Date: Wed, 27 Jun 2018 13:17:46 +1000
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: Roger Marquis <marquis@roble.com>, freebsd-jail@freebsd.org
Subject: Re: Jailing {open,}ntpd
Message-ID: <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au>
In-Reply-To: <nycvar.OFS.7.76.444.1806261238560.57821@mx.roble.com>
References: <nycvar.OFS.7.76.444.1806261238560.57821@mx.roble.com>
Hi Roger,

I have a similar mental state :)

Yes, I run ports ntpd within a chroot environment. ntpd can run within a jail, but it lacks the priv to perform a syscall to modify time, which is correct behaviour for a restricted environment; protecting other jailed environs. Previously there was also an mlock call, which prevented it running, but that was changed a while ago; but that's an aside unless you're running on old "stuff". ;)

As this is not a security issue, I've removed those interested in that area from the CC.

There are a few tricks with chroot, but first a disclaimer: I use jails for everything except ntpd, so there may be a better way.

Trick 1. This is how I want ntpd to run:

    /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid

but you can't pass arguments into chroot. So I created a "/start" that I place my chroot commands into.

Trick 2. Use ldd to see what libs you need to copy into your chroot. Also remember that you must have ld-elf and /dev/null. So, using ROOTD as your chroot destination:

    mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec

and set up dev:

    mkdir $ROOTD/dev
    touch $ROOTD/dev/null
    chmod 666 $ROOTD/dev/null    # Yes this is sufficient!

The rest of the files are from the ntpd tarfile.

Enjoy ;)

PS: ntpq won't report due to "servname not supported for ai_socktype"... no solution yet.
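The two tricks above, assembled into one script as an added example (not code from the post or from the ntp port): it parses ldd output to find the libraries to copy, populates ld-elf and /dev/null, and writes the /start wrapper that carries the ntpd arguments chroot cannot pass. The chroot location /var/ntpchroot and the binary path /usr/local/sbin/ntpd are assumptions; run it as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example: build a minimal chroot for the ports ntpd.
# Assumed locations (not from the post): ROOTD=/var/ntpchroot,
# ntpd at /usr/local/sbin/ntpd, config copied from /etc/ntp.conf.
set -eu

# Parse ldd output into absolute shared-object paths. FreeBSD ldd prints
#   /usr/local/sbin/ntpd:
#       libm.so.5 => /lib/libm.so.5 (0x800a00000)
# so keep only the path after "=>"; the header line has no such field.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Trick 1: chroot takes no program arguments, so the full ntpd command
# line lives in a /start script inside the chroot.
start_script_contents() {
    printf '#!/bin/sh\nexec /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid\n'
}

# Copy a host file to the same path under the chroot, creating parents.
install_into_root() {
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2"
}

# Trick 2: runtime linker, /dev/null (a plain file, as the post notes),
# the binary, every library ldd reports for it, and the /start wrapper.
build_ntpd_chroot() {
    rootd=$1 ntpd=$2
    mkdir -p "$rootd/dev" "$rootd/libexec" "$rootd/etc" "$rootd/var/run"
    touch "$rootd/dev/null" && chmod 666 "$rootd/dev/null"
    [ -f /libexec/ld-elf.so.1 ] && cp /libexec/ld-elf.so.1 "$rootd/libexec/"
    install_into_root "$rootd" "$ntpd"
    ldd "$ntpd" | libs_from_ldd | while read -r lib; do
        install_into_root "$rootd" "$lib"
    done
    start_script_contents > "$rootd/start" && chmod 755 "$rootd/start"
}

# Host usage (as root):
#   build_ntpd_chroot /var/ntpchroot /usr/local/sbin/ntpd
#   cp /etc/ntp.conf /var/ntpchroot/etc/ && chroot /var/ntpchroot /start
```

Re-run build_ntpd_chroot after upgrading the ntp port, since the library set ldd reports can change between versions.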