* [Buildroot] [PATCH v2] package/chrony: add default unprivileged user option
@ 2023-02-08 18:27 James Kent
  2023-02-09 20:22 ` Arnout Vandecappelle
  0 siblings, 1 reply; 3+ messages in thread
From: James Kent @ 2023-02-08 18:27 UTC (permalink / raw)
  To: buildroot; +Cc: James Kent, yann.morin.1998

Configurable option to define and enable by default an unprivileged
user which the Chrony daemon will assume once initialised. The
functionality requires libcap which is selected as necessary.

This option supports the good security practice of dropping elevated
privileges for daemon runtime.

The package configuration layout has been updated to current working
practice.

Signed-off-by: James Kent <james.kent@orchestrated-technology.com>
---
 package/chrony/Config.in | 12 +++++++++++-
 package/chrony/chrony.mk |  8 ++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/package/chrony/Config.in b/package/chrony/Config.in
index 158dc20530..0ba14c6aef 100644
--- a/package/chrony/Config.in
+++ b/package/chrony/Config.in
@@ -7,10 +7,20 @@ config BR2_PACKAGE_CHRONY
 
 	  http://chrony.tuxfamily.org/
 
+if BR2_PACKAGE_CHRONY
+
 config BR2_PACKAGE_CHRONY_DEBUG_LOGGING
 	bool "enable debug logging support"
-	depends on BR2_PACKAGE_CHRONY
 	help
 	  Enable support for debug logging output from Chrony when
 	  enabled at runtime. If disabled, code for debug logging will
 	  not be compiled in.
+
+config BR2_PACKAGE_CHRONY_USER
+	bool "chrony default unprivileged user"
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Define and enable default unprivileged user for the Chrony
+	  daemon to run as.
+
+endif
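Review bot: `BR2_PACKAGE_CHRONY_USER` is declared as a plain `bool` with no `default y` line, so it is off unless someone turns it on, while the commit message and the help text ("Define and enable default unprivileged user") describe it as enabled by default. Either add `default y` under the `bool` line, or drop the option and set the user unconditionally; as written, an existing configuration keeps its current behaviour and gains nothing from the change. The help text could also mention that enabling the option selects libcap, since that pulls another package into the image.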
diff --git a/package/chrony/chrony.mk b/package/chrony/chrony.mk
index 379e95a778..16f8f082a3 100644
--- a/package/chrony/chrony.mk
+++ b/package/chrony/chrony.mk
@@ -21,6 +21,14 @@ CHRONY_CONF_OPTS = \
 
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
 CHRONY_DEPENDENCIES += libcap
+
+ifeq ($(BR2_PACKAGE_CHRONY_USER),y)
+CHRONY_CONF_OPTS += --with-user=chrony
+define CHRONY_USERS
+	chrony -1 chrony -1 * /run/chrony - - Time daemon
+endef
+endif
+
 else
 CHRONY_CONF_OPTS += --without-libcap
 endif
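Review bot: the new `ifeq ($(BR2_PACKAGE_CHRONY_USER),y)` block sits inside the `BR2_PACKAGE_LIBCAP` branch, which only works because the Config.in option selects libcap; a one-line comment stating that `--with-user` needs libcap would keep a later refactor from moving it out of that branch. In the `CHRONY_USERS` entry the password `*` and shell `-` give a sensible locked account, but the home is `/run/chrony` and nothing in this hunk touches the ownership of the paths chronyd writes to after it switches user, so it is worth confirming that the packaged configuration and init script leave those directories writable by `chrony`.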
-- 
2.35.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH v2] package/chrony: add default unprivileged user option
  2023-02-08 18:27 [Buildroot] [PATCH v2] package/chrony: add default unprivileged user option James Kent
@ 2023-02-09 20:22 ` Arnout Vandecappelle
  2023-02-11 15:01   ` Yann E. MORIN
  0 siblings, 1 reply; 3+ messages in thread
From: Arnout Vandecappelle @ 2023-02-09 20:22 UTC (permalink / raw)
  To: James Kent, buildroot; +Cc: yann.morin.1998

  Hi James,

On 08/02/2023 19:27, James Kent wrote:
> Configurable option to define and enable by default an unprivileged
> user which the Chrony daemon will assume once initialised. The
> functionality requires libcap which is selected as necessary.
> 
> This option supports the good security practice of dropping elevated
> privileges for daemon runtime.
> 
> The package configuration layout has been updated to current working
> practice.
> 
> Signed-off-by: James Kent <james.kent@orchestrated-technology.com>
> ---
>   package/chrony/Config.in | 12 +++++++++++-
>   package/chrony/chrony.mk |  8 ++++++++
>   2 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/package/chrony/Config.in b/package/chrony/Config.in
> index 158dc20530..0ba14c6aef 100644
> --- a/package/chrony/Config.in
> +++ b/package/chrony/Config.in
> @@ -7,10 +7,20 @@ config BR2_PACKAGE_CHRONY
>   
>   	  http://chrony.tuxfamily.org/
>   
> +if BR2_PACKAGE_CHRONY
> +
>   config BR2_PACKAGE_CHRONY_DEBUG_LOGGING
>   	bool "enable debug logging support"
> -	depends on BR2_PACKAGE_CHRONY
>   	help
>   	  Enable support for debug logging output from Chrony when
>   	  enabled at runtime. If disabled, code for debug logging will
>   	  not be compiled in.
> +
> +config BR2_PACKAGE_CHRONY_USER
> +	bool "chrony default unprivileged user"

  Is there any reason to do this conditionally? For all other packages, we do it 
unconditionally.

  Regards,
  Arnout

> +	select BR2_PACKAGE_LIBCAP
> +	help
> +	  Define and enable default unprivileged user for the Chrony
> +	  daemon to run as.
> +
> +endif
> diff --git a/package/chrony/chrony.mk b/package/chrony/chrony.mk
> index 379e95a778..16f8f082a3 100644
> --- a/package/chrony/chrony.mk
> +++ b/package/chrony/chrony.mk
> @@ -21,6 +21,14 @@ CHRONY_CONF_OPTS = \
>   
>   ifeq ($(BR2_PACKAGE_LIBCAP),y)
>   CHRONY_DEPENDENCIES += libcap
> +
> +ifeq ($(BR2_PACKAGE_CHRONY_USER),y)
> +CHRONY_CONF_OPTS += --with-user=chrony
> +define CHRONY_USERS
> +	chrony -1 chrony -1 * /run/chrony - - Time daemon
> +endef
> +endif
> +
>   else
>   CHRONY_CONF_OPTS += --without-libcap
>   endif

* Re: [Buildroot] [PATCH v2] package/chrony: add default unprivileged user option
  2023-02-09 20:22 ` Arnout Vandecappelle
@ 2023-02-11 15:01   ` Yann E. MORIN
  0 siblings, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2023-02-11 15:01 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: James Kent, buildroot

Arnout, James, All,

On 2023-02-09 21:22 +0100, Arnout Vandecappelle spake thusly:
> On 08/02/2023 19:27, James Kent wrote:
> >Configurable option to define and enable by default an unprivileged
> >user which the Chrony daemon will assume once initialised. The
> >functionality requires libcap which is selected as necessary.
> >
> >This option supports the good security practice of dropping elevated
> >privileges for daemon runtime.
> >
> >The package configuration layout has been updated to current working
> >practice.
> >
> >Signed-off-by: James Kent <james.kent@orchestrated-technology.com>
> >---
[--SNIP--]
> >+config BR2_PACKAGE_CHRONY_USER
> >+	bool "chrony default unprivileged user"
>  Is there any reason to do this conditionally? For all other packages, we do
> it unconditionally.

From what I read, there are three situations to run chrony:
  - start as root and stay running as root;
  - start as root, setuid to a user either with a commandline option, or
    a configuration directive;
  - start as root, and setuid to a user defined at build-time (which can
    still be overridden on the commandline or a configuration directive).

What this patch does, is to allow for the third option.

As it was previously already possible to run as non-root, by just
enabling libcap in Buildroot's config, and adding the user configuration
directive in chrony's config file (or run it with -u), some people may
already do that in their setups, and we do not want to break that. So
those people do have either the config directive or the -u option, which
both take precedence over the build-time configuration.

As for those that do run as root, switching to a non-root user should
not have any impact in functionality.

So, we can safely unconditionally default to a compile-time non-root
user. Except, a linux kernel may only have the root user, see
CONFIG_MULTIUSER. But in that case we'd have tons of other packages that
are gonna whine...

Applied to master without the condition, thanks.

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> >+	select BR2_PACKAGE_LIBCAP
> >+	help
> >+	  Define and enable default unprivileged user for the Chrony
> >+	  daemon to run as.
> >+
> >+endif
> >diff --git a/package/chrony/chrony.mk b/package/chrony/chrony.mk
> >index 379e95a778..16f8f082a3 100644
> >--- a/package/chrony/chrony.mk
> >+++ b/package/chrony/chrony.mk
> >@@ -21,6 +21,14 @@ CHRONY_CONF_OPTS = \
> >  ifeq ($(BR2_PACKAGE_LIBCAP),y)
> >  CHRONY_DEPENDENCIES += libcap
> >+
> >+ifeq ($(BR2_PACKAGE_CHRONY_USER),y)
> >+CHRONY_CONF_OPTS += --with-user=chrony
> >+define CHRONY_USERS
> >+	chrony -1 chrony -1 * /run/chrony - - Time daemon
> >+endef
> >+endif
> >+
> >  else
> >  CHRONY_CONF_OPTS += --without-libcap
> >  endif

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
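
A check for the privilege drop discussed in this thread, run against the daemon's `/proc/<pid>/status` on the target. This is an added example, not part of the thread and not Buildroot or chrony code; the function names and the allowed capability mask (CAP_NET_BIND_SERVICE and CAP_SYS_TIME) are assumptions, and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: confirm a daemon left root behind, from /proc/<pid>/status.
# Assumption: the only capabilities the daemon should retain are
# CAP_NET_BIND_SERVICE (bit 10) and CAP_SYS_TIME (bit 25).
ALLOWED_CAPS=$(( (1 << 10) | (1 << 25) ))

# check_priv_drop [STATUS_FILE]   (reads stdin when no file is given)
# Prints a verdict; returns 0 if all four UIDs are non-root and CapEff is
# within ALLOWED_CAPS, 1 if not, 2 if the input cannot be parsed.
check_priv_drop() {
    status=$(cat "${1:--}") || { echo "unparsable"; return 2; }
    uids=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $2, $3, $4, $5 }')
    cap_hex=$(printf '%s\n' "$status" | awk '$1 == "CapEff:" { print $2 }')
    case "$cap_hex" in
        ''|*[!0-9a-fA-F]*) echo "unparsable"; return 2 ;;
    esac
    [ -n "$uids" ] || { echo "unparsable"; return 2; }
    # Real, effective, saved and filesystem UID must all be non-zero.
    for uid in $uids; do
        if [ "$uid" -eq 0 ]; then
            echo "root-uid"; return 1
        fi
    done
    # Any effective capability outside the allowed mask is reported.
    extra=$(( 0x$cap_hex & ~$ALLOWED_CAPS ))
    if [ "$extra" -ne 0 ]; then
        printf 'extra-caps:0x%x\n' "$extra"; return 1
    fi
    echo "dropped"; return 0
}

# Constructed sample input: sample_status UID CAPEFF_HEX
sample_status() {
    printf 'Name:\tchronyd\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' \
        "$1" "$1" "$1" "$1" "$2"
}

# On a live target: check_priv_drop "/proc/$(pidof chronyd)/status"
```
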
