From owner-freebsd-jail@freebsd.org Wed Jun 27 04:10:21 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D526102CD9A for ; Wed, 27 Jun 2018 04:10:21 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id AE5F9921F5 for ; Wed, 27 Jun 2018 04:10:19 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id w5R3Hjuv047648 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 27 Jun 2018 13:17:45 +1000 (AEST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be [10.0.5.3] Subject: Re: Jailing {open,}ntpd To: Roger Marquis , freebsd-jail@freebsd.org References: From: Dewayne Geraghty Message-ID: <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au> Date: Wed, 27 Jun 2018 13:17:46 +1000 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-AU X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jun 2018 04:10:21 -0000 Hi Roger, I have a similar mental state :) Yes, I run ports ntpd within a chroot environment.  ntpd can run within a jail, but it lacks the priv to perform a syscall to modify time.  Which is correct behaviour, for a restricted environment; protecting other jailed environs.  Previously there was also an mlock call, which prevented it running but that was changed a while ago; but that's an aside unless you're running on old "stuff". ;) As this is not a security issue, I've removed those interested in that area from the CC. There are a few tricks with chroot, but first a disclaimer: I use jails for everything except ntpd, so there may be a better way. Trick 1. This is how I want ntpd to run /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid but you can't pass arguments into chroot.  So I created a "/start" that I place my chroot commands into. Trick 2.  Use ldd to see what libs you need to copy into your chroot.  Also remember, that you must have ld-elf and /dev/null. So Using ROOTD as your chroot destination mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec  ; and setup dev   mkdir  $ROOTD/dev   touch $ROOTD/dev/null   chmod 666 $ROOTD/dev/null;   # Yes this is sufficient! The rest of the files are from the ntpd tarfile.  Enjoy ;) PS: ntpq wont report due to "servname not supported for ai_socktype"... no solution yet.