# How to put NTPD in a jail?

## syncmaster

hi,

now, my ntpd works great, but how can I put ntpd in a jail (aka chroot)? Most docs are very old.

i tested:

```
/usr/bin/ntpd -u ntp:ntp -i /var/chroot/ntp
```

it starts without any errors, but not in the (incomplete) chroot :-/

any hints?

----------

## Chris W

I imagine the /var/chroot/ntp directory should contain at least the NTP configuration files and runtime directories /var/run, /var/lib/ntp, etc.

The NTP code needs to have Linux Capabilities support built in in order for the non-root user to play with the time.  That seems to be the case with a Gentoo ebuild.

----------

## Fog_Watch

Given the paucity of documentation on chrooting ntpd I presume that people don't bother to do it.  This seems strange, though, given that there are command line options for doing this.  Has anyone read how to use -u ntp:ntp -i /chroot/ntp, or seen documentation about chrooting ntpd?

Regards

Fog_Watch.

----------

## xglad

I have the basics working but it's a bit clunky.

/etc/conf.d/ntpd:

```
NTPD_OPTS="-u ntp:ntp -i /chroots/ntpd"
```

/etc/ntp.conf:

```
restrict 127.0.0.1 nomodify
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
logfile /chroots/ntpd/ntp.log
driftfile /var/lib/ntp/ntp.drift
```

```
# ls -l -R /var/lib/ntp
/var/lib/ntp:
total 0
lrwxrwxrwx 1 root root 35 Aug 17 00:34 ntp.drift -> /chroots/ntpd/var/lib/ntp/ntp.drift
```

```
# ls -l -R /chroots
/chroots:
total 0
drwxrwx--- 3 root ntp 96 Aug 17 00:35 ntpd

/chroots/ntpd:
total 4
-rw-r--r-- 1 root root 639 Aug 17 01:45 ntp.log
drwx------ 3 ntp  ntp   72 Aug 17 00:31 var

/chroots/ntpd/var:
total 0
drwx------ 3 ntp ntp 72 Aug 17 00:31 lib

/chroots/ntpd/var/lib:
total 0
drwx------ 2 ntp ntp 80 Aug 17 01:38 ntp

/chroots/ntpd/var/lib/ntp:
total 4
-rw-r--r-- 1 ntp ntp 7 Aug 17 01:38 ntp.drift
```

And some verification:

```
# lsof -p `pidof ntpd` | grep rtd
ntpd    10022  ntp  rtd    DIR        3,6      96     722 /chroots/ntpd
```

```
# ls -l /proc/`pidof ntpd`/root
lrwxrwxrwx 1 root root 0 Aug 17 01:42 /proc/10022/root -> /chroots/ntpd
```

You can read about the necessity of the drift file symlink here. I verified this is still a problem with ntp-4.2.2_p2 via strace.
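A script that builds the layout from the listing above, adds the drift file symlink and checks a process's root the same way as the /proc check; this is an added example, not xglad's own code, and HOST, ROOT and the --setup switch are assumptions of the example:

```shell
#!/bin/sh
# Added example (not from the thread): build the chroot tree shown above, add
# the host-side drift file symlink, and check which directory a process sees
# as "/". Assumed parameters: HOST prefixes the real filesystem ("" normally,
# a scratch directory when testing); ROOT is the chroot, e.g. /chroots/ntpd.
# Ownership is only changed when run as root and the ntp user/group exist.
set -eu

# make_ntpd_chroot HOST ROOT USER GROUP
# ROOT/var/lib/ntp must be writable by the user ntpd drops to with -u,
# since the drift file is rewritten while ntpd runs unprivileged.
make_ntpd_chroot() {
    host=$1 root=$2 user=$3 group=$4
    mkdir -p "$host$root/var/lib/ntp"
    : > "$host$root/ntp.log"            # target of "logfile ROOT/ntp.log"
    chmod 0770 "$host$root"             # drwxrwx--- root:ntp, as in the listing
    chmod 0700 "$host$root/var" "$host$root/var/lib" "$host$root/var/lib/ntp"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1 \
       && getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$host$root"
        chown -R "$user:$group" "$host$root/var"
    fi
}

# link_driftfile HOST ROOT
# ntp.conf names /var/lib/ntp/ntp.drift; pointing the host-side path at the
# file inside the chroot makes both views of that path reach the same file.
link_driftfile() {
    host=$1 root=$2
    mkdir -p "$host/var/lib/ntp"
    ln -sfn "$root/var/lib/ntp/ntp.drift" "$host/var/lib/ntp/ntp.drift"
}

# process_root PID: prints the directory PID sees as "/", read the same way
# as "ls -l /proc/PID/root" above. A properly chrooted ntpd prints ROOT.
process_root() {
    readlink "/proc/$1/root"
}

# chroot_ok PID ROOT: succeeds only if PID really runs inside ROOT.
chroot_ok() {
    [ "$(process_root "$1")" = "$2" ]
}

# Real run (as root): "./mkchroot.sh --setup", start ntpd -u ntp:ntp -i /chroots/ntpd,
# then verify with: chroot_ok "$(pidof ntpd)" /chroots/ntpd
if [ "${1:-}" = "--setup" ]; then
    make_ntpd_chroot "" /chroots/ntpd ntp ntp
    link_driftfile "" /chroots/ntpd
fi
```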

----------

## Fog_Watch

Thanks xglad.  I'll have a look at your post after I've put Squid in its chroot.

Regards

Fog_Watch.

----------

## Fog_Watch

I'm not liking this chroot business.  I failed at squid, and now at ntp.  Boo hoo.

I installed ntp and got it working.  All was fine until I tried to chroot.

It seems as though I cannot drop root privileges.  ntpd works without -u

```
# ntpd && ps aux | grep ntpd
root     19533  0.0  0.4   3680  3680 ?        SLs  13:29   0:00 ntpd
```

ntpd does not work with -u

```
# date && ntpd -u ntp:ntp && ps aux | grep ntp && tail /var/log/ntpd.log
Fri Aug 18 13:36:08 EST 2006
root     17811  0.0  0.0   1436   452 pts/0    S+   13:36   0:00 grep ntp
Aug 18 13:35:55 mr-proliant ntpd[965]: Listening on interface eth1, 192.168.2.1#123
Aug 18 13:35:55 mr-proliant ntpd[965]: Listening on interface lo, 127.0.0.1#123
Aug 18 13:35:55 mr-proliant ntpd[965]: kernel time sync status 0040
Aug 18 13:36:08 mr-proliant ntpd[11996]: ntpd 4.2.0a@1.1190-r Thu Aug 17 10:09:55 EST 2006 (1)
Aug 18 13:36:08 mr-proliant ntpd[11996]: precision = 12.000 usec
Aug 18 13:36:08 mr-proliant ntpd[11996]: Listening on interface wildcard, 0.0.0.0#123
Aug 18 13:36:08 mr-proliant ntpd[11996]: Listening on interface eth0, 192.168.1.2#123
Aug 18 13:36:08 mr-proliant ntpd[11996]: Listening on interface eth1, 192.168.2.1#123
Aug 18 13:36:08 mr-proliant ntpd[11996]: Listening on interface lo, 127.0.0.1#123
Aug 18 13:36:08 mr-proliant ntpd[11996]: kernel time sync status 0040
```

There is nothing in the log that tells me about a misconfiguration.  Yes, I have CONFIG_CAPABILITY built into my kernel.  No, I have not used notrust in my restrict configuration.

man ntpd says this about -u:

> Currently, this option is supported under NetBSD (configure with --enable-clockctl) and Linux (configure with --enable-linuxcaps).

Anybody know anything about this --enable-linuxcaps?  I didn't see anything in emerge -pv net-misc/ntp about this.

I'm stumped.  Any suggestions would be gratefully received.

PS, kernel=2.6.16-hardened-r11

----------

## PaulBredbury

*Fog_Watch wrote:*

> Anybody know anything about this --enable-linuxcaps?

It's done in the ntp ebuild, with: $(use_enable caps linuxcaps)

So it's dependent on the caps USE flag.

----------

## Fog_Watch

Thanks for the tip, PaulBredbury.  I can now use -u on my ntpd, but still not -i.  ntpd returns with:

> cap_set_proc() failed to drop root privileges

These fora are littered with cap_set_proc postings.  The solution they prescribe is to make sure the capability module is loaded.  Well, my kernel .config says this:

> # Logging Options
> #
> CONFIG_GRKERNSEC_FLOODTIME=10
> ...

That is, capability is built into the kernel, just like the wiki says.

Sorry, but I'm stumped again.  Help?  Anybody?  Please?

----------

## tgh

Might want to google through the USENET archives of comp.protocols.time.ntp which is the semi-official location for ntp support.  Chroot'ing was discussed in Nov/Dec 2003, Feb 2004 and Jun 2006.  One quote from Jun 27 2006 by Danny Mayer:

> Right now that's a difficult question. On some O/S's you can do this but
> in some you are really restricted. You need some privilege to change the
> time or adjust the time frequency on your O/S. You also need privileges
> ...

So... dunno.  There is an SELinux profile for ntp so going the hardened Gentoo route may be a more viable option than attempting to chroot.

----------

## Fog_Watch

I still don't understand this.  My conf.d looks like this: NTPD_OPTS="-u ntp:ntp -i /chroot/ntpd".  If I boot the server with the network cable installed, ntpd fails with cap_set_proc() failed to drop root privileges recorded in /var/log/ntpd.log.  With the cable removed, ntpd loads with no problem; of course it doesn't work because of the removed network cable.  Now, with a loaded ntpd, if I install the network cable again, ntpd quits with cap_set_proc() recorded in the log file.  Bash head.  Don't understand.  ?

*tgh wrote:*

> may be a more viable option than attempting to chroot

There is enough evidence in these fora to suggest to me that chrooting ntpd should be easy enough.  I won't give up just yet.

Regards

Fog_Watch.

----------

## Fog_Watch

SOLVED: I turned off Grsecurity, Capability restrictions and hey presto it works.

No, I don't understand the post I made yesterday.

Regards

Fog_Watch
