[opensuse] Help VRFY BUG with ntp: gid not set to primary group-id of user ntp; Security threat:low?
As I've been told is good practice, I tend to put each of my daemons with different UID's also in their own groups (if possible with same name and GID). For example, for "ntp", UID=74, in "/etc/passwd", I list its group as "74". In "/etc/group", I have "ntp" as group 74. I "expected" ntp to be running as user "ntp", group "ntp".
ps -eo pid,user,group,uid,gid,args|grep ntp
Much to my surprise, I found ntp to be running with group "root":

pid user group uid gid arg
2601 ntp root 74 0 /usr/sbin/ntpd

In the "/etc/sysconfig" dir, file "ntp" specifies "-u ntp" in its arguments.

I checked the man page for ntpd, and found for the "-u" switch:

-u server_user
    Ntpd process drops root privileges and changes user ID to server_user and group ID to the primary group of server_user.

---

Clearly, on my system, this doesn't appear to be happening.

Can anyone verify if this is working as documented (gid is set to primary group of the server_user) on their system, or is this a bug that should be reported?

Thanks...

It *appears* a simple workaround can be to include the -g ntp param to startproc in the startup script -- but this is kludgey, since you can't set the group (via -g) on the ntp command line (-g is used for something else). So ntp should really be setting the group correctly or it could be running as an "invalid" user with an "ELEVATED" group of "root"....
On Thursday 11 September 2008, Linda Walsh wrote:
> ps -eo pid,user,group,uid,gid,args|grep ntp
> Much to my surprise, I found ntp to be running with group "root":
> pid user group uid gid arg
> 2601 ntp root 74 0 /usr/sbin/ntpd
Output on opensuse 11:
3950 ntp ntp 74 113 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /var/lib/ntp -c /etc/ntp.conf
> In the "/etc/sysconfig" dir, file "ntp" specifies "-u ntp" in its arguments.
NTPD_OPTIONS="-g -u ntp:ntp" here.

Regards
The Friday 2008-09-12 at 13:14 +0300, auxsvr@gmail.com wrote:
>> Much to my surprise, I found ntp to be running with group "root":
>> pid user group uid gid arg
>> 2601 ntp root 74 0 /usr/sbin/ntpd
> Output on opensuse 11:
> 3950 ntp ntp 74 113 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /var/lib/ntp -c /etc/ntp.conf
How do you force ps to output the group?

I use "ps afxu", where "u" stands for group. The man page seems to say that "g" is for group, but it doesn't work, and "ps --help" says that it is "g OBSOLETE -- DO NOT USE".

So?

-- 
Cheers,
Carlos E. R.
The Friday 2008-09-12 at 12:52 +0200, I wrote:

Errata:
> where "u" stands for group.
stands for user, obviously.

-- 
Cheers,
Carlos E. R.
On Friday 12 September 2008, Carlos E. R. wrote:
> How do you force ps to output the group? I use "ps afxu", where "u" stands for group. The man page seems to say that "g" is for group, but it doesn't work, and "ps --help" says that it is "g OBSOLETE -- DO NOT USE".
ps -eo pid,user,group,uid,gid,args|grep ntp, it's the line after which you start quoting.

Regards
auxsvr@gmail.com wrote:
>> In the "/etc/sysconfig" dir, file "ntp" specifies "-u ntp" in its arguments.
> NTPD_OPTIONS="-g -u ntp:ntp" here. Regards
That's certainly convenient. Did you set that?

I set up my ntp configuration so many years back, I don't remember if I set up the options or not -- my "-u ntp" could have been 'grandfathered', though according to the manpage, it should set the user's primary group (ntp) as well.

I don't recall seeing the user:group in the documentation, but I might have missed something like that if I was expecting to rely on the primary group getting set.

Thanks for the quick response! :-)

-linda
The Friday 2008-09-12 at 13:18 -0700, Linda Walsh wrote:
>>> In the "/etc/sysconfig" dir, file "ntp" specifies "-u ntp" in its arguments.
>> NTPD_OPTIONS="-g -u ntp:ntp" here.
> That's certainly convenient. Did you set that?
Suse did :-)

Look at the file:

## Type: string
## Default: "-g -u ntp:ntp"
#
# Additional arguments when starting ntpd. The most
# important ones would be
# -u user[:group] to make ntpd run as a user (group) other than root.
#
NTPD_OPTIONS="-g -u ntp:ntp"

It is the default config...

-- 
Cheers,
Carlos E. R.
Linda Walsh wrote:
> I "expected" ntp to be running as user "ntp", group "ntp".
See bug #351059 at [1]. It was in 10.3 and got fixed for 11.0.

Regards
nordi

[1] https://bugzilla.novell.com/show_bug.cgi?id=351059
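
Added example, not part of any post in this thread: a shell check that reads the `ps -eo pid,user,group,uid,gid,args` output used above and reports processes that left UID 0 but kept GID 0, or that run with a group other than the account's primary group in a passwd-format file. The function names, the result labels and every sample row except PID 2601 are constructed for illustration.

```shell
#!/bin/sh
# audit_ps_groups PASSWD_FILE   (ps -eo pid,user,group,uid,gid,args on stdin)
# Prints one line per process whose group does not match a clean privilege drop.
audit_ps_groups() {
    awk -v pw="$1" '
        BEGIN {
            # Build a uid -> primary gid map from the passwd-format file.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                primary[f[3]] = f[4]
            }
            close(pw)
        }
        $1 !~ /^[0-9]+$/ { next }   # skip the ps header line
        $4 == 0          { next }   # still UID 0: no privilege drop to check
        $5 == 0 { print $1, $2, "gid=0", "ROOT_GROUP_KEPT"; next }
        ($4 in primary) && primary[$4] != $5 {
            print $1, $2, "gid=" $5, "EXPECTED_GID=" primary[$4]
        }
    '
}

# Constructed sample data: PID 2601 is the line reported in the thread;
# the other ps rows and all passwd entries are made up for this example.
demo() {
    pwfile=$(mktemp) || return 1
    cat > "$pwfile" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ntp:x:74:74:NTP daemon:/var/lib/ntp:/bin/false
named:x:44:44:Name server:/var/lib/named:/bin/false
messagebus:x:100:101:D-Bus:/var/run/dbus:/bin/false
EOF
    audit_ps_groups "$pwfile" <<'EOF'
  PID USER     GROUP      UID   GID COMMAND
    1 root     root         0     0 init
 2601 ntp      root        74     0 /usr/sbin/ntpd
  812 messagebus messagebus 100 101 /bin/dbus-daemon --system
  900 named    users       44   100 /usr/sbin/named -u named
EOF
    rc=$?
    rm -f "$pwfile"
    return $rc
}

demo
```

On a live system the equivalent call is `ps -eo pid,user,group,uid,gid,args | audit_ps_groups /etc/passwd`. An EXPECTED_GID line is not necessarily a fault when the group was set explicitly, as with "-u ntp:ntp"; ROOT_GROUP_KEPT is the case reported in this thread.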