OpenSolaris

Bug ID 4837090
Synopsis xntpd should use privileges(5)
State 10-Fix Delivered (Fix available in build)
Category:Subcategory network:ntp
Keywords gse-sec-team | immutable-service-containers | least-priv
Responsible Engineer Brian Utterback
Reported Against s10 , s10_30
Duplicate Of
Introduced In solaris_10
Commit to Fix snv_116
Fixed In snv_116
Release Fixed solaris_nevada(snv_116)
Related Bugs 5042506
Submit Date 25-March-2003
Last Update Date 7-June-2009
Description
The xntpd daemon runs as root (== all privileges), which is much more than it needs to operate. It should be modified to run as the daemon user with only the privileges required (sys_time).
 xxxxx@xxxxx.com 2003-03-25
Work Around
If we can't/won't modify the ntp source, then we should change the startup script to limit the privileges of the xntpd daemon.

Off the top of my head, here is what needs to be done:

Add the following to /etc/security/prof_attr:
xntpd:::Privilege needed for the xntpd demon:help=none.html

Add the following to /etc/security/exec_attr:
xntpd:solaris:cmd:::/usr/lib/inet/xntpd:privs=basic,sys_time,proc_priocntl,sys_resource,net_privaddr;limitprivs=basic,sys_time,proc_priocntl,sys_resource,net_privaddr

And in /etc/init.d/xntpd prepend both occurrences of /usr/lib/inet/xntpd with pfexec

 xxxxx@xxxxx.com 2003-03-26
When run from the global zone, the SMF start method can be set to:

	<exec_method
		type='method'
		name='start'
		exec='/lib/svc/method/xntp'
		timeout_seconds='1800'>
		<method_context>
			<method_credential
				user='root'
				group='root'
				privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_priocntl,proc_lock_memory,sys_time'
				/>
		</method_context>
	</exec_method>

When run from a non-global zone, this start method requires that the proc_priocntl and sys_time privileges are configured for use by the non-global zone using the zonecfg limitpriv option.  Without these options, the service will fail into maintenance with a setppriv error.  The only way to get around this is to not specify privileges as part of the SMF manifest but rather strip off those privileges as part of the SMF method (start script) using ppriv.

Note that in the above example, xntpd is running with proc_exec which it does not need.  The only way to get around this would be to remove proc_exec from inside of the SMF method (start script) using ppriv as part of the invocation of xntpd.  Of course, making this code be privilege aware would be another way to fix both of these issues.
The fix to the service definition in SMF consists of replacing (in the start method):
<method_context/>

with

<method_context>
	<method_credential
		user='root'
		group='root'
		privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_priocntl,proc_lock_memory,sys_time'
	/>
</method_context>

and updating /lib/svc/method/xntp so that the last line reads
/usr/bin/ppriv -e -s L-proc_exec /usr/lib/inet/xntp
instead of
/usr/lib/inet/xntp

Note that the second change requires the first, as otherwise privilege inheritance would not be as expected.

This will permit xntp to run with "basic,!file_link_any,!proc_exec,!proc_info,!proc_session,net_privaddr,proc_priocntl,proc_lock_memory,sys_time" instead of all/zone privileges.
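Added example, not part of the bug report or the Solaris source: a small POSIX sh check that expands a privileges(5)-style spec such as the method_credential string above and compares it with the E: set that `ppriv -v <pid>` prints for the running daemon. It shows that the manifest-only spec still leaves proc_exec in place, as the earlier comment notes, and that the spec from the fixed method does not. BASIC_PRIVS (the members of "basic") and the sample ppriv output are assumptions constructed for this example; adjust BASIC_PRIVS to the release being checked.

```shell
# BASIC_PRIVS is an assumption: members of "basic" on the Solaris release
# discussed here. Adjust it to `ppriv -v` output on the system under test.
BASIC_PRIVS="file_link_any,proc_exec,proc_fork,proc_info,proc_session"

# expand_privs SPEC: turn 'basic,!proc_exec,sys_time' into an explicit, sorted,
# comma-separated list. "all" is refused: it needs the full privilege table.
expand_privs() {
    case ",$1," in *,all,*) return 2 ;; esac
    printf '%s\n' "$1" | awk -F, -v basic="$BASIC_PRIVS" '
    {
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "basic") {
                n = split(basic, b, ",")
                for (j = 1; j <= n; j++) set[b[j]] = 1
            } else if (substr(tok, 1, 1) == "!") {
                delete set[substr(tok, 2)]      # "!priv" drops a privilege
            } else if (tok != "") {
                set[tok] = 1
            }
        }
        for (p in set) print p
    }' | LC_ALL=C sort | paste -s -d , -
}

# check_effective_set SPEC (ppriv output on stdin): succeed only when the
# daemon's effective (E:) set equals the expanded SPEC.
check_effective_set() {
    want=$(expand_privs "$1") || return 2
    got=$(expand_privs "$(awk '$1 == "E:" { print $2; exit }')") || return 2
    [ "$got" = "$want" ]
}

# Constructed sample of `ppriv -v` output for an xntpd started by the fixed
# method (I:, P: and L: lines shortened); not captured from a real system.
SAMPLE_PPRIV_OUTPUT='1234:   /usr/lib/inet/xntpd
flags = <none>
        E: net_privaddr,proc_fork,proc_lock_memory,proc_priocntl,sys_time
        L: [shortened in this constructed sample]'

MANIFEST_SPEC='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_priocntl,proc_lock_memory,sys_time'
FIXED_SPEC='basic,!file_link_any,!proc_exec,!proc_info,!proc_session,net_privaddr,proc_priocntl,proc_lock_memory,sys_time'

# The manifest-only spec still yields proc_exec; the fixed spec does not.
expand_privs "$MANIFEST_SPEC"
expand_privs "$FIXED_SPEC"
printf '%s\n' "$SAMPLE_PPRIV_OUTPUT" | check_effective_set "$FIXED_SPEC" && echo "E: set matches fixed spec"
```

On a live system, replace the sample with `ppriv -v $(pgrep -x xntpd)` piped into check_effective_set.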
Comments
N/A