From e3bd39f52e4418bee9f0d3c1abcebe592b09d458 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:12 +0200 Subject: [PATCH] update to 4.4-pre1 --- .gitignore | 6 +- chrony-keyaccess.patch | 191 ---------------------------------------- chrony-restricted.patch | 79 ----------------- chrony.spec | 13 +-- sources | 6 +- 5 files changed, 10 insertions(+), 285 deletions(-) delete mode 100644 chrony-keyaccess.patch delete mode 100644 chrony-restricted.patch diff --git a/.gitignore b/.gitignore index 57bb59a..b393483 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3.tar.gz -/chrony-4.3-tar-gz-asc.txt -/clknetsim-f00531.tar.gz +/chrony-4.4-pre1.tar.gz +/chrony-4.4-pre1-tar-gz-asc.txt +/clknetsim-13b0a5.tar.gz diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch deleted file mode 100644 index 4beedd8..0000000 --- a/chrony-keyaccess.patch +++ /dev/null @@ -1,191 +0,0 @@ -commit 9cba9c8585bc5ebf19bafece118fb2362090547c -Author: Miroslav Lichvar -Date: Thu Jan 19 16:09:40 2023 +0100 - - keys+nts: warn if loading world-readable/writable key - - Log a warning message if the file specified by the keyfile or - ntsserverkey directive is world-readable or writable, which is likely - an insecure misconfiguration. There is no check of directories - containing the file. - -diff --git a/keys.c b/keys.c -index 11f8b761..9225e6cd 100644 ---- a/keys.c -+++ b/keys.c -@@ -182,6 +182,9 @@ KEY_Reload(void) - if (!key_file) - return; - -+ if (!UTI_CheckFilePermissions(key_file, 0771)) -+ ; -+ - in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); - if (!in) { - LOG(LOGS_WARN, "Could not open keyfile %s", key_file); -diff --git a/nts_ke_session.c b/nts_ke_session.c -index dfcd18ab..2ae1e915 100644 ---- a/nts_ke_session.c -+++ b/nts_ke_session.c -@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, - assert(0); - - for (i = 0; i < n_certs_keys; i++) { -+ if (!UTI_CheckFilePermissions(keys[i], 0771)) -+ ; - r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], - GNUTLS_X509_FMT_PEM); - if (r < 0) -diff --git a/util.c b/util.c -index 064292ce..4b9d30ee 100644 ---- a/util.c -+++ b/util.c -@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) - - /* ================================================== */ - -+int -+UTI_CheckFilePermissions(const char *path, mode_t perm) -+{ -+ mode_t extra_perm; -+ struct stat buf; -+ -+ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { -+ /* Not considered an error */ -+ return 1; -+ } -+ -+ extra_perm = (buf.st_mode & 0777) & ~perm; -+ if (extra_perm != 0) { -+ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? -+ (extra_perm & 0004 ? "World-readable" : "World-writable") : "Wrong", path); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 4655e537..6844798c 100644 ---- a/util.h -+++ b/util.h -@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid - permissions and its uid/gid must match the specified values. */ - extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); - -+/* Check and log a warning message if a file has more permissions than -+ specified. It does not return error if it is not an accessible file. */ -+extern int UTI_CheckFilePermissions(const char *path, mode_t perm); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. - -commit 883b0dde946105e0910456a0bebb24d57fecb0fc -Author: Miroslav Lichvar -Date: Wed Jan 25 14:29:06 2023 +0100 - - conf: warn if not having read-only access to keys - - After dropping root privileges, log a warning message if chronyd - doesn't have read access or has (unnecessary) write access to the - files containing symmetric and server NTS keys. - -diff --git a/conf.c b/conf.c -index 9f42a426..0597836d 100644 ---- a/conf.c -+++ b/conf.c -@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) - - /* ================================================== */ - -+void -+CNF_CheckReadOnlyAccess(void) -+{ -+ unsigned int i; -+ -+ if (keys_file) -+ UTI_CheckReadOnlyAccess(keys_file); -+ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) -+ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); -+} -+ -+/* ================================================== */ -+ - void - CNF_AddInitSources(void) - { -diff --git a/conf.h b/conf.h -index 11fd11df..d7acb4fd 100644 ---- a/conf.h -+++ b/conf.h -@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); - - extern void CNF_CreateDirs(uid_t uid, gid_t gid); - -+extern void CNF_CheckReadOnlyAccess(void); -+ - extern void CNF_AddInitSources(void); - extern void CNF_AddSources(void); - extern void CNF_AddBroadcasts(void); -diff --git a/main.c b/main.c -index c40b5e4b..31e3c8f0 100644 ---- a/main.c -+++ b/main.c -@@ -637,9 +637,13 @@ int main - } - - /* Drop root privileges if the specified user has a non-zero UID */ -- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) -+ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { - SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); - -+ /* Warn if missing read access or having write access to keys */ -+ CNF_CheckReadOnlyAccess(); -+ } -+ - if (!geteuid()) - LOG(LOGS_WARN, "Running with root privileges"); - -diff --git a/util.c b/util.c -index 4b9d30ee..0321720e 100644 ---- a/util.c -+++ b/util.c -@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) - - /* ================================================== */ - -+void -+UTI_CheckReadOnlyAccess(const char *path) -+{ -+ if (access(path, R_OK) != 0 && errno != ENOENT) -+ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); -+ if (access(path, W_OK) == 0) -+ LOG(LOGS_WARN, "Having write access to %s", path); -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 6844798c..d8e25dee 100644 ---- a/util.h -+++ b/util.h -@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid - specified. It does not return error if it is not an accessible file. */ - extern int UTI_CheckFilePermissions(const char *path, mode_t perm); - -+/* Log a warning message if not having read access or having write access -+ to a file/directory */ -+extern void UTI_CheckReadOnlyAccess(const char *path); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony-restricted.patch b/chrony-restricted.patch deleted file mode 100644 index 930e814..0000000 --- a/chrony-restricted.patch +++ /dev/null @@ -1,79 +0,0 @@ -commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 -Author: Miroslav Lichvar -Date: Tue Jan 10 15:02:49 2023 +0100 - - examples: add chronyd-restricted.service - - This is a more restricted version of the chronyd service intended for - minimal NTP/NTS client configurations. The daemon is started without - root privileges and is allowed to write only to its own runtime, state, - and log directories. It cannot bind to privileged ports in order to - operate as an NTP server, or provide monitoring access over IPv4/IPv6. - It cannot use reference clocks, HW timestamping, RTC tracking, and other - features. - -diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service -new file mode 100644 -index 00000000..50998338 ---- /dev/null -+++ b/examples/chronyd-restricted.service -@@ -0,0 +1,59 @@ -+# This is a more restricted version of the chronyd service intended for -+# minimal NTP/NTS client configurations. The daemon is started without root -+# privileges and is allowed to write only to its own runtime, state, and log -+# directories. It cannot bind to privileged ports in order to operate as an -+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use -+# reference clocks, HW timestamping, RTC tracking, and other features. -+[Unit] -+Description=NTP client (restricted) -+Documentation=man:chronyd(8) man:chrony.conf(5) -+After=chronyd.service ntpdate.service sntp.service ntpd.service -+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service -+ConditionCapability=CAP_SYS_TIME -+ -+[Service] -+Type=forking -+PIDFile=/run/chrony/chronyd.pid -+EnvironmentFile=-/etc/sysconfig/chronyd -+ExecStart=/usr/sbin/chronyd -U $OPTIONS -+ -+User=chrony -+LogsDirectory=chrony -+LogsDirectoryMode=0750 -+RuntimeDirectory=chrony -+RuntimeDirectoryMode=0750 -+RuntimeDirectoryPreserve=restart -+StateDirectory=chrony -+StateDirectoryMode=0750 -+ -+AmbientCapabilities=CAP_SYS_TIME -+CapabilityBoundingSet=CAP_SYS_TIME -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes -+PrivateDevices=yes -+PrivateTmp=yes -+# This breaks adjtimex() -+#PrivateUsers=yes -+ProcSubset=pid -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RemoveIPC=yes -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictRealtime=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io -+SystemCallFilter=~@reboot @resources @swap -+UMask=0077 -+ -+[Install] -+WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 532f6ef..efe9f89 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f00531 +%global clknetsim_ver 13b0a5 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.3 +Version: 4.4 Release: 3%{?dist} Summary: An NTP client/server @@ -25,10 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# add chronyd-restricted service -Patch2: chrony-restricted.patch -# warn if keys are world-accessible or chronyd doesn't have read-only access -Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -60,8 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .restricted -%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -71,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp - 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline + 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF diff --git a/sources b/sources index f352bac..73edab9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df -SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 -SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 +SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 +SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a