Cache values from getpwnam() done at initialization, which need to be

used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert

src/usr.sbin/ntpd/constraint.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraint.c,v 1.21 2015/11/19 21:32:53 mmcc Exp $	*/
+/*	$OpenBSD: constraint.c,v 1.22 2015/11/24 01:03:25 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -58,7 +58,7 @@ int	 constraint_cmp(const void *, const void *);
 
 void	 priv_constraint_close(int, int);
 void	 priv_constraint_child(struct constraint *, struct ntp_addr_msg *,
-	    u_int8_t *, int[2]);
+	    u_int8_t *, int[2], const char *, uid_t, gid_t);
 
 struct httpsdate *
 	 httpsdate_init(const char *, const char *, const char *,
@@ -207,7 +207,8 @@ constraint_query(struct constraint *cstr)
 }
 
 void
-priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len)
+priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len,
+    const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 {
 	struct ntp_addr_msg	 am;
 	struct ntp_addr		*h;
@@ -257,7 +258,8 @@ priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len)
 		close(pipes[1]);
 		return;
 	case 0:
-		priv_constraint_child(cstr, &am, data + sizeof(am), pipes);
+		priv_constraint_child(cstr, &am, data + sizeof(am), pipes,
+		    pw_dir, pw_uid, pw_gid);
 
 		_exit(0);
 		/* NOTREACHED */
@@ -273,12 +275,11 @@ priv_constraint_msg(u_int32_t id, u_int8_t *data, size_t len)
 
 void
 priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
-    u_int8_t *data, int pipes[2])
+    u_int8_t *data, int pipes[2], const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 {
 	static char		 hname[NI_MAXHOST];
 	struct timeval		 rectv, xmttv;
 	struct sigaction	 sa;
-	struct passwd		*pw;
 	void			*ctx;
 	struct iovec		 iov[2];
 	int			 i;
@@ -293,18 +294,14 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
 	    &conf->ca_len, NULL)) == NULL)
 		log_warnx("constraint certificate verification turned off");
 
-	/* Drop privileges */
-	if ((pw = getpwnam(NTPD_USER)) == NULL)
-		fatalx("unknown user %s", NTPD_USER);
-
-	if (chroot(pw->pw_dir) == -1)
+	if (chroot(pw_dir) == -1)
 		fatal("chroot");
 	if (chdir("/") == -1)
 		fatal("chdir(\"/\")");
 
-	if (setgroups(1, &pw->pw_gid) ||
-	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+	if (setgroups(1, &pw_gid) ||
+	    setresgid(pw_gid, pw_gid, pw_gid) ||
+	    setresuid(pw_uid, pw_uid, pw_uid))
 		fatal("can't drop privileges");
 
 	/* Reset all signal handlers */

src/usr.sbin/ntpd/ntpd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ntpd.c,v 1.98 2015/10/23 16:39:13 deraadt Exp $ */
+/*	$OpenBSD: ntpd.c,v 1.99 2015/11/24 01:03:25 deraadt Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -41,7 +41,7 @@ void		sighdlr(int);
 __dead void	usage(void);
 int		main(int, char *[]);
 int		check_child(pid_t, const char *);
-int		dispatch_imsg(struct ntpd_conf *);
+int		dispatch_imsg(struct ntpd_conf *, const char *, uid_t, gid_t);
 int		dispatch_imsg_ctl(struct ntpd_conf *);
 void		reset_adjtime(void);
 int		ntpd_adjtime(double);
@@ -113,10 +113,13 @@ main(int argc, char *argv[])
 	const char		*conffile;
 	int			 fd_ctl, ch, nfds, i, j;
 	int			 pipe_chld[2];
-	struct passwd		*pw;
 	extern char		*__progname;
 	u_int			 pfd_elms = 0, new_cnt;
 	struct constraint	*cstr;
+	struct passwd		*pw;
+	const char		*pw_dir;
+	uid_t			pw_uid;
+	gid_t			pw_gid;
 	void			*newp;
 
 	if (strcmp(__progname, "ntpctl") == 0) {
@@ -176,6 +179,10 @@ main(int argc, char *argv[])
 	if ((pw = getpwnam(NTPD_USER)) == NULL)
 		errx(1, "unknown user %s", NTPD_USER);
 
+	pw_dir = strdup(pw->pw_dir);
+	pw_uid = pw->pw_uid;
+	pw_gid = pw->pw_gid;
+
 	if (setpriority(PRIO_PROCESS, 0, -20) == -1)
 		warn("can't set priority");
 
@@ -275,7 +282,7 @@ main(int argc, char *argv[])
 
 		if (nfds > 0 && pfd[PFD_PIPE].revents & POLLIN) {
 			nfds--;
-			if (dispatch_imsg(&lconf) == -1)
+			if (dispatch_imsg(&lconf, pw_dir, pw_uid, pw_gid) == -1)
 				quit = 1;
 		}
 
@@ -343,7 +350,8 @@ check_child(pid_t chld_pid, const char *pname)
 }
 
 int
-dispatch_imsg(struct ntpd_conf *lconf)
+dispatch_imsg(struct ntpd_conf *lconf, const char *pw_dir,
+    uid_t pw_uid, gid_t pw_gid)
 {
 	struct imsg		 imsg;
 	int			 n;
@@ -396,7 +404,8 @@ dispatch_imsg(struct ntpd_conf *lconf)
 			break;
 		case IMSG_CONSTRAINT_QUERY:
 			priv_constraint_msg(imsg.hdr.peerid,
-			    imsg.data, imsg.hdr.len - IMSG_HEADER_SIZE);
+			    imsg.data, imsg.hdr.len - IMSG_HEADER_SIZE,
+			    pw_dir, pw_uid, pw_gid);
 			break;
 		default:
 			break;

src/usr.sbin/ntpd/ntpd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ntpd.h,v 1.124 2015/10/30 17:59:56 naddy Exp $ */
+/*	$OpenBSD: ntpd.h,v 1.125 2015/11/24 01:03:25 deraadt Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -355,7 +355,8 @@ int	 constraint_check(double);
 void	 constraint_msg_dns(u_int32_t, u_int8_t *, size_t);
 void	 constraint_msg_result(u_int32_t, u_int8_t *, size_t);
 void	 constraint_msg_close(u_int32_t, u_int8_t *, size_t);
-void	 priv_constraint_msg(u_int32_t, u_int8_t *, size_t);
+void	 priv_constraint_msg(u_int32_t, u_int8_t *, size_t,
+	    const char *, uid_t, gid_t);
 int	 priv_constraint_dispatch(struct pollfd *);
 void	 priv_constraint_check_child(pid_t, int);
 char	*get_string(u_int8_t *, size_t);