From owner-freebsd-security@freebsd.org Thu Jun 28 06:08:17 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A04A101E16E; Thu, 28 Jun 2018 06:08:17 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from mail.tyknet.dk (mail.tyknet.dk [IPv6:2a01:4f8:201:2327:144:76:253:226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BB93A8BF47; Thu, 28 Jun 2018 06:08:16 +0000 (UTC) (envelope-from thomas@gibfest.dk) Received: from [10.137.3.13] (nat2.hq.bornfiber.dk [185.96.91.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.tyknet.dk (Postfix) with ESMTPSA id F167DB9F2E0; Thu, 28 Jun 2018 06:08:13 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tyknet.dk F167DB9F2E0 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default; t=1530166094; bh=LGhdV/5kEalva5a1Ueogi78SspwjdbnXhBI9umOAvnY=; h=Subject:To:References:From:Date:In-Reply-To; b=H4rLJ5fwwni3IF80HODyH3Qp5qzLEgSYT1ObEFCt2WvOZpZuBI5qGvQeghT3AHcEw 9PL3doEY69nNEYCsY13/BILilHvT1zUxFbcB+GXiv5jHVgoeHQXYqDND+5lfxlrpl7 CJKFOzkgG7PmhkG7rOHahVU8kICX05tmapvXGiRdD2IGcInBRpihyESYQuRq3mhCJk SLmYRuBs3cCSfK06TglCT9bWKP05ve2Y1eiLGsXUpPNNpzC7sBHTvS2zsAGSXulvg7 0UAhIw6cGuM678votnJAmC4+4vFTmbY2PaaaYbjY03bA+j6Mem7ie6s278/i5rK0T0 iGRpS4qwcLjVA== Subject: Re: Jailing {open,}ntpd To: Roger Marquis , freebsd-security@freebsd.org, freebsd-jail@freebsd.org References: From: Thomas Steen Rasmussen Message-ID: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk> Date: Thu, 28 Jun 2018 08:08:12 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jun 2018 06:08:17 -0000 On 06/26/2018 09:53 PM, Roger Marquis wrote: > Has anyone configured {open,}ntpd to run in a FreeBSD jail or Linux > container?  Can it be done in such a way that a breached daemon would > not have access to the host? > > Roger Marquis Hello, TL;DR: +1 I've been wondering about the same thing. Anything that speaks to untrusted network clients belongs in a jail, but to my knowledge both ntpds are unjailable because they want to use some kernel system calls (to adjust time) which are not allowed in jails (as it should be). In my opinion adjusting the local bios/cmos clock and keeping it in sync with some upstream NTP source is a different task than serving NTP to untrusted network clients (like an ISP is expected to do). I'd love for one or both ntpds to have an option to only serve local time, without attempting to adjust the clock, if such a feature is possible. I'd then keep an ntpd running in the base system which takes care of keeping the system clock in-sync, and another in a jail which only reads the time and serves it to network clients, but doesn't try to adjust or speak to upsteam NTPs. I will be watching this thread hoping that someone who knows about NTP will chime in. Thanks! Best regards, Thomas Steen Rasmussen