busybox: allow ntpd to run as non-root ntpd user

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-19 21:22:30 +01:00
parent ccb283c71c
commit 2d34355e16
4 changed files with 45 additions and 1 deletions
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=busybox
 PKG_VERSION:=1.31.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_FLAGS:=essential

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
@@ -50,6 +50,7 @@ define Package/busybox/Default
  TITLE:=Core utilities for embedded Linux
  URL:=http://busybox.net/
  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+  USERID:=ntpd=123:ntpd=123
 endef

 define Package/busybox
@@ -144,6 +145,8 @@ endif
 ifneq ($(CONFIG_BUSYBOX_$(BUSYBOX_SYM)_NTPD),)
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
+	$(INSTALL_DIR) $(1)/etc/capabilities/
+	$(INSTALL_DATA) ./files/ntpd.capabilities $(1)/etc/capabilities/ntpd.json
 endif
 	-rm -rf $(1)/lib64
 endef
--- a/package/utils/busybox/files/ntpd.capabilities
+++ b/package/utils/busybox/files/ntpd.capabilities
@@ -0,0 +1,22 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	]
+}
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -55,6 +55,13 @@ start_ntpd_instance() {
 		procd_append_param command -p $peer
 	done
 	procd_set_param respawn
+	[ -x /sbin/ujail ] && {
+		procd_add_jail ntpd
+		procd_set_param capabilities /etc/capabilities/ntpd.json
+		procd_set_param user ntpd
+		procd_set_param group ntpd
+		procd_set_param no_new_privs 1
+	}
 	procd_close_instance
 }

--- a/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
+++ b/package/utils/busybox/patches/600-allow-ntpd-non-root.patch
@@ -0,0 +1,12 @@
+--- a/networking/ntpd.c
+++ b/networking/ntpd.c
+@@ -2414,9 +2414,6 @@ static NOINLINE void ntp_init(char **arg
+ 
+ 	srand(getpid());
+ 
+-	if (getuid())
+-		bb_error_msg_and_die(bb_msg_you_must_be_root);
+-
+ 	/* Set some globals */
+ 	G.discipline_jitter = G_precision_sec;
+ 	G.stratum = MAXSTRAT;