There are three ways to run chronyd:
- start as root, and continue running as root;
- start as root, then setuid() to a non-root user via either a command
line option or a configuration directive;
- start as root, and setuid() to a build-time specified non-root user.
Currently, the first situation is used by Buildroot, which does not
follow security best practices of dropping elevated privileges for
daemon at runtime when that is possible.
We switch to the third situation, where a compile-time default non-root
user is then used at runtime to drop privileges, with libcap used to
keep the capabilities required to call the appropriate syscalls to
adjust the system time (typically, CAP_SYS_TIME to call adjtimex() or
clock_settime() et al.).
This means that libcap is now a mandatory dependency.
To be noted: users who previously had configured their systems to run
chronyd as non root, would have done so with either the command-line
option (`-u`), or the configuration directive (`user`). Those take
precedence over the compile-time default, so this should not break their
systems (presumably, they also run as the `chrony` user). They would
also have taken care to run chronyc as the appropriate user to
manipulate chronyd at runtime via the UNIX socket.
For those who were running chronyd as root, this does not change either:
the functionality is unchanged, and they were running chronyc as root,
which should still be capable of manipulating chronyd via its UNIX
socket.
Take that opportunity to brine chrony's Config.in to current coding
style: enclose sub-option in an if-endif block.
Signed-off-by: James Kent <james.kent@orchestrated-technology.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Support for chrony is added by the services/chronyd module in the
SELinux refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.
Let's break the cycle by excluding NTP hostname resolution from
validation for now.
Details:
abf4e5c1d3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update chrony to version 4.0 and add/remove configuration of
features as necessary.
Remove support for readline. Add support for nettle and
gnutls (required for NTS support). Add pkg-config support (for
nss, nettle and gnutls).
Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
CVE-2020-14367: Insecure writing of pidfile
-------------------------------------------
When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.
This issue was reported by Matthias Gerstner of SUSE.
For further details, see the oss-security posting:
https://www.openwall.com/lists/oss-security/2020/08/21/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
All the packages in this list have the following properties
* units are provided by buildroot in the package directory
* the SYSTEMD_INSTALL_INIT_HOOK is exactly equivalent to what the
[Install] section of the unit does
The fix removes the soflinking in the .mk file
Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
chrony is licensed under GPL-2.0, which is not license compatible with
readline (GPL-3.0+), so remove the optional readline handling and replace
with libedit instead.
While we are at it, also explicitly disable the libedit backend when not
available.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add a BR2_PACKAGE_CHRONY_DEBUG_LOGGING config option to allow enabling
compiled-in support for debug logging in Chrony.
Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
[Arnout: don't enable by default]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Remove second patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0002-util-fall-back-to-reading-dev-urandom-when-getrandom.patch
was applied upstream in this version, so it can be deleted.
Signed-off-by: Ferdinand van Aartsen <ferdinand@ombud.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
chrony calls getrandom() at startup if available, so it needs a workaround
for the blocking behaviour on recent (4.14.39+), similar to what was done
for util-linux in commit c4d86707cd (util-linux: add two upstream patches
to fix blocking on getrandom() with recent kernels).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With CHRONY_ARGS in /etc/default/chrony, chrony may asked to use an
alternative configuration file (with the -f option), so drop the explicit
/etc/chrony.conf check.
In case the configuration file isn't present chrony will anyway loudly
complain which is preferable to this silent failure:
chronyd -f /non/existing/file.conf
Could not open configuration file /non/existing/file.conf : No such file or directory
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also add a hash for the license file while we're at it.
[Peter: use tuxfamily.org URL for annoucement]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes a crash issue with smoothtime directive.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Chrony has the ability to support PPS. Its enablement is determined
primarily from the existence of `sys/timepps.h`. This file is provided
from the pps-tools package. Adjusting Chrony's Makefile to depend on the
pps-tools package if a developer has included pps-tools as part of a
build. Relates to 2cfc966f43.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the systemd service, the binary is located at /usr/sbin not
/usr/bin.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
From the release notes:
Enhancements
------------
* Add support for NTP and command response rate limiting
* Add support for dropping root privileges on Mac OS X, FreeBSD, Solaris
* Add require and trust options for source selection
* Enable logchange by default (1 second threshold)
* Set RTC on Mac OS X with rtcsync directive
* Allow binding to NTP port after dropping root privileges on NetBSD
* Drop CAP_NET_BIND_SERVICE capability on Linux when NTP port is disabled
* Resolve names in separate process when seccomp filter is enabled
* Replace old records in client log when memory limit is reached
* Don't reveal local time and synchronisation state in client packets
* Don't keep client sockets open for longer than necessary
* Ignore poll in KoD RATE packets as ntpd doesn't always set it correctly
* Warn when using keys shorter than 80 bits
* Add keygen command to generate random keys easily
* Add serverstats command to report NTP and command packet statistics
Bug fixes
---------
* Fix clock correction after making step on Mac OS X
* Fix building on Solaris
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-1567: Impersonation between authenticated peers.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With the new version, documentation is not generated part of the main
build. This removes the need to alter the Makefile to remove the invoke
on the `chrony.txt` target. Cleanup also explicitly disabling seccomp
(since its experimental) and tomcrypt (Buildroot does not have
libtomcrypt at this time).
[Thomas: use tabs for indentation in the definition of
CHRONY_CONF_OPTS.]
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Otherwise the link would appear broken in output/target it's not that
big a deal but at least it's coherent with what we already have.
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
systemd has its own NTP daemon, which must be disabled before
starting chrony. Possible (but unlikely) conflict with openntpd
is not marked in either package.
Signed-off-by: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since the trailing slash is stripped from $($(PKG)_SITE) by pkg-generic.mk:
$(call DOWNLOAD,$($(PKG)_SITE:/=)/$($(PKG)_SOURCE))
so it is redundant.
This patch removes it from $(PKG)_SITE variable for BR consistency.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2014-0021: Amplification in chrony control protocol
In the chrony control protocol some replies are significantly larger than
their requests, which allows an attacker to use it in an amplification
attack. With hosts allowed by cmdallow (only localhost by default) the
maximum amplification factor is 9.2. Hosts that are not allowed receive a
small reply with error status, which allows amplification of up to 1.5.
To fix the problem, the protocol has been modified to require padding in the
request packet, so replies are never larger than their requests. Also,
chronyd no longer sends replies with error status to hosts that are not
allowed by cmdallow.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
