X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Ftimesync%2Ftimesyncd.c;h=21843363d2ac03259ad7b48cb980f45c25b2eb52;hb=9f7115498bac670013f6b8923f2e12366fbd13a8;hp=13cd3b1ed3c2f7d24453099b8dad8ab8ccff1739;hpb=9b3310b066136b0674a926da094b7fe87a13a58b;p=elogind.git

diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index 13cd3b1ed..21843363d 100644
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -33,6 +33,9 @@
 #include <sys/timex.h>
 #include <sys/socket.h>
 #include <resolv.h>
+#include <sys/prctl.h>
+#include <sys/types.h>
+#include <grp.h>
 
 #include "missing.h"
 #include "util.h"
@@ -49,6 +52,7 @@
 #include "sd-network.h"
 #include "event-util.h"
 #include "network-util.h"
+#include "capability.h"
 #include "timesyncd.h"
 
 #define TIME_T_MAX (time_t)((1UL << ((sizeof(time_t) << 3) - 1)) - 1)
@@ -205,7 +209,7 @@ static int manager_send_request(Manager *m) {
                 return manager_connect(m);
         }
 
-        /* re-arm timer with incresing timeout, in case the packets never arrive back */
+        /* re-arm timer with increasing timeout, in case the packets never arrive back */
         if (m->retry_interval > 0) {
                 if (m->retry_interval < NTP_POLL_INTERVAL_MAX_SEC * USEC_PER_SEC)
                         m->retry_interval *= 2;
@@ -972,6 +976,8 @@ static int manager_new(Manager **ret) {
         if (r < 0)
                 return r;
 
+        sd_event_set_watchdog(m->event, true);
+
         sd_event_add_signal(m->event, &m->sigterm, SIGTERM, NULL,  NULL);
         sd_event_add_signal(m->event, &m->sigint, SIGINT, NULL, NULL);
 
@@ -981,7 +987,7 @@ static int manager_new(Manager **ret) {
 
         r = sd_resolve_attach_event(m->resolve, m->event, 0);
         if (r < 0)
-                return 0;
+                return r;
 
         r = manager_clock_watch_setup(m);
         if (r < 0)
@@ -1138,6 +1144,80 @@ static int manager_network_monitor_listen(Manager *m) {
         return 0;
 }
 
+static int drop_priviliges(void) {
+        static const cap_value_t bits[] = {
+                CAP_SYS_TIME,
+        };
+
+        _cleanup_cap_free_ cap_t d = NULL;
+        const char *name = "systemd-timesync";
+        uid_t uid;
+        gid_t gid;
+        int r;
+
+        /* Unfortunately we cannot leave privilige dropping to PID 1
+         * here, since we want to run as user but want to keep te
+         * CAP_SYS_TIME capability. Since file capabilities have been
+         * introduced this cannot be done across exec() anymore,
+         * unless our binary has the capability configured in the file
+         * system, which we want to avoid. */
+
+        r = get_user_creds(&name, &uid, &gid, NULL, NULL);
+        if (r < 0) {
+                log_error("Cannot resolve user name %s: %s", name, strerror(-r));
+                return r;
+        }
+
+        if (setresgid(gid, gid, gid) < 0) {
+                log_error("Failed change group ID: %m");
+                return -errno;
+        }
+
+        if (setgroups(0, NULL) < 0) {
+                log_error("Failed to drop auxiliary groups list: %m");
+                return -errno;
+        }
+
+        if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
+                log_error("Failed to enable keep capabilities flag: %m");
+                return -errno;
+        }
+
+        r = setresuid(uid, uid, uid);
+        if (r < 0) {
+                log_error("Failed change user ID: %m");
+                return -errno;
+        }
+
+        if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
+                log_error("Failed to disable keep capabilities flag: %m");
+                return -errno;
+        }
+
+        r = capability_bounding_set_drop(~(1ULL << CAP_SYS_TIME), true);
+        if (r < 0) {
+                log_error("Failed to drop capabilities: %s", strerror(-r));
+                return r;
+        }
+
+        d = cap_init();
+        if (!d)
+                return log_oom();
+
+        if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
+            cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
+                log_error("Failed to enable capabilities bits: %m");
+                return -errno;
+        }
+
+        if (cap_set_proc(d) < 0) {
+                log_error("Failed to increase capabilities: %m");
+                return -errno;
+        }
+
+        return 0;
+}
+
 int main(int argc, char *argv[]) {
         _cleanup_manager_free_ Manager *m = NULL;
         int r;
@@ -1154,6 +1234,10 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
+        r = drop_priviliges();
+        if (r < 0)
+                goto out;
+
         assert_se(sigprocmask_many(SIG_BLOCK, SIGTERM, SIGINT, -1) == 0);
 
         r = manager_new(&m);