From owner-freebsd-security@freebsd.org Tue Jun 26 19:53:17 2018
From: Roger Marquis
To: freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Date: Tue, 26 Jun 2018 12:53:08 -0700 (PDT)
Subject: Jailing {open,}ntpd

Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
container?  Can it be done in such a way that a breached daemon would
not have access to the host?

Roger Marquis

From owner-freebsd-security@freebsd.org Tue Jun 26 20:48:03 2018
From: John Freeman
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Date: Tue, 26 Jun 2018 23:47:52 +0300
Subject: Re: Jailing {open,}ntpd
Message-ID: <1530046072.33630487@f142.i.mail.ru>

Why not, with the appropriate devfs rules?

> Tuesday, 26 June 2018, 23:00 +03:00, from Roger Marquis <marquis@roble.com>:
>
> Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
> container?  Can it be done in such a way that a breached daemon would
> not have access to the host?
>
> Roger Marquis

Regards,
John Freeman
quake2k@mail.ru

From owner-freebsd-security@freebsd.org Thu Jun 28 06:08:17 2018
From: Thomas Steen Rasmussen
To: Roger Marquis, freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Date: Thu, 28 Jun 2018 08:08:12 +0200
Subject: Re: Jailing {open,}ntpd
Message-ID: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>

On 06/26/2018 09:53 PM, Roger Marquis wrote:
> Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux
> container?  Can it be done in such a way that a breached daemon would
> not have access to the host?
>
> Roger Marquis

Hello,

TL;DR: +1

I've been wondering about the same thing. Anything that speaks to
untrusted network clients belongs in a jail, but to my knowledge both
ntpds are unjailable because they want to use some kernel system calls
(to adjust time) which are not allowed in jails (as it should be).

In my opinion adjusting the local bios/cmos clock and keeping it in sync
with some upstream NTP source is a different task than serving NTP to
untrusted network clients (like an ISP is expected to do).

I'd love for one or both ntpds to have an option to only serve local
time, without attempting to adjust the clock, if such a feature is
possible.

I'd then keep an ntpd running in the base system which takes care of
keeping the system clock in sync, and another in a jail which only reads
the time and serves it to network clients, but doesn't try to adjust or
speak to upstream NTPs.

I will be watching this thread hoping that someone who knows about NTP
will chime in. Thanks!

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-security@freebsd.org Thu Jun 28 12:02:13 2018
From: Mel Pilgrim
To: Thomas Steen Rasmussen, Roger Marquis, freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Date: Thu, 28 Jun 2018 05:02:12 -0700
Subject: Re: Jailing {open,}ntpd
Message-ID: <5d28bb01-85e2-f08e-1bc8-865148c3cf9e@bluerosetech.com>
In-Reply-To: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>

On 06/27/2018 23:08, Thomas Steen Rasmussen wrote:
> Anything that speaks to untrusted network clients belongs in a jail, but
> to my knowledge both ntpds are unjailable because they want to use some
> kernel system calls (to adjust time) which are not allowed in jails (as
> it should be).
>
> In my opinion adjusting the local bios/cmos clock and keeping it in sync
> with some upstream NTP source is a different task than serving NTP to
> untrusted network clients (like an ISP is expected to do).
>
> I'd love for one or both ntpds to have an option to only serve local
> time, without attempting to adjust the clock, if such a feature is
> possible.
>
> I'd then keep an ntpd running in the base system which takes care of
> keeping the system clock in sync, and another in a jail which only reads
> the time and serves it to network clients, but doesn't try to adjust or
> speak to upstream NTPs.

You can do this by configuring the jailed ntpd with the local clock
driver as a reference.

Doing this for an ntpd serving the general public would be evil. NTP
Pool Project membership prohibits using the local clock driver.

If your priority is something with a better security profile than an
ISC daemon, run OpenNTPD instead.

For the ISC ntpd, configure a reference clock with a server line that
has a magic number 127.127.0.0/16 address. The "Reference Clock Support"
section of ntp.conf(5) has more details. The local clock is type 1.

OpenNTPD does not have reference clock support.
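An ntp.conf fragment for the serve-only ISC ntpd inside the jail, following the reply above (an added example, not posted by anyone in the thread). Only the `server 127.127.1.0` line comes from the reply (type 1 local clock driver, unit 0, in the 127.127.t.u form); the `fudge`, `disable` and `restrict` lines are ntp.conf(5) options I add so the jailed daemon only answers time queries from internal clients and never tries to discipline the clock, which the thread notes a jail would not permit anyway.

```conf
# /etc/ntp.conf for the jailed, serve-only ntpd (added example). Assumes the
# host's own ntpd keeps the shared kernel clock in sync; the jail just reads it.

# Reference clock: type 1 = local clock driver, unit 0 (127.127.t.u address).
server 127.127.1.0
# Advertise a high stratum so any client that also sees a real upstream
# source will never prefer this server over it.
fudge 127.127.1.0 stratum 10

# Open the discipline loop: this instance must never adjust the system clock.
# The host ntpd does that, and the jail lacks the privilege in any case.
disable ntp

# Serve plain time requests only: no peering, no runtime reconfiguration,
# no trap or mode 6/7 status queries except from the jail's own loopback.
restrict default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# Disable the monitor facility so no client-list (monlist) data is kept.
disable monitor
```

This is for internal clients only: as the reply says, a server offered to the general public must not use the local clock driver, and NTP Pool membership prohibits it.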