[chrony-dev] shm permissions

2010-01-25 Thread Håkan Johansson


Hi,

ntpd creates the shm refclock segments 2 and 3 with permissions 0666 
(previously 0777), allowing also non-root users to provide synchronisation 
data when these segments are set up.  The attached patch changes chrony to 
do that too (currently 0700 for all segments).  It also changes the 
permissions from 7 to 6, i.e. removing the useless execute-bits.


Cheers,
Håkan

diff --git a/refclock_shm.c b/refclock_shm.c
index b3b689b..9f46a0c 100644
--- a/refclock_shm.c
+++ b/refclock_shm.c
@@ -56,12 +56,18 @@ struct shmTime {
 };
 
 static int shm_initialise(RCL_Instance instance) {
-  int id, param;
+  int id, param, perm;
   struct shmTime *shm;
 
   param = atoi(RCL_GetDriverParameter(instance));
 
-  id = shmget(SHMKEY + param, sizeof (struct shmTime), IPC_CREAT | 0700);
+  if (param < 2) {
+perm = 0700;
+  } else {
+perm = 0777;
+  }
+
+  id = shmget(SHMKEY + param, sizeof (struct shmTime), IPC_CREAT | perm);
   if (id == -1) {
 LOG_FATAL(LOGF_Refclock, "shmget() failed");
 return 0;
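Review bot: the values assigned in this hunk do not match the cover text. The message says the execute bits are dropped (7 to 6), but the new code sets `perm = 0700;` and `perm = 0777;`, so segments with `param >= 2` become world-writable and world-executable (0777) rather than the 0666 described. The `param < 2` threshold also hard-codes which segments are trusted; since a world-writable segment lets any local user feed samples to the driver, a per-refclock option (with the value masked to at most 0666) would be safer than a fixed split by segment number. The two `perm = ...` lines also appear to have lost their indentation relative to the surrounding `if`/`else`.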


Re: [chrony-dev] shm permissions

2010-01-25 Thread Bill Unruh

I am not sure that this is a good idea, since this would allow anyone to send
rogue data to the shm driver. It would be better to leave it at 0600 for the
chrony user ( or for root if you are using root), and let root change it if
the sysadmin wants to allow anyone to write to the shm, or at most make it a
configuration option. It is not clear to me what the scenario is where someone
other than root should be able to send data to this driver.

On Mon, 25 Jan 2010, Håkan Johansson wrote:

> Hi,
>
> ntpd creates the shm refclock segments 2 and 3 with permissions 0666
> (previously 0777), allowing also non-root users to provide synchronisation
> data when these segments are set up.  The attached patch changes chrony to do
> that too (currently 0700 for all segments).  It also changes the permissions
> from 7 to 6, i.e. removing the useless execute-bits.
>
> Cheers,
> Håkan



--
William G. Unruh   |  Canadian Institute for| Tel: +1(604)822-3273
Physics&Astronomy  | Advanced Research  | Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology | un...@physics.ubc.ca
Canada V6T 1Z1 |  and Gravity   |  www.theory.physics.ubc.ca/

Re: [chrony-dev] shm permissions

2010-01-25 Thread Håkan Johansson


On Mon, 25 Jan 2010, Bill Unruh wrote:

> I am not sure that this is a good idea, since this would allow anyone to send
> rogue data to the shm driver. It would be better to leave it at 0600 for the
> chrony user ( or for root if you are using root), and let root change it if
> the sysadmin wants to allow anyone to write to the shm, or at most make it a
> configuration option.

It becomes a configuration option in the sense that segments 0 and 1 use 
permissions 0600 and only segments 2 and 3 use 0666, so the level of 
trust can then be selected that way.

> It is not clear to me what the scenario is where someone
> other than root should be able to send data to this driver.


My scenario is that I am user on some systems where I will not get root 
permissions, so I cannot modify/restart/etc the ntpd/chronyd process, 
which I do not need.  But the sysadmins would entrust me to run e.g. gpsd 
to provide reference data.  This is useful for the further testing of gpsd 
I am doing, and the need to modify/restart gpsd doing that.


Cheers,
Håkan




> On Mon, 25 Jan 2010, Håkan Johansson wrote:
>
> > Hi,
> >
> > ntpd creates the shm refclock segments 2 and 3 with permissions 0666
> > (previously 0777), allowing also non-root users to provide synchronisation
> > data when these segments are set up.  The attached patch changes chrony to do
> > that too (currently 0700 for all segments).  It also changes the permissions
> > from 7 to 6, i.e. removing the useless execute-bits.
> >
> > Cheers,
> > Håkan




Re: [chrony-dev] shm permissions

2010-01-26 Thread Miroslav Lichvar
On Mon, Jan 25, 2010 at 09:48:57PM +0100, Håkan Johansson wrote:
> On Mon, 25 Jan 2010, Bill Unruh wrote:
> >I am not sure that this is a good idea, since this would allow anyone to send
> >rogue data to the shm driver. It would be better to leave it at 0600 for the
> >chrony user ( or for root if you are using root), and let root change it if
> >the sysadmin wants to allow anyone to write to the shm, or at most make it a
> >configuration option.
> 
> It becomes a configuration option in the sense that segments 0 and 1
> use permissions 0600 and only segments 2 and 3 use 0666, so the
> level of trust can then be selected that way.

I agree with Bill. This seems dangerous.

> >It is not clear to me what the scenario is where someone
> >other than root should be able to send data to this driver.
> 
> My scenario is that I am user on some systems where I will not get
> root permissions, so I cannot modify/restart/etc the ntpd/chronyd
> process, which I do not need.  But the sysadmins would entrust me to
> run e.g. gpsd to provide reference data.  This is useful for the
> further testing of gpsd I am doing, and the need to modify/restart
> gpsd doing that.

If the sysadmins are willing to configure ntpd/chronyd to use SHM, I
think you can ask them to create the segment before starting the
service with any permissions you want, e.g. 600 with your user as the
owner.

-- 
Miroslav Lichvar

---
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.



Re: [chrony-dev] shm permissions

2010-01-26 Thread Håkan Johansson


Ok, could it perhaps be made an explicit option of the refclock?  (The 
sysadmins were happy to not have to change more than the config file for 
the few machines in question. :) )


Cheers,
Håkan

On Tue, 26 Jan 2010, Miroslav Lichvar wrote:

> On Mon, Jan 25, 2010 at 09:48:57PM +0100, Håkan Johansson wrote:
> > On Mon, 25 Jan 2010, Bill Unruh wrote:
> > > I am not sure that this is a good idea, since this would allow anyone to send
> > > rogue data to the shm driver. It would be better to leave it at 0600 for the
> > > chrony user ( or for root if you are using root), and let root change it if
> > > the sysadmin wants to allow anyone to write to the shm, or at most make it a
> > > configuration option.
> >
> > It becomes a configuration option in the sense that segments 0 and 1
> > use permissions 0600 and only segments 2 and 3 use 0666, so the
> > level of trust can then be selected that way.
>
> I agree with Bill. This seems dangerous.
>
> > > It is not clear to me what the scenario is where someone
> > > other than root should be able to send data to this driver.
> >
> > My scenario is that I am user on some systems where I will not get
> > root permissions, so I cannot modify/restart/etc the ntpd/chronyd
> > process, which I do not need.  But the sysadmins would entrust me to
> > run e.g. gpsd to provide reference data.  This is useful for the
> > further testing of gpsd I am doing, and the need to modify/restart
> > gpsd doing that.
>
> If the sysadmins are willing to configure ntpd/chronyd to use SHM, I
> think you can ask them to create the segment before starting the
> service with any permissions you want, e.g. 600 with your user as the
> owner.




Re: [chrony-dev] shm permissions

2010-01-26 Thread Miroslav Lichvar
On Tue, Jan 26, 2010 at 12:54:45PM +0100, Håkan Johansson wrote:
> 
> Ok, could it perhaps be made an explicit option of the refclock?

I think that would be ok. We don't have a mechanism for passing
arbitrary options to drivers, but maybe colons could be used in
refclock parameter, e.g "refclock SHM 0:perm=666". Would be nice to
have some routines for parsing such options available for all drivers.

-- 
Miroslav Lichvar




Re: [chrony-dev] shm permissions

2010-01-28 Thread Miroslav Lichvar
On Tue, Jan 26, 2010 at 12:54:45PM +0100, Håkan Johansson wrote:
> 
> Ok, could it perhaps be made an explicit option of the refclock?
> (The sysadmins were happy to not have to change more than the config
> file for the few machines in question. :) )

In the latest git the permissions can now be specified with :perm=666.

-- 
Miroslav Lichvar




Re: [chrony-dev] shm permissions

2010-01-29 Thread Håkan Johansson

> In the latest git the permissions can now be specified with :perm=666.


Great!

Perhaps AND the output of strtol(s, NULL, 8) with 0666 to prevent the 
user from setting any other flags by mistake.


Cheers,
Håkan

Re: [chrony-dev] shm permissions

2010-01-29 Thread Miroslav Lichvar
On Fri, Jan 29, 2010 at 05:11:29AM +0100, Håkan Johansson wrote:
> >In the latest git the permissions can now be specified with :perm=666.
> 
> Great!
> 
> Perhaps AND the output of strtol(s, NULL, 8) with 0666 to prevent
> the user from setting any other flags by mistake.

Good idea. Thanks.

-- 
Miroslav Lichvar

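The ":perm=" refclock option and the 0666 mask discussed in this thread, as an added example that is not chrony's own code: a hypothetical parser for a parameter of the form "N[:perm=OCTAL]" (the names parse_shm_param and shm_param and the 0600 default are assumptions) that ANDs the parsed value with 0666 so that execute, setuid/setgid and sticky bits can never reach shmget().

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser (not chrony's own code) for a refclock parameter of the
   form "N[:perm=OCTAL]", following the "refclock SHM 0:perm=666" syntax
   suggested in the thread.  The 0600 default is an assumption. */
#define SHM_DEFAULT_PERM 0600
#define SHM_PERM_MASK    0666   /* rw bits only: no execute, setuid/setgid, sticky */

struct shm_param {
    int segment;   /* SHM unit number added to the base key */
    int perm;      /* permission bits to OR into the shmget() flags */
};

/* Returns 0 and fills *out on success, -1 on a malformed parameter string. */
int parse_shm_param(const char *s, struct shm_param *out)
{
    const char *p;
    char *end;
    long seg, perm;

    if (s == NULL || out == NULL) return -1;

    errno = 0;
    seg = strtol(s, &end, 10);
    if (end == s || errno != 0 || seg < 0) return -1;
    out->segment = (int)seg;
    out->perm = SHM_DEFAULT_PERM;

    if (*end == '\0') return 0;                    /* no option: safe default */
    if (strncmp(end, ":perm=", 6) != 0) return -1; /* unknown option */

    p = end + 6;
    errno = 0;
    perm = strtol(p, &end, 8);                     /* octal, like strtol(s, NULL, 8) */
    if (end == p || *end != '\0' || errno != 0 || perm < 0) return -1;

    /* AND with 0666 as proposed in the thread: a typo such as 4666 or 1777
       cannot smuggle setuid/setgid, sticky or execute bits into shmget(). */
    out->perm = (int)(perm & SHM_PERM_MASK);
    return 0;
}
```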