[OpenWrt-Devel] [PATCH] package/utils/busybox: Jail sysntpd
Daniel Dickinson
openwrt at daniel.thecshore.com
Thu Dec 17 03:20:44 EST 2015
Hi,
Speaking of jails, is it possible yet to automagically detect the
dependencies for multiple binaries yet (there is package I've got a pull
request to add to the packages feed that I haven't jailed because of a
dependency on another program; if that other program can be included in
the jail without having to manually figure out library dependencies I'll
move it as well).
I'll do some additional testing etc with sysntpd to see about narrowing
it's privileges.
Regards,
Daniel
On 17/12/15 03:14 AM, Etienne Champetier wrote:
> Hi,
>
> 2015-12-16 23:34 GMT+01:00 <openwrt at daniel.thecshore.com
> <mailto:openwrt at daniel.thecshore.com>>:
>
> From: Daniel Dickinson <openwrt at daniel.thecshore.com
> <mailto:openwrt at daniel.thecshore.com>>
>
> Note that not all of procfs sysfs log and ubus may be required for
> actual
> operation, they are just what strace reveals attempting to make
> accesses.
>
> Signed-off-by: Daniel Dickinson <openwrt at daniel.thecshore.com
> <mailto:openwrt at daniel.thecshore.com>>
> ---
> package/utils/busybox/files/sysntpd | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/utils/busybox/files/sysntpd
> b/package/utils/busybox/files/sysntpd
> index f73bb83..e61c9fc 100755
> --- a/package/utils/busybox/files/sysntpd
> +++ b/package/utils/busybox/files/sysntpd
> @@ -31,7 +31,11 @@ start_service() {
> for peer in $server; do
> procd_append_param command -p $peer
> done
> + touch /var/run/ntpd.pid
> procd_set_param respawn
> + procd_add_jail sysntpd procfs sysfs log ubus
> + procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
> /tmp/resolv.conf /etc/hosts /etc/TZ
> + procd_add_jail_mount_rw /var/run/ntpd.pid
> procd_close_instance
> }
>
>
> Nice to see people jailing daemon.
> I've added some feature to ujail recently but it lack proper documentation
> https://dev.openwrt.org/changeset/47862/trunk
>
> Keep in mind that root inside the jail is the same as root outside it
> (we don't use user namespace for now),
> so sysntpd is still root and has access to /proc and /sys, so he can do
> lots of things
>
> Can you try to add capabilities restrictions ?
> procd_set_param capabilities <json file>
> for the syntax see
> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>
> maybe you can also add
> procd_set_param no_new_privs 1
> which prevent the process to gain new privileges (this disable suid ...)
>
> Etienne
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list