to set the host clock, or it can be run from the host startup script to set the clock at boot time. This is useful in some cases to set the clock initially before starting the NTP daemon <tt>ntpd</tt>. It is also possible to run <tt>ntpdate</tt> from a <tt>cron</tt> script. However, it is important to note that <tt>ntpdate</tt> with contrived <tt>cron</tt> scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since <tt>ntpdate</tt> does not discipline the host clock frequency as does <tt>ntpd</tt>, the accuracy using <tt>ntpdate</tt> is limited.</p>
	13	@@ -58,6 +58,11 @@
	14	<dd>Direct <tt>ntpdate</tt> to use an unprivileged port or outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the <tt>-d</tt> option always uses unprivileged ports.
	15	<dt><tt>-<i>v</i></tt>
	16	<dd>Be verbose. This option will cause <tt>ntpdate</tt>'s version identification string to be logged.
	17	+
	18	+ <dt><tt>-U <i>user_name</i></tt></dt>
	19	+ <dd>ntpdate process drops root privileges and changes user ID to
	20	+ <i>user_name</i> and group ID to the primary group of
	21	+ <i>server_user</i>.
	22	</dl>
	23	<h4>Diagnostics</h4>
	24	<tt>ntpdate</tt>'s exit status is zero if it finds a server and updates the clock, and nonzero otherwise.
	25	diff -up ntp-4.2.6p1/ntpdate/ntpdate.c.droproot ntp-4.2.6p1/ntpdate/ntpdate.c
	26	--- ntp-4.2.6p1/ntpdate/ntpdate.c.droproot 2009-12-09 08:36:35.000000000 +0100
	27	+++ ntp-4.2.6p1/ntpdate/ntpdate.c 2010-03-03 15:33:06.000000000 +0100
	28	@@ -48,6 +48,12 @@
6fca7355 ER	29
	30	#include <arpa/inet.h>
	31
	32	+/* Linux capabilities */
	33	+#include <sys/capability.h>
	34	+#include <sys/prctl.h>
	35	+#include <pwd.h>
	36	+#include <grp.h>
	37	+
	38	#ifdef SYS_VXWORKS
	39	# include "ioLib.h"
	40	# include "sockLib.h"
a8809dbd	41	@@ -152,6 +158,11 @@ int simple_query = 0;
6fca7355 ER	42	int unpriv_port = 0;
	43
	44	/*
	45	+ * Use capabilities to drop privileges and switch uids
	46	+ */
	47	+char *server_user;
	48	+
	49	+/*
	50	* Program name.
	51	*/
	52	char *progname;
a8809dbd ER	53	@@ -293,6 +304,88 @@ void clear_globals()
a8809dbd ER	54	static ni_namelist *getnetinfoservers (void);
6fca7355 ER	55	#endif
	56
	57	+/* This patch is adapted (copied) from Chris Wings drop root patch
	58	+ * for xntpd.
	59	+ */
	60	+void drop_root(uid_t server_uid, gid_t server_gid)
	61	+{
	62	+ cap_t caps;
	63	+
	64	+ if (prctl(PR_SET_KEEPCAPS, 1)) {
	65	+ if (syslogit) {
	66	+ msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
	67	+ }
	68	+ else {
	69	+ fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n");
	70	+ }
	71	+ exit(1);
	72	+ }
	73	+
	74	+ if ( setgroups(0, NULL) == -1 ) {
	75	+ if (syslogit) {
	76	+ msyslog(LOG_ERR, "setgroups failed.");
	77	+ }
	78	+ else {
	79	+ fprintf(stderr, "setgroups failed.\n");
	80	+ }
	81	+ exit(1);
	82	+ }
	83	+
	84	+ if ( setegid(server_gid) == -1 \|\| seteuid(server_uid) == -1 ) {
	85	+ if (syslogit) {
	86	+ msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid,
	87	+ server_gid);
	88	+ }
	89	+ else {
	90	+ fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid,
	91	+ server_gid);
	92	+ }
	93	+ exit(1);
	94	+ }
	95	+
	96	+ caps = cap_from_text("cap_sys_time=epi");
	97	+ if (caps == NULL) {
	98	+ if (syslogit) {
	99	+ msyslog(LOG_ERR, "cap_from_text failed.");
	100	+ }
	101	+ else {
	102	+ fprintf(stderr, "cap_from_text failed.\n");
	103	+ }
	104	+ exit(1);
	105	+ }
	106	+
	107	+ if (cap_set_proc(caps) == -1) {
	108	+ if (syslogit) {
	109	+ msyslog(LOG_ERR, "cap_set_proc failed.");
	110	+ }
	111	+ else {
	112	+ fprintf(stderr, "cap_set_proc failed.\n");
	113	+ }
	114	+ exit(1);
	115	+ }
	116	+
	117	+ /* Try to free the memory from cap_from_text */
	118	+ cap_free( caps );
119	+
120	+ if ( setregid(server_gid, server_gid) == -1 \|\|
121	+ setreuid(server_uid, server_uid) == -1 ) {
122	+ if (syslogit) {
123	+ msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.",
124	+ server_uid, server_gid);
125	+ }
126	+ else {
127	+ fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n",
128	+ server_uid, server_gid);
129	+ }
130	+ exit(1);
131	+ }
132	+
133	+ if (syslogit) {
134	+ msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).",
135	+ getuid(), getgid(), geteuid(), getegid());
136	+ }
137	+}
138	+
139	/*
140	* Main program. Initialize us and loop waiting for I/O and/or
141	* timer expiries.
a8809dbd ER	142	@@ -340,6 +433,8 @@ ntpdatemain (
	143
	144	init_lib(); /* sets up ipv4_works, ipv6_works */
6fca7355	145
6fca7355	146	+ server_user = NULL;
a8809dbd ER	147	+
	148	/* Check to see if we have IPv6. Otherwise default to IPv4 */
	149	if (!ipv6_works)
6fca7355	150	ai_fam_templ = AF_INET;
a8809dbd	151	@@ -351,7 +446,7 @@ ntpdatemain (
6fca7355 ER	152	/*
	153	* Decode argument list
	154	*/
	155	- while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uv")) != EOF)
	156	+ while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uvU:")) != EOF)
	157	switch (c)
	158	{
	159	case '4':
a8809dbd	160	@@ -429,6 +524,14 @@ ntpdatemain (
6fca7355 ER	161	case 'u':
	162	unpriv_port = 1;
	163	break;
	164	+ case 'U':
	165	+ if (ntp_optarg) {
	166	+ server_user = strdup(ntp_optarg);
	167	+ }
	168	+ else {
	169	+ ++errflg;
	170	+ }
	171	+ break;
	172	case '?':
	173	++errflg;
	174	break;
a8809dbd	175	@@ -438,7 +541,7 @@ ntpdatemain (
6fca7355 ER	176
	177	if (errflg) {
	178	(void) fprintf(stderr,
	179	- "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...\n",
	180	+ "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] [-U username] server ...\n",
	181	progname);
	182	exit(2);
	183	}
a8809dbd	184	@@ -544,6 +647,24 @@ ntpdatemain (
6fca7355 ER	185	initializing = 0;
	186	was_alarmed = 0;
	187
	188	+ if (server_user) {
	189	+ struct passwd *pwd = NULL;
	190	+
	191	+ /* Lookup server_user uid/gid before chroot/chdir */
	192	+ pwd = getpwnam( server_user );
	193	+ if ( pwd == NULL ) {
	194	+ if (syslogit) {
	195	+ msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user);
	196	+ }
	197	+ else {
	198	+ fprintf(stderr, "Failed to lookup user '%s'.\n", server_user);
	199	+ }
	200	+ exit(1);
	201	+ }
	202	+ drop_root(pwd->pw_uid, pwd->pw_gid);
	203	+ }
	204	+
	205	+
	206	while (complete_servers < sys_numservers) {
	207	#ifdef HAVE_POLL_H
	208	struct pollfd* rdfdes;