Bug 126360 - init script does ntpdate with -U to drop root priv
init script does ntpdate with -U to drop root priv
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: ntp (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-20 01:59 EDT by Jon Smirl
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-30 07:09:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jon Smirl 2004-06-20 01:59:37 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040211 Firefox/0.8

Description of problem:
In the ntpd init script it does:
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null

The $drop string contains:
-U ntp

This works fine on the standard Redhat kernel.

On a kernel without SE Linux turned on it fails. 

debug.5:May 25 17:36:11 smirl ntpdate[3384]: cap_set_proc failed.
debug.5:May 25 17:36:12 smirl ntpd[3389]: cap_set_proc failed.

Workaround is to remove $dropstr on non-SE kernels.


Version-Release number of selected component (if applicable):
ntp-4.2.0-8

How reproducible:
Always
Comment 1 Josh Rollyson 2004-06-20 23:46:37 EDT
IIRC, this can be done with a non-selinux-enabled kernel, but
CAP_SETPCAP may need to have been unmasked in the kernel source
(include/linux/capability.h iirc)

If you test, you'll probably want to test for the presense of
capability flags, rather than for specific patches.
Comment 2 Harald Hoyer 2004-07-13 11:47:13 EDT
does loading the 'capability' module solve your problem?
Comment 3 Harald Hoyer 2004-07-13 11:47:27 EDT
see #101393
Comment 4 Jon Smirl 2004-07-15 00:37:17 EDT
I believe the 'capabilities' module is a 2.4 feature. I looked around
in the 2.6 tree can couldn't find anything by that name. I have the
'default' security model turned on. If I turn on 'selinux' the problem
goes away. The problem is still there with kernel 2.6.8-rc1.

I suspect ntpd -U is using a SELinux feature that is not there in a
standard kernel.

To change your kernel security mode, make xconfig, select security,
select enable different security mode, pick default instead of se.
Comment 5 Harald Hoyer 2004-08-30 07:09:16 EDT
capabilites are present in the kernel 2.6 and are essential for Red
Hat's security model. Without capabilities ntp cannot drop root
rights, so you have to remove the command line parameters yourself. sorry!

Note You need to log in before you can comment on or make changes to this bug.