Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/dist/ntp Added code to run ntpd as a non root user and in a ...
details: https://anonhg.NetBSD.org/src/rev/65c01f410ee9
branches: trunk
changeset: 515067:65c01f410ee9
user: manu <manu%NetBSD.org@localhost>
date: Sun Sep 16 07:51:54 2001 +0000
description:
Added code to run ntpd as a non root user and in a chroot jail. This should
be used with the new clockctl device which enable clock setting by non root
users on behalf of the /dev/clockctl write rights.
This code have not been commited yet to the main ntp tree.
diffstat:
dist/ntp/include/ntpd.h | 7 +++-
dist/ntp/ntpd/ntp_config.c | 31 ++++++++++++++++-
dist/ntp/ntpd/ntpd.c | 78 ++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 110 insertions(+), 6 deletions(-)
diffs (201 lines):
diff -r 31cf41a5317c -r 65c01f410ee9 dist/ntp/include/ntpd.h
--- a/dist/ntp/include/ntpd.h Sun Sep 16 07:41:56 2001 +0000
+++ b/dist/ntp/include/ntpd.h Sun Sep 16 07:51:54 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ntpd.h,v 1.1.1.2 2000/04/22 14:52:45 simonb Exp $ */
+/* $NetBSD: ntpd.h,v 1.2 2001/09/16 07:51:54 manu Exp $ */
/*
* ntpd.h - Prototypes for ntpd.
@@ -384,6 +384,11 @@
extern volatile int debug; /* debugging flag */
extern int nofork; /* no-fork flag */
extern int initializing; /* initializing flag */
+#ifdef HAVE_CLOCKCTL
+extern char *user; /* user to switch to */
+extern char *group; /* group to switch to */
+extern char *chrootdir; /* directory to chroot to */
+#endif
/* refclock_conf.c */
#ifdef REFCLOCK
diff -r 31cf41a5317c -r 65c01f410ee9 dist/ntp/ntpd/ntp_config.c
--- a/dist/ntp/ntpd/ntp_config.c Sun Sep 16 07:41:56 2001 +0000
+++ b/dist/ntp/ntpd/ntp_config.c Sun Sep 16 07:51:54 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ntp_config.c,v 1.2 2000/04/22 15:49:32 simonb Exp $ */
+/* $NetBSD: ntp_config.c,v 1.3 2001/09/16 07:51:54 manu Exp $ */
/*
* ntp_config.c - read and apply configuration information
@@ -477,7 +477,11 @@
int config_priority;
#endif
+#ifndef HAVE_CLOCKCTL
static const char *ntp_options = "aAbc:dD:f:gk:l:Lmnp:P:r:s:t:v:V:x";
+#else
+static const char *ntp_options = "aAbc:dD:f:gi:k:l:Lmnp:P:r:s:t:u:v:V:x";
+#endif
#ifdef HAVE_NETINFO
/*
@@ -676,6 +680,9 @@
#if defined(HAVE_SCHED_SETSCHEDULER)
(void) fprintf(stderr, "\t\t[ -P fixed_process_priority ]\n");
#endif
+#ifdef HAVE_CLOCKCTL
+ (void) fprintf(stderr, "\t\t[ -u user[:group] ] [ -i chrootdir ]\n");
+#endif
exit(2);
}
ntp_optind = 0; /* reset ntp_optind to restart ntp_getopt */
@@ -830,7 +837,14 @@
case 'g':
correct_any = TRUE;
break;
-
+#ifdef HAVE_CLOCKCTL
+ case 'i':
+ if (!ntp_optarg)
+ errflg++;
+ else
+ chrootdir = ntp_optarg;
+ break;
+#endif
case 'k':
getauthkeys(ntp_optarg);
break;
@@ -892,7 +906,17 @@
}
} while (0);
break;
-
+#ifdef HAVE_CLOCKCTL
+ case 'u':
+ user = malloc(strlen(ntp_optarg) + 1);
+ if ((user == NULL) || (ntp_optarg == NULL))
+ errflg++;
+ (void) strncpy (user, ntp_optarg, strlen(ntp_optarg));
+ group = rindex (user, ':');
+ if (group)
+ *group++ = '\0'; /* get rid of the ':' */
+ break;
+#endif
case 'v':
case 'V':
set_sys_var(ntp_optarg, strlen(ntp_optarg)+1,
@@ -1979,6 +2003,7 @@
*/
do_resolve_internal();
}
+
}
diff -r 31cf41a5317c -r 65c01f410ee9 dist/ntp/ntpd/ntpd.c
--- a/dist/ntp/ntpd/ntpd.c Sun Sep 16 07:41:56 2001 +0000
+++ b/dist/ntp/ntpd/ntpd.c Sun Sep 16 07:51:54 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ntpd.c,v 1.1.1.2 2000/04/22 14:53:23 simonb Exp $ */
+/* $NetBSD: ntpd.c,v 1.2 2001/09/16 07:51:55 manu Exp $ */
/*
* ntpd.c - main program for the fixed point NTP daemon
@@ -94,6 +94,12 @@
# include <sys/ci/ciioctl.h>
#endif
+#ifdef HAVE_CLOCKCTL
+#include <ctype.h>
+#include <grp.h>
+#include <pwd.h>
+#endif
+
#ifdef PUBKEY
#include "ntp_crypto.h"
#endif /* PUBKEY */
@@ -140,6 +146,17 @@
*/
int nofork;
+#ifdef HAVE_CLOCKCTL
+char *user = NULL; /* User to switch to */
+char *group = NULL; /* group to switch to */
+char *chrootdir = NULL; /* directory to chroot to */
+int sw_uid;
+int sw_gid;
+char *endp;
+struct group *gr;
+struct passwd *pw;
+#endif /* HAVE_CLOCKCTL */
+
/*
* Initializing flag. All async routines watch this and only do their
* thing when it is clear.
@@ -779,7 +796,64 @@
}
# endif
#endif
-
+#ifdef HAVE_CLOCKCTL
+ /*
+ * Drop super-user privileges and chroot now on OSes that support
+ * non root users to set the clock. Currently only NetBSD.
+ */
+ if (user != NULL) {
+ if (isdigit((unsigned char)*user)) {
+ sw_uid = (uid_t)strtoul(user, &endp, 0);
+ if (*endp != '\0')
+ goto getuser;
+ } else {
+getuser:
+ if ((pw = getpwnam(user)) != NULL) {
+ sw_uid = pw->pw_uid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find user `%s'", user);
+ exit (-1);
+ }
+ }
+ }
+ if (group != NULL) {
+ if (isdigit((unsigned char)*group)) {
+ sw_gid = (gid_t)strtoul(group, &endp, 0);
+ if (*endp != '\0')
+ goto getgroup;
+ } else {
+getgroup:
+ if ((gr = getgrnam(group)) != NULL) {
+ sw_gid = pw->pw_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find group `%s'", group);
+ exit (-1);
+ }
+ }
+ }
+ if (chrootdir && chroot(chrootdir)) {
+ msyslog(LOG_ERR, "Cannot chroot to `%s': %m", chrootdir);
+ exit (-1);
+ }
+ if (group && setgid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
+ exit (-1);
+ }
+ if (group && setegid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
+ exit (-1);
+ }
+ if (user && setuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
+ exit (-1);
+ }
+ if (user && seteuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
+ exit (-1);
+ }
+#endif
/*
* Report that we're up to any trappers
*/
Home |
Main Index |
Thread Index |
Old Index