From 531d870924443868120532237598606c03c9400e Mon Sep 17 00:00:00 2001 From: deraadt <> Date: Tue, 24 Nov 2015 01:03:25 +0000 Subject: [PATCH] Cache values from getpwnam() done at initialization, which need to be used by the constraint processes setup later (chroot, setuid...) [late getpwnam discovered during a further audit] ok millert --- src/usr.sbin/ntpd/constraint.c | 25 +++++++++++-------------- src/usr.sbin/ntpd/ntpd.c | 21 +++++++++++++++------ src/usr.sbin/ntpd/ntpd.h | 5 +++-- 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c index c2a01e8b..1c9d2890 100644 --- a/src/usr.sbin/ntpd/constraint.c +++ b/src/usr.sbin/ntpd/constraint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.21 2015/11/19 21:32:53 mmcc Exp $ */ +/* $OpenBSD: constraint.c,v 1.22 2015/11/24 01:03:25 deraadt Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -58,7 +58,7 @@ int constraint_cmp(const void *, const void *); void priv_constraint_close(int, int); void priv_constraint_child(struct constraint *, struct ntp_addr_msg *, - u_int8_t *, int[2]); + u_int8_t *, int[2], const char *, uid_t, gid_t); struct httpsdate * httpsdate_init(const char *, const char *, const char *, @@ -207,7 +207,8 @@ constraint_query(struct constraint *cstr) } void -priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len) +priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len, + const char *pw_dir, uid_t pw_uid, gid_t pw_gid) { struct ntp_addr_msg am; struct ntp_addr *h; @@ -257,7 +258,8 @@ priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len) close(pipes[1]); return; case 0: - priv_constraint_child(cstr, &am, data + sizeof(am), pipes); + priv_constraint_child(cstr, &am, data + sizeof(am), pipes, + pw_dir, pw_uid, pw_gid); _exit(0); /* NOTREACHED */ 
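Review bot: The cached passwd values are threaded as three loose arguments through priv_constraint_msg() and priv_constraint_child() (hunks `@@ -58,7 +58,7 @@`, `@@ -207,7 +207,8 @@` and `@@ -257,7 +258,8 @@` here, and again through dispatch_imsg() in ntpd.c and the ntpd.h prototype), and none of the new signatures carries a comment saying what they are. Because `uid_t` and `gid_t` are typically the same underlying integer type, swapping `pw_uid` and `pw_gid` at any of these call sites would compile without a diagnostic and drop to the wrong identity. At minimum I would add a comment above priv_constraint_msg() such as `/* pw_dir, pw_uid, pw_gid: NTPD_USER's passwd entry cached by main(); pw_dir is borrowed and must be non-NULL */`. A small struct with named fields passed by pointer would remove the ordering hazard, if the wider interface change is acceptable. The bodies of both functions extend outside these hunks.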
@@ -273,12 +275,11 @@ priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len) void priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am, - u_int8_t *data, int pipes[2]) + u_int8_t *data, int pipes[2], const char *pw_dir, uid_t pw_uid, gid_t pw_gid) { static char hname[NI_MAXHOST]; struct timeval rectv, xmttv; struct sigaction sa; - struct passwd *pw; void *ctx; struct iovec iov[2]; int i; @@ -293,18 +294,14 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am, &conf->ca_len, NULL)) == NULL) log_warnx("constraint certificate verification turned off"); - /* Drop privileges */ - if ((pw = getpwnam(NTPD_USER)) == NULL) - fatalx("unknown user %s", NTPD_USER); - - if (chroot(pw->pw_dir) == -1) + if (chroot(pw_dir) == -1) fatal("chroot"); if (chdir("/") == -1) fatal("chdir(\"/\")"); - if (setgroups(1, &pw->pw_gid) || - setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || - setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) + if (setgroups(1, &pw_gid) || + setresgid(pw_gid, pw_gid, pw_gid) || + setresuid(pw_uid, pw_uid, pw_uid)) fatal("can't drop privileges"); /* Reset all signal handlers */ diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c index 5c4d4103..81fded1e 100644 --- a/src/usr.sbin/ntpd/ntpd.c +++ b/src/usr.sbin/ntpd/ntpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ntpd.c,v 1.98 2015/10/23 16:39:13 deraadt Exp $ */ +/* $OpenBSD: ntpd.c,v 1.99 2015/11/24 01:03:25 deraadt Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -41,7 +41,7 @@ void sighdlr(int); __dead void usage(void); int main(int, char *[]); int check_child(pid_t, const char *); -int dispatch_imsg(struct ntpd_conf *); +int dispatch_imsg(struct ntpd_conf *, const char *, uid_t, gid_t); int dispatch_imsg_ctl(struct ntpd_conf *); void reset_adjtime(void); int ntpd_adjtime(double); 
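Review bot: The `@@ -293,18 +294,14 @@` hunk removes the `/* Drop privileges */` comment together with the getpwnam() lookup, so the chroot/chdir/setgroups/setresgid/setresuid sequence in priv_constraint_child() is now unlabelled and nothing says where `pw_dir`, `pw_uid` and `pw_gid` come from. I would keep a comment at that spot, for example `/* Drop privileges using the passwd values the parent cached at startup */`, and note in the function's header comment that `pw_dir` goes straight to chroot() and so must be a valid, non-NULL path. The new signature line in the `@@ -273,12 +275,11 @@` hunk (`u_int8_t *data, int pipes[2], const char *pw_dir, uid_t pw_uid, gid_t pw_gid)`) also appears to exceed 80 columns once indented; breaking it after `pipes[2],` would match how the priv_constraint_msg() signature was wrapped. The function body continues outside both hunks.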
@@ -113,10 +113,13 @@ main(int argc, char *argv[]) const char *conffile; int fd_ctl, ch, nfds, i, j; int pipe_chld[2]; - struct passwd *pw; extern char *__progname; u_int pfd_elms = 0, new_cnt; struct constraint *cstr; + struct passwd *pw; + const char *pw_dir; + uid_t pw_uid; + gid_t pw_gid; void *newp; if (strcmp(__progname, "ntpctl") == 0) { @@ -176,6 +179,10 @@ main(int argc, char *argv[]) if ((pw = getpwnam(NTPD_USER)) == NULL) errx(1, "unknown user %s", NTPD_USER); + pw_dir = strdup(pw->pw_dir); + pw_uid = pw->pw_uid; + pw_gid = pw->pw_gid; + if (setpriority(PRIO_PROCESS, 0, -20) == -1) warn("can't set priority"); @@ -275,7 +282,7 @@ main(int argc, char *argv[]) if (nfds > 0 && pfd[PFD_PIPE].revents & POLLIN) { nfds--; - if (dispatch_imsg(&lconf) == -1) + if (dispatch_imsg(&lconf, pw_dir, pw_uid, pw_gid) == -1) quit = 1; } @@ -343,7 +350,8 @@ check_child(pid_t chld_pid, const char *pname) } int -dispatch_imsg(struct ntpd_conf *lconf) +dispatch_imsg(struct ntpd_conf *lconf, const char *pw_dir, + uid_t pw_uid, gid_t pw_gid) { struct imsg imsg; int n; @@ -396,7 +404,8 @@ dispatch_imsg(struct ntpd_conf *lconf) break; case IMSG_CONSTRAINT_QUERY: priv_constraint_msg(imsg.hdr.peerid, - imsg.data, imsg.hdr.len - IMSG_HEADER_SIZE); + imsg.data, imsg.hdr.len - IMSG_HEADER_SIZE, + pw_dir, pw_uid, pw_gid); break; default: break; diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h index 7ecdc97a..052907a4 100644 --- a/src/usr.sbin/ntpd/ntpd.h +++ b/src/usr.sbin/ntpd/ntpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ntpd.h,v 1.124 2015/10/30 17:59:56 naddy Exp $ */ +/* $OpenBSD: ntpd.h,v 1.125 2015/11/24 01:03:25 deraadt Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer 
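Review bot: The result of `strdup(pw->pw_dir)` in the `@@ -176,6 +179,10 @@` hunk of main() is stored without a NULL check, so an allocation failure at startup goes unnoticed until a constraint child later passes the null pointer to `chroot(pw_dir)`. That call would be expected to fail and end in `fatal("chroot")`, so the path still fails closed, but the error then names chroot rather than the allocation and presumably recurs for each IMSG_CONSTRAINT_QUERY. Checking at the copy keeps the failure next to its cause and matches the `errx`/`warn` calls already used here: `if ((pw_dir = strdup(pw->pw_dir)) == NULL) err(1, "strdup");`. A one-line comment above the three assignments saying that getpwnam()'s static result is copied for use by the constraint children forked later would also help. main() starts and ends outside this hunk.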
@@ -355,7 +355,8 @@ int constraint_check(double); void constraint_msg_dns(u_int32_t, u_int8_t *, size_t); void constraint_msg_result(u_int32_t, u_int8_t *, size_t); void constraint_msg_close(u_int32_t, u_int8_t *, size_t); -void priv_constraint_msg(u_int32_t, u_int8_t *, size_t); +void priv_constraint_msg(u_int32_t, u_int8_t *, size_t, + const char *, uid_t, gid_t); int priv_constraint_dispatch(struct pollfd *); void priv_constraint_check_child(pid_t, int); char *get_string(u_int8_t *, size_t);