Debian Bug report logs - #282941
ntp-server: Please run ntpd as non-root


Package: ntp-server; Maintainer for ntp-server is (unknown);

Reported by: Martin Pitt <mpitt@debian.org>

Date: Thu, 25 Nov 2004 14:48:02 UTC

Severity: wishlist

Tags: patch

Found in version 4.2.0a-11

Fixed in version ntp/1:4.2.0a+stable-4

Done: Matthias Urlichs <smurf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <debian-ntp@gag.com>:
Bug#282941; Package ntp-server.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Debian NTP Team <debian-ntp@gag.com>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntp-server: Please run ntpd as non-root
Date: Thu, 25 Nov 2004 15:34:14 +0100
Package: ntp-server
Version: 4.2.0a-11
Severity: wishlist
Tags: patch

Hi!

Currently ntpd runs as root, which is unnecessary. Running as
unprivileged user "ntp" with an additional kernel capability
(CAP_SYS_TIME) is enough and greatly reduces the potential impact of
security holes.

The code already has provisions for doing this; it only needs some
tweaking for the case that ntpd is started on a kernel without
capability support (it should just continue to run as root in this
case).

I prepared an updated Ubuntu package which has these tweaks and also
ensures a clean upgrade path from earlier versions. It also fixes the
broken init script handling (in the case ntp-server's postinst script
runs earlier than ntp-simple/ntp-refclock's).

The debdiff (based on 4.2.0a-11) is available at

  http://patches.ubuntu.com/patches/ntp.no-root.diff

Thanks for considering and have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
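The end state argued for in this report (ntpd running as the "ntp" user with CAP_SYS_TIME as its only remaining capability) can be checked from /proc/<pid>/status after the daemon has started. The shell check below is an added example, not code from the bug report or from the ntp package; the capability bit numbers are those from linux/capability.h, and the uid 104 and the status excerpts are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that a running ntpd dropped to the "ntp" user and
# kept only CAP_SYS_TIME in its effective set (the goal of the no-root patch).
# Capability bit numbers, as defined in linux/capability.h
CAP_SETGID=6
CAP_SETUID=7
CAP_SYS_CHROOT=18
CAP_SYS_TIME=25

# cap_names HEXMASK: list which of the capabilities relevant to this
# report are set in a CapEff/CapPrm mask taken from /proc/<pid>/status.
cap_names() {
    mask=$(( 0x$1 ))
    out=""
    for pair in "$CAP_SETGID:cap_setgid" "$CAP_SETUID:cap_setuid" \
                "$CAP_SYS_CHROOT:cap_sys_chroot" "$CAP_SYS_TIME:cap_sys_time"; do
        bit=${pair%%:*}
        name=${pair#*:}
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# check_ntpd_status STATUS_TEXT NTP_UID: succeed only if the process runs
# as NTP_UID and its effective capability set is exactly CAP_SYS_TIME.
check_ntpd_status() {
    uid=$(printf '%s\n' "$1" | awk '/^Uid:/ { print $2 }')
    eff=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    if [ "$uid" != "$2" ]; then
        echo "FAIL: ntpd runs as uid $uid, expected $2"
        return 1
    fi
    if [ $(( 0x$eff )) -ne $(( 1 << CAP_SYS_TIME )) ]; then
        echo "FAIL: CapEff $eff still holds: $(cap_names "$eff")"
        return 1
    fi
    echo "OK: uid $uid, CapEff $eff (cap_sys_time only)"
}

# Constructed /proc/<pid>/status excerpts (not captured from a real host): a
# correctly dropped daemon, and one still holding its start-up capabilities.
GOOD_STATUS='Name:	ntpd
Uid:	104	104	104	104
CapEff:	0000000002000000'
BAD_STATUS='Name:	ntpd
Uid:	104	104	104	104
CapEff:	00000000020400c0'

# Live check against a real daemon when a PID is passed, e.g. $(pidof ntpd).
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
    check_ntpd_status "$(cat "/proc/$1/status")" "$(id -u ntp)"
fi
```

Run it as `sh check-ntpd.sh $(pidof ntpd)` on the host; a non-zero exit with the listed capabilities shows that a start-up capability such as cap_sys_chroot was never dropped.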

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <debian-ntp@gag.com>:
Bug#282941; Package ntp-server.


Acknowledgement sent to dean gaudet <dean-debian@arctic.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <debian-ntp@gag.com>.


Message #10 received at 282941@bugs.debian.org:

From: dean gaudet <dean-debian@arctic.org>
To: 282941@bugs.debian.org
Subject: Re: ntp-server: Please run ntpd as non-root
Date: Thu, 10 Feb 2005 00:49:22 -0800 (PST)
On Thu, 25 Nov 2004, Martin Pitt wrote:

>   http://patches.ubuntu.com/patches/ntp.no-root.diff

hey cool -- i was about to submit a bug-report suggesting that debian 
enable this support.

i found one problem with your patch -- it drops cap_sys_chroot before the 
chroot call.  the following one-liner change applied on top of your patch 
handles that case.

-dean

--- ntp-4.2.0a+stable/ntpd/ntpd.c	2005-02-10 00:26:58.000000000 -0800
+++ ntp-4.2.0a+stable.dg1/ntpd/ntpd.c	2005-02-10 00:22:48.000000000 -0800
@@ -848,7 +848,7 @@
                  *  drop privileges in this case.
                  */
                 cap_t caps;
-                if( ! ( caps = cap_from_text( "cap_sys_time,cap_setuid,cap_setgid=pe" ) ) ) {
+                if( ! ( caps = cap_from_text( "cap_sys_time,cap_setuid,cap_setgid,cap_sys_chroot=pe" ) ) ) {
                         msyslog( LOG_ERR, "cap_from_text() failed: %m" );
                         exit(-1);
                 }
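Review bot: adding cap_sys_chroot to the "=pe" string keeps it in the daemon's permitted and effective sets for as long as nothing clears it, and no later drop is visible in the context shown; since the capability is only needed for the chroot() call that follows, the place where cap_setuid and cap_setgid are discarded after the uid switch should clear cap_sys_chroot as well (for example by applying `cap_sys_time=pe` once chroot and setuid have succeeded), so that the daemon ends up with CAP_SYS_TIME alone. Two smaller points on the unchanged lines: the cap_t returned by cap_from_text() should be released with cap_free() after it has been applied, and `exit(-1)` yields exit status 255; `exit(1)` is the conventional failure code.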



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <debian-ntp@gag.com>:
Bug#282941; Package ntp-server.


Acknowledgement sent to dean gaudet <dean-debian@arctic.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <debian-ntp@gag.com>.


Message #15 received at 282941@bugs.debian.org:

From: dean gaudet <dean-debian@arctic.org>
To: 282941@bugs.debian.org
Cc: Martin Pitt <mpitt@debian.org>
Subject: Re: ntp-server: Please run ntpd as non-root
Date: Thu, 10 Feb 2005 01:17:26 -0800 (PST)
one further change to consider -- run /etc/cron.daily/ntp-server as user 
ntp instead of root.  maybe stick a line like this in it:

        [ "`/usr/bin/id -un`" = ntp ] || exec /bin/su -s /bin/sh ntp "$0"

(or use /etc/cron.d/ntp-server which can specify a username)

-dean



Reply sent to Matthias Urlichs <smurf@debian.org>:
You have taken responsibility.


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.


Message #20 received at 282941-close@bugs.debian.org:

From: Matthias Urlichs <smurf@debian.org>
To: 282941-close@bugs.debian.org
Subject: Bug#282941: fixed in ntp 1:4.2.0a+stable-4
Date: Mon, 14 Mar 2005 03:02:22 -0500
Source: ntp
Source-Version: 1:4.2.0a+stable-4

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive:

ntp-doc_4.2.0a+stable-4_all.deb
  to pool/main/n/ntp/ntp-doc_4.2.0a+stable-4_all.deb
ntp-refclock_4.2.0a+stable-4_i386.deb
  to pool/main/n/ntp/ntp-refclock_4.2.0a+stable-4_i386.deb
ntp-server_4.2.0a+stable-4_i386.deb
  to pool/main/n/ntp/ntp-server_4.2.0a+stable-4_i386.deb
ntp-simple_4.2.0a+stable-4_i386.deb
  to pool/main/n/ntp/ntp-simple_4.2.0a+stable-4_i386.deb
ntp_4.2.0a+stable-4.diff.gz
  to pool/main/n/ntp/ntp_4.2.0a+stable-4.diff.gz
ntp_4.2.0a+stable-4.dsc
  to pool/main/n/ntp/ntp_4.2.0a+stable-4.dsc
ntp_4.2.0a+stable-4_i386.deb
  to pool/main/n/ntp/ntp_4.2.0a+stable-4_i386.deb
ntpdate_4.2.0a+stable-4_i386.deb
  to pool/main/n/ntp/ntpdate_4.2.0a+stable-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 282941@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Urlichs <smurf@debian.org> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Changed-By: Matthias Urlichs <smurf@debian.org>
Date: Sat, 12 Mar 2005 06:16:39 +0100
Version: 1:4.2.0a+stable-4
Distribution: unstable
Source: ntp
Urgency: low
Maintainer: Debian NTP Team <debian-ntp@gag.com>
Binary: ntp ntp-doc ntp-refclock ntp-server ntp-simple ntpdate
Architecture: i386 all source
Closes: 276216 282941 283386 286463 293793 294636 294971 295553 295574 296595 298059 298190 298226 298697
Changes:
 ntp (1:4.2.0a+stable-4) unstable; urgency=low
 .
   * Merged Upstream fix for ntpdate IPv4/IPv6 problems.
     - Closes: #293793, #294636
   * Install if-up.d/ntp-server in the correct directory.
     - Closes: #294971
   * Merged ubuntu's no-root patch.
     - Closes: #298059, #296595, #282941
   * Don't change the date when debugging ntpdate.
     - Closes: #286463
   * Tell the user that "/etc/initd/ntp-server reload" is not possible.
     - Sort-of-Closes: #276216
   * Fix FTBFS with GCC 4.0. Closes: #298697
   * Cleanup init.d script. Closes: #295574
   * Fix doc typos. Closes: #298226
   * Remove /var/run/ntpd.pid when stopping the server.
     - Closes: #295553
   * Document ntpdate's exit status. Closes: #298190.
   * Enhance ntpdate's logcheck rule. Closes: #283386
   * Built against libreadline5.
Description:
 ntp        - Network Time Protocol: network utilities
 ntp-doc    - Network Time Protocol: documentation
 ntp-server - Network Time Protocol: common server tools
 ntp-simple - Network Time Protocol: daemon for simple systems
 ntpdate    - The ntpdate client for setting system time from NTP servers
 ntp-refclock - Network Time Protocol: daemon for reference clocks
Files:





Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:44:31 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:40:53 GMT)

