faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sys_linux: don't keep NET_BIND_SERVICE for unprivileged port

Browse source 
Don't keep the NET_BIND_SERVICE capability if the configured NTP port is
not privileged (i.e. not smaller than 1024).
This commit is contained in:
Miroslav Lichvar 2020-09-15 12:02:49 +02:00
parent 349323dec7
commit c28c2cde43
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
sys_linux.c
View file

@ -437,12 +437,14 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
UTI_DropRoot(uid, gid); UTI_DropRoot(uid, gid);
/* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound. /* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound
to a privileged port.
Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on
kernels before 5.7. kernels before 5.7.
Keep CAP_SYS_TIME if the clock control is enabled. */ Keep CAP_SYS_TIME if the clock control is enabled. */
if (snprintf(cap_text, sizeof (cap_text), "%s %s %s", if (snprintf(cap_text, sizeof (cap_text), "%s %s %s",
CNF_GetNTPPort() ? "cap_net_bind_service=ep" : "", (CNF_GetNTPPort() > 0 && CNF_GetNTPPort() < 1024) ?
"cap_net_bind_service=ep" : "",
(CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface()) && (CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface()) &&
!SYS_Linux_CheckKernelVersion(5, 7) ? "cap_net_raw=ep" : "", !SYS_Linux_CheckKernelVersion(5, 7) ? "cap_net_raw=ep" : "",
clock_control ? "cap_sys_time=ep" : "") >= sizeof (cap_text)) clock_control ? "cap_sys_time=ep" : "") >= sizeof (cap_text))