Date:      Wed, 27 Jun 2018 14:13:02 +1000
From:      Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To:        Roger Marquis <marquis@roble.com>, freebsd-jail@freebsd.org
Subject:   Re: Jailing {open,}ntpd
Message-ID:  <3935aa1a-4b95-1c91-ffac-1d98ae718a9c@heuristicsystems.com.au>
In-Reply-To: <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au>
References:  <nycvar.OFS.7.76.444.1806261238560.57821@mx.roble.com> <081ffc3c-8f9d-acd5-a3af-6bec0d08b32e@heuristicsystems.com.au>

On 27/06/2018 1:17 PM, Dewayne Geraghty wrote:
> Hi Roger, I have a similar mental state :)
>
> Yes, I run ports ntpd within a chroot environment. 
>
> ntpd can run within a jail, but it lacks the priv to perform a syscall
> to modify time.  Which is correct behaviour, for a restricted
> environment; protecting other jailed environs.  Previously there was
> also an mlock call, which prevented it running but that was changed a
> while ago; but that's an aside unless you're running on old "stuff". ;)
>
> As this is not a security issue, I've removed those interested in that
> area from the CC.
>
> There are a few tricks with chroot, but first a disclaimer: I use jails
> for everything except ntpd, so there may be a better way.
>
> Trick 1. This is how I want ntpd to run
>
> /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
>
> but you can't pass arguments into chroot.  So I created a "/start" that
> I place my chroot commands into.
>
> Trick 2.  Use ldd to see what libs you need to copy into your chroot. 
> Also remember, that you must have ld-elf and /dev/null. So
>
> Using ROOTD as your chroot destination
>
> mkdir $ROOTD/libexec && cp /libexec/ld-elf.so.1 $ROOTD/libexec  ;
>
> and setup dev
>
>   mkdir  $ROOTD/dev
>   touch $ROOTD/dev/null
>   chmod 666 $ROOTD/dev/null;   # Yes this is sufficient!
>
> The rest of the files are from the ntpd tarfile.  Enjoy ;)
>
> PS: ntpq won't report due to "servname not supported for ai_socktype"...
> no solution yet.
>
Oops.  Running on low memory.
Roger, forget trick 1 above, we run our ntp via
chroot /usr/chroot/ntp /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p
/var/run/ntpd.pid
and yes, "ntpq -np 127.0.0.1" works from the base system.  Tsk.
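The "Trick 2" steps above (ldd for the libraries, ld-elf.so.1, a /dev/null entry) as one POSIX sh helper; this is an added example, not code from the mail, and it assumes ROOTD is the chroot destination and the FreeBSD "name => /path (0x...)" ldd output format (the sample output below is constructed).

```shell
#!/bin/sh
# Build a minimal chroot for a single daemon from its ldd output.

# Extract absolute library paths from ldd output read on stdin.
# Lines without "=>" (the binary name, vdso-style entries) are skipped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Copy one file into $rootd, recreating its directory, e.g. /lib/libc.so.7.
copy_into_root() {
    rootd=$1; src=$2
    mkdir -p "$rootd$(dirname "$src")"
    cp -p "$src" "$rootd$src"
}

# Populate $rootd with the daemon binary, its shared libraries,
# the runtime linker, and a writable /dev/null (a plain file, as in the mail).
build_chroot() {
    rootd=$1; bin=$2
    copy_into_root "$rootd" "$bin"
    ldd "$bin" | ldd_libs | while read -r lib; do
        copy_into_root "$rootd" "$lib"
    done
    copy_into_root "$rootd" /libexec/ld-elf.so.1
    mkdir -p "$rootd/dev"
    : > "$rootd/dev/null"
    chmod 666 "$rootd/dev/null"
}

# Constructed sample of FreeBSD ldd output, used to exercise ldd_libs offline.
SAMPLE_LDD='/usr/local/sbin/ntpd:
	libm.so.5 => /lib/libm.so.5 (0x800a00000)
	libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Print the library paths the sample would require.
sample_libs() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs
}

# Usage on a real host: ROOTD=/usr/chroot/ntp; build_chroot "$ROOTD" /usr/local/sbin/ntpd
```

After running build_chroot, the binary is started with `chroot "$ROOTD" /usr/local/sbin/ntpd ...` as in the message, so a copy of /etc/ntp.conf must also be placed under `$ROOTD/etc`.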