From 4e94afcafe42cdd8d5883459b50e03e5f904cdd5 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 1 Jan 2015 07:22:21 -0600
Subject: [PATCH] support --privsep-user, overriding file paths
Allow overriding the user and the config file paths for ntpd. This also adds back --privsep-path from OpenNTPD, which really only changes the installation instructions from 'make install', since ntpd always uses the home directory of the ntpd user. This borrows from the Darren's portable OpenNTPD and from OpenSSL, add credits and a license.
---
 Makefile.am | 61 ++++++++++++++++++-
 configure.ac | 37 +++++++++++
 ...ding-default-user-and-file-locations.patch | 42 +++++++++++++
 3 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 patches/0015-allow-overriding-default-user-and-file-locations.patch
diff --git a/Makefile.am b/Makefile.am
index 6323184..1d04976 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,3 +1,20 @@
+#
+# Copyright (c) 2014 Brent Cook
+# Parts based on Makefile.in from Portable OpenNTPD:
+# Copyright (c) 2004-2008 Darren Tucker.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
 AM_CPPFLAGS = -I$(top_srcdir)/include
 SUBDIRS = include
@@ -10,6 +27,9 @@ noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
 dist_man_MANS = ntpctl.8 ntpd.8 ntpd.conf.5
 ntpd_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+ntpd_CFLAGS += -DSYSCONFDIR=\"$(sysconfdir)\"
+ntpd_CFLAGS += -DLOCALSTATEDIR=\"$(localstatedir)\"
+
 ntpd_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) libcompat.la libcompatnoopt.la
 ntpd_SOURCES = client.c
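Review bot: In Makefile.am the two path macros are appended to `ntpd_CFLAGS`, although `-D` definitions are preprocessor flags and Automake keeps those in the `*_CPPFLAGS` variables. Because a per-target `ntpd_CPPFLAGS` replaces `AM_CPPFLAGS` for that target, the equivalent form would be `ntpd_CPPFLAGS = $(AM_CPPFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" -DLOCALSTATEDIR=\"$(localstatedir)\"`. A one-line comment such as `# install paths compiled into ntpd; ntpd.h falls back to /etc and /var when these are absent` would tell the reader where the defaults live.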
@@ -32,9 +52,46 @@ ntpd_SOURCES += server.c
 ntpd_SOURCES += util.c
 install-exec-hook:
- ln -f $(DESTDIR)$(sbindir)/ntpd $(DESTDIR)$(sbindir)/ntpctl
+ @ln -f "$(DESTDIR)$(sbindir)/ntpd" "$(DESTDIR)$(sbindir)/ntpctl"
+ @if [ ! -d "$(DESTDIR)$(sysconfdir)" ]; then \
+ $(INSTALL) -m 755 -d "$(DESTDIR)$(sysconfdir)"; \
+ fi
+ @if [ ! -f "$(DESTDIR)$(sysconfdir)/ntpd.conf" ]; then \
+ $(INSTALL) -m 644 "$(srcdir)/ntpd.conf" "$(DESTDIR)$(sysconfdir)/ntpd.conf"; \
+ else \
+ echo "$(DESTDIR)$(sysconfdir)/ntpd.conf already exists, install will not overwrite"; \
+ fi
+ @if [ ! -d "$(PRIVSEP_PATH)" ]; then \
+ echo; \
+ echo " Please created a privilege separation directory for ntpd." ; \
+ echo " # mkdir -p \"$(PRIVSEP_PATH)\"" ; \
+ echo " # chown 0 \"$(PRIVSEP_PATH)\"" ; \
+ echo " # chgrp 0 \"$(PRIVSEP_PATH)\"" ; \
+ echo " # chmod 0755 "$(PRIVSEP_PATH)\""" ; \
+ fi
+ @if egrep "^$(PRIVSEP_USER):" /etc/group >/dev/null; then \
+ : ; \
+ else \
+ echo; \
+ echo " Please create a dedicated group for ntpd." ; \
+ echo " This is system-dependant, possibly:" ; \
+ echo " # groupadd $(PRIVSEP_USER)" ; \
+ fi
+ @if egrep "^$(PRIVSEP_USER):" /etc/passwd >/dev/null; then \
+ : ; \
+ else \
+ echo; \
+ echo " Please create a dedicated user for ntpd and ensure it can" ; \
+ echo " not be used to log in. This is system-dependant, possibly:" ; \
+ echo " # useradd -g $(PRIVSEP_USER) -s /sbin/nologin -d $(PRIVSEP_PATH) -c 'OpenNTP daemon' $(PRIVSEP_USER)" ; \
+ fi
+ echo
+
 uninstall-local:
- -rm -f $(DESTDIR)$(sbindir)/ntpctl
+ @if cmp -s "$(DESTDIR)$(sysconfdir)/ntpd.conf" "$(srcdir)/ntpd.conf"; then \
+ rm -f "$(DESTDIR)$(sysconfdir)/ntpd.conf"; \
+ fi
+ @rm -f "$(DESTDIR)$(sbindir)/ntpctl"
 # compatibility functions that need to be built without optimizations
 libcompatnoopt_la_CFLAGS = -O0
diff --git a/configure.ac b/configure.ac
index 71229ec..14b786b 100644
--- a/configure.ac
+++ b/configure.ac
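Review bot: In Makefile.am's install-exec-hook the `chmod` hint has its quotes misplaced: `echo " # chmod 0755 "$(PRIVSEP_PATH)\""" ; \` closes the string before the path, so the shell expands the path unquoted and the message ends in a stray quote; it should match the three lines above it, `echo " # chmod 0755 \"$(PRIVSEP_PATH)\"" ; \`. That whole block is skipped whenever the directory already exists, even if it is not root-owned or is writable by the ntpd user, which is the case the chown/chmod hint is there to prevent. The `egrep` tests read only the local `/etc/group` and `/etc/passwd` and treat the name as a regular expression, so an account served by a directory service is reported missing; `getent passwd "$(PRIVSEP_USER)" >/dev/null` would avoid both, if getent can be assumed on the target platforms. In the same recipe "Please created" should read "Please create", and the final `echo` lacks the `@` prefix the other lines have.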
@@ -1,3 +1,22 @@
+#
+# Copyright (c) 2014 Brent Cook
+# Parts based on configure.ac from Portable OpenNTPD:
+# Copyright (c) 2004-2008 Darren Tucker
+# which itself was based on configure.ac from OpenSSH:
+# Copyright (c) 1999-2004 Damien Miller
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
 AC_INIT([OpenNTPD], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_CANONICAL_HOST
@@ -151,6 +170,24 @@ AC_CHECK_HEADERS([sys/sensors.h],
 AM_CONDITIONAL(HAVE_SENSORS, false)
 )
+AC_ARG_WITH(privsep-user,
+ [ --with-privsep-user=user Specify privilege separation user],
+ [ AC_DEFINE_UNQUOTED(NTPD_USER, "$withval",
+ [Unprivileged userid])
+ PRIVSEP_USER=$withval ],
+ [ PRIVSEP_USER=_ntp ]
+)
+AC_SUBST(PRIVSEP_USER)
+
+AC_ARG_WITH(privsep-path,
+ [ --with-privsep-path=path Specify privilege separation chroot path],
+ [ AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval",
+ [Privilege separation chroot path])
+ PRIVSEP_PATH=$withval ],
+ [ PRIVSEP_PATH=/var/empty ]
+)
+AC_SUBST(PRIVSEP_PATH)
+
 AC_CONFIG_FILES([
 Makefile
 include/Makefile
diff --git a/patches/0015-allow-overriding-default-user-and-file-locations.patch b/patches/0015-allow-overriding-default-user-and-file-locations.patch
new file mode 100644
index 0000000..04dc5c6
--- /dev/null
+++ b/patches/0015-allow-overriding-default-user-and-file-locations.patch
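Review bot: Neither `AC_ARG_WITH` block in configure.ac checks `$withval`, so a bare `--with-privsep-user` or `--without-privsep-user` compiles in `NTPD_USER` as "yes" or "no", and the same holds for `--with-privsep-path`. Rejecting those values up front, e.g. `AS_CASE(["$withval"], [yes|no|""], [AC_MSG_ERROR([--with-privsep-user requires a user name])])`, keeps a mistyped option from producing a daemon that looks up a nonexistent account. The commit message says ntpd always uses the home directory of the ntpd user, so `NTPD_CHROOT_DIR` appears to be defined without a consumer; a comment stating that `PRIVSEP_PATH` only feeds the install-time hints would stop a reader from assuming it constrains the chroot. The first argument and the help strings would conventionally be m4-quoted and written with `AS_HELP_STRING`.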
@@ -0,0 +1,42 @@
+From b427630990b65377a7369b3d61e51ce02be1ec93 Mon Sep 17 00:00:00 2001
+From: Brent Cook
+Date: Thu, 1 Jan 2015 07:18:11 -0600
+Subject: [PATCH 15/15] allow overriding default user and file locations
+
+Allow the build process to override the default ntpd file paths and
+default user.
+---
+ src/usr.sbin/ntpd/ntpd.h | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
+index 5ac0bbb..136bdd2 100644
+--- a/src/usr.sbin/ntpd/ntpd.h
++++ b/src/usr.sbin/ntpd/ntpd.h
+@@ -33,10 +33,20 @@
+ #include "ntp.h"
+ #include
+
++#ifndef NTPD_USER
+ #define NTPD_USER "_ntp"
+-#define CONFFILE "/etc/ntpd.conf"
+-#define DRIFTFILE "/var/db/ntpd.drift"
+-#define CTLSOCKET "/var/run/ntpd.sock"
++#endif
++
++#ifndef SYSCONFDIR
++#define SYSCONFDIR "/etc"
++#endif
++#define CONFFILE SYSCONFDIR "/ntpd.conf"
++
++#ifndef LOCALSTATEDIR
++#define LOCALSTATEDIR "/var"
++#endif
++#define DRIFTFILE LOCALSTATEDIR "/db/ntpd.drift"
++#define CTLSOCKET LOCALSTATEDIR "/run/ntpd.sock"
+
+ #define INTERVAL_QUERY_NORMAL 30 /* sync to peers every n secs */
+ #define INTERVAL_QUERY_PATHETIC 60
+--
+1.9.1
+
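Review bot: `DRIFTFILE` and `CTLSOCKET` in the patched ntpd.h now follow `LOCALSTATEDIR`, but nothing visible in this commit creates `$(localstatedir)/db` or `$(localstatedir)/run`; the Makefile.am install hook only creates `$(sysconfdir)`. With a non-default prefix those directories may not exist, and if they are created by hand they should be root-owned and not writable by other users, since ntpd presumably creates its control socket and drift file there. The `#ifndef NTPD_USER` guard only takes effect if the configure-generated definition is seen before ntpd.h is included, which this hunk does not show. A short comment above the guards, e.g. `/* may be overridden at build time: --with-privsep-user, sysconfdir, localstatedir */`, would document where the values come from.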