• Aborting ntpd when unable to control the clock

    From Dave Hart@davehart@gmail.com to NTP coders on Tue Nov 12 19:13:05 2024
    From Newsgroup: comp.protocols.time.ntp


    It seems obvious to me that ntpd should log an error and terminate when it
    is unable to adjust the system clock. To my surprise,
    https://bugs.ntp.org/1433 pointed out that when a Linux ntpd binary built
    to use capabilities is run on a kernel build without capability capability,
    ntpd blithely runs without complaint while effectively doing nothing. For
    this specific problem, you could blame the user and say they need to use
    ntpd built --without-linux-caps, but there's a more general issue of ntpd
    not reporting let alone aborting on a failure to control the clock.

    To explain the context a bit, I came across bug 1433 somehow and saw that
    in 2019 the decade-old bug was fixed by having ntpd test for whether
    capabilities work before dropping root (they're needed to crank the clock
    when not running as root on Linux). When capabilities do not work, ntpd
    was then ignoring the request to drop root and run as a user, typically
    "ntp". This meant it was silently opening up an opportunity for more
    useful privilege elevation or remote code execution despite the user's
    explicit configuration, and that's unacceptable to me. My intention is to
    change the behavior to error out when controlling the clock fails (via step
    or slew). If you think that's a bad idea, please speak up and explain your
    reasoning.

    Cheers,
    Dave Hart


    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Terje Mathisen@terje@tmsw.no to Dave Hart on Wed Nov 13 12:13:05 2024
    From Newsgroup: comp.protocols.time.ntp


    Dave Hart wrote:
    It seems obvious to me that ntpd should log an error and terminate
    when it is unable to adjust the system clock. To my surprise,
    https://bugs.ntp.org/1433 pointed out that when a Linux ntpd binary
    built to use capabilities is run on a kernel build without capability
    capability, ntpd blithely runs without complaint while effectively
    doing nothing. For this specific problem, you could blame the user
    and say they need to use ntpd built --without-linux-caps, but there's
    a more general issue of ntpd not reporting let alone aborting on a
    failure to control the clock.

    To explain the context a bit, I came across bug 1433 somehow and saw
    that in 2019 the decade-old bug was fixed by having ntpd test for
    whether capabilities work before dropping root (they're needed to
    crank the clock when not running as root on Linux). When capabilities
    do not work, ntpd was then ignoring the request to drop root and run
    as a user, typically "ntp". This meant it was silently opening up an
    opportunity for more useful privilege elevation or remote code
    execution despite the user's explicit configuration, and that's
    unacceptable to me. My intention is to change the behavior to error
    out when controlling the clock fails (via step or slew). If you think
    that's a bad idea, please speak up and explain your reasoning.

    Cheers,
    Dave Hart
    I agree, that seems like The Right Thing to do.

    Terje
    PS. I'm going to retire soon, so my intention is to get back into NTP
    Hackers work at that point!

    --
    - <Terje@tmsw.no>
    "almost all programming can be viewed as an exercise in caching"


  • From Dave Hart@davehart@gmail.com to Majdi S. Abbas on Thu Nov 14 02:38:00 2024
    From Newsgroup: comp.protocols.time.ntp


    On Thu, Nov 14, 2024 at 2:31 AM Majdi S. Abbas <msa@latt.net> wrote:

    On Tue, Nov 12, 2024 at 07:10:12PM +0000, Dave Hart wrote:
    It seems obvious to me that ntpd should log an error and terminate when it
    is unable to adjust the system clock. To my surprise,
    https://bugs.ntp.org/1433 pointed out that when a Linux ntpd binary built
    to use capabilities is run on a kernel build without capability capability,
    ntpd blithely runs without complaint while effectively doing nothing. For
    this specific problem, you could blame the user and say they need to use
    ntpd built --without-linux-caps, but there's a more general issue of ntpd
    not reporting let alone aborting on a failure to control the clock.

    Note that widely used operating systems, like Apple's OS X, run
    ntpd as a monitoring service that explicitly does not/cannot discipline
    the clock.

    I've also heard of people explicitly running ntpd to monitor and
    log statistics, without wanting it to discipline the clock.

    Perhaps the cleanest way to do this is add a flag to run the
    daemon without attempting to discipline the clock?


    I believe that flag is already there, "disable ntp". I haven't used it
    though.

    Cheers,
    Dave Hart

  • From Majdi S. Abbas@msa@latt.net to Dave Hart on Thu Nov 14 02:38:00 2024
    From Newsgroup: comp.protocols.time.ntp

    On Tue, Nov 12, 2024 at 07:10:12PM +0000, Dave Hart wrote:
    It seems obvious to me that ntpd should log an error and terminate when it
    is unable to adjust the system clock. To my surprise,
    https://bugs.ntp.org/1433 pointed out that when a Linux ntpd binary built
    to use capabilities is run on a kernel build without capability capability,
    ntpd blithely runs without complaint while effectively doing nothing. For
    this specific problem, you could blame the user and say they need to use
    ntpd built --without-linux-caps, but there's a more general issue of ntpd
    not reporting let alone aborting on a failure to control the clock.

    Note that widely used operating systems, like Apple's OS X, run
    ntpd as a monitoring service that explicitly does not/cannot discipline
    the clock.

    I've also heard of people explicitly running ntpd to monitor and
    log statistics, without wanting it to discipline the clock.

    Perhaps the cleanest way to do this is add a flag to run the
    daemon without attempting to discipline the clock?

    --msa

  • From Harlan Stenn via questions Mailing List@questions@lists.ntp.org to Dave Hart on Thu Nov 14 07:13:00 2024
    From Newsgroup: comp.protocols.time.ntp

    On 11/13/2024 6:35 PM, Dave Hart wrote:
    On Thu, Nov 14, 2024 at 2:31 AM Majdi S. Abbas <msa@latt.net> wrote:

    On Tue, Nov 12, 2024 at 07:10:12PM +0000, Dave Hart wrote:
    > It seems obvious to me that ntpd should log an error and terminate when it
    > is unable to adjust the system clock.  To my surprise,
    > https://bugs.ntp.org/1433 pointed out that when a Linux ntpd binary built
    > to use capabilities is run on a kernel build without capability capability,
    > ntpd blithely runs without complaint while effectively doing nothing.  For
    > this specific problem, you could blame the user and say they need to use
    > ntpd built --without-linux-caps, but there's a more general issue of ntpd
    > not reporting let alone aborting on a failure to control the clock.

    Note that widely used operating systems, like Apple's OS X, run
    ntpd as a monitoring service that explicitly does not/cannot discipline
    the clock.

    I've also heard of people explicitly running ntpd to monitor and
    log statistics, without wanting it to discipline the clock.

    Perhaps the cleanest way to do this is add a flag to run the
    daemon without attempting to discipline the clock?


    I believe that flag is already there, "disable ntp".  I haven't used it though.

    To be clear, deciding when ntpd should abort if it cannot discipline the
    clock should be done at the "right" place in the code - not too early,
    and not too late.

    Cheers,
    Dave Hart

    --
    Harlan Stenn <stenn@nwtime.org>
    https://www.nwtime.org/ - be a member!

  • From Dave Hart@davehart@gmail.com to Harlan Stenn on Thu Nov 14 08:53:05 2024
    From Newsgroup: comp.protocols.time.ntp


    On Thu, Nov 14, 2024 at 7:04 AM Harlan Stenn <stenn@nwtime.org> wrote:

    To be clear, deciding when ntpd should abort if it cannot discipline the
    clock should be done at the "right" place in the code - not too early,
    and not too late.


    Well, Goldilocks, it seems obvious to me -- when an attempt to modify the system time/clock rate fails.

    Cheers,
    Dave Hart

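The thread above makes two points a practitioner may want to see in code: Dave Hart's, that a daemon which cannot control the clock must say so and exit rather than silently run on (and, in the bug 1433 case, must never quietly keep root when the configured privilege drop cannot be honoured), and Majdi Abbas's, that a monitor-only instance (what ntpd's `disable ntp` asks for) legitimately runs without clock control. The program below is an added illustration written for this page; it is not ntpd's code and does not claim to show how ntpd implements either the capability test or `disable ntp`. It assumes Linux, uses the raw capset(2) syscall instead of libcap so it builds with no extra libraries, probes clock control by reading the current frequency offset with adjtimex(2) and writing the identical value back (a write with any ADJ_* mode set needs CAP_SYS_TIME, so this fails with EPERM exactly when a real slew or step would; the write is assumed harmless because nothing changes), and uses the `nobody` account and a `--monitor-only` switch as hypothetical stand-ins for the `ntp` user and the `disable ntp` directive.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/timex.h>
#include <unistd.h>
#include <linux/capability.h>

/* Outcome of an attempt to control the clock. */
enum clock_ctl {
    CLOCK_OK = 0,        /* the kernel accepted the (no-op) adjustment */
    CLOCK_NO_PRIVILEGE,  /* EPERM/EACCES: no CAP_SYS_TIME, seccomp, ... */
    CLOCK_UNSUPPORTED    /* anything else, e.g. ENOSYS inside a sandbox */
};

/* Pure classification of an adjtimex() result; kept separate so it is testable
 * and so the same rule can be applied at every real slew/step call site. */
enum clock_ctl classify_clock_result(int rc, int err)
{
    if (rc >= 0)                       /* adjtimex returns the clock state (>= 0) on success */
        return CLOCK_OK;
    if (err == EPERM || err == EACCES)
        return CLOCK_NO_PRIVILEGE;
    return CLOCK_UNSUPPORTED;
}

/* Illustrative probe (not ntpd's own test): read the frequency offset, then
 * write the same value back.  Any ADJ_* write needs CAP_SYS_TIME. */
enum clock_ctl probe_clock_control(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = 0;                                   /* read-only query */
    if (adjtimex(&tx) < 0)
        return classify_clock_result(-1, errno);
    tx.modes = ADJ_FREQUENCY;                       /* re-apply what we just read */
    int rc = adjtimex(&tx);
    return classify_clock_result(rc, errno);
}

/* A failed probe is fatal unless the operator asked for a monitor-only daemon. */
int must_abort(enum clock_ctl probe, int monitor_only)
{
    return probe != CLOCK_OK && !monitor_only;
}

/* Drop root but retain CAP_SYS_TIME, via raw capset(2) rather than libcap.
 * Returns -1 (errno set) if any step fails; the caller must then exit, not
 * carry on as root. */
int drop_root_keep_sys_time(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)   /* keep permitted set across setuid */
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* setuid() cleared the effective set; re-raise only CAP_SYS_TIME. */
    memset(data, 0, sizeof data);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].permitted = CAP_TO_MASK(CAP_SYS_TIME);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].effective = CAP_TO_MASK(CAP_SYS_TIME);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(int argc, char **argv)
{
    int monitor_only = (argc > 1 && strcmp(argv[1], "--monitor-only") == 0);

    if (getuid() == 0) {
        /* Hypothetical unprivileged account; a real daemon would use its own ("ntp"). */
        struct passwd *pw = getpwnam("nobody");
        uid_t uid = pw ? pw->pw_uid : 65534;
        gid_t gid = pw ? pw->pw_gid : 65534;
        if (drop_root_keep_sys_time(uid, gid) < 0) {
            /* Staying root here is the silent failure the thread objects to. */
            fprintf(stderr, "cannot drop root while keeping CAP_SYS_TIME: %s\n",
                    strerror(errno));
            return EXIT_FAILURE;
        }
    }

    enum clock_ctl r = probe_clock_control();
    if (must_abort(r, monitor_only)) {
        fprintf(stderr, "unable to control the system clock (%s); exiting\n",
                r == CLOCK_NO_PRIVILEGE ? "no privilege" : "unsupported");
        return EXIT_FAILURE;
    }
    printf("clock control %s as uid %u\n",
           r == CLOCK_OK ? "verified" : "not available (monitor-only)",
           (unsigned)getuid());
    return EXIT_SUCCESS;
}
```

Run it as root and it drops to `nobody`, re-checks that adjustment still works with only CAP_SYS_TIME, and exits non-zero if it does not; run it unprivileged and it exits non-zero unless `--monitor-only` is given. The startup probe is one place to make the decision; the same `classify_clock_result` rule applied to the return value of every real adjtimex/clock_settime call is the other, which is where the reply above says the failure should be caught.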