
#1 2014-05-12 18:18:56

Erased
Member
From: France
Registered: 2014-05-12
Posts: 5

GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Hey everyone,

I've recently installed an Archlinux server and decided to try out GRSecurity and PaX. I installed "linux-grsec" from the official repositories (not the AUR version).

It's running the "3.14.3-1-grsec" version on amd64.

Everything works great except NTPd; here's the log:

May 12 20:01:24 xx systemd[1]: Starting Network Time Service...
May 12 20:01:24 xx ntpd[522]: ntpd 4.2.7p441@1.2483-o Tue May  6 10:14:26 UTC 2014 (1): Starting
May 12 20:01:24 xx systemd[1]: PID file /run/ntpd.pid not readable (yet?) after start.
May 12 20:01:24 xx ntpd[523]: proto: precision = 0.315 usec (-22)
May 12 20:01:24 xx ntpd[523]: Listen and drop on 0 v6wildcard [::]:123
May 12 20:01:24 xx ntpd[523]: Listen and drop on 1 v4wildcard 0.0.0.0:123
May 12 20:01:24 xx ntpd[523]: Listen normally on 2 lo 127.0.0.1:123
May 12 20:01:24 xx ntpd[523]: Listen normally on 3 enp1s0 x.x.x.x:123
May 12 20:01:24 xx ntpd[523]: Listen normally on 4 lo [::1]:123
May 12 20:01:24 xx ntpd[523]: Listen normally on 5 enp1s0 [x:x:x:x::1]:123
May 12 20:01:24 xx ntpd[523]: Listen normally on 6 enp1s0 [fe80::222:4dff:fe87:8b82%2]:123
May 12 20:01:24 xx ntpd[523]: Listening on routing socket on fd #23 for interface updates
May 12 20:01:24 xx ntpd[523]: cap_set_proc() failed to drop root privs: Operation not permitted
May 12 20:01:24 xx systemd[1]: Started Network Time Service.
May 12 20:01:24 xx systemd[1]: ntpd.service: main process exited, code=exited, status=255/n/a
May 12 20:01:24 xx systemd[1]: Unit ntpd.service entered failed state.

NTPd is at version "4.2.7.p441-1", and is using its default configuration file.

If I manually modify the unit file and remove the "-u ntp:ntp" argument, then it works perfectly, but it runs as root, and that makes me feel uncomfortable.

After searching, it looks like NTPd needs CAP_SYS_TIME and something prevents it from having that capability; however, I don't see what it is, since GRSecurity's RBAC is disabled:

root@xx /home/xx # gradm -S
The RBAC system is currently disabled.

And according to the wiki, the official linux-grsec package is configured to not break anything, and I didn't touch anything either (everything is at its defaults).

This is my /etc/grsec/policy: https://gist.github.com/ErasedMemories/ … 43701bdeb2 - I didn't change it, but since RBAC isn't even enabled I don't think this file matters.
This is my /etc/sysctl.d/05-grsecurity.conf: https://gist.github.com/ErasedMemories/ … b18b2fc9cd - same here, I didn't touch it.

Any idea how to fix this? Thanks.

Edit: a temporary solution is to downgrade to ntpd version "ntp-4.2.6.p5-19" (more info about downgrading: https://wiki.archlinux.org/index.php/Do … g_packages).

Last edited by Erased (2014-05-13 20:33:12)


#2 2014-05-13 02:04:33

hydrosIII
Member
Registered: 2013-04-04
Posts: 127

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

It might sound too simple as a workaround, but you could try different versions of ntp via the downgrade utility, or try another ntp package like chrony or openntpd.


#3 2014-05-13 02:05:59

Erased
Member
From: France
Registered: 2014-05-12
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

I'll try that and get back to you; however, I don't think it's gonna fix anything, since this is clearly a GRSecurity/PaX issue.

Edit: OpenNTPd isn't maintained anymore, so I don't really want to install something unsupported and potentially vulnerable, and Chrony is a bit too complicated (I don't like all this control interface/command key stuff).

Still looking for a solution...

Last edited by Erased (2014-05-13 19:30:48)


#4 2014-05-13 19:54:46

Methos
Member
From: Europe
Registered: 2013-08-22
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

I'm currently playing around with grsecurity and have the same problem. I can't help you with the problem, but I'm not sure that it is a grsecurity problem, because downgrading to ntp-4.2.6.p5-19-x86_64 solved the problem. Furthermore, there are bugs reported for the current ntp version which look quite similar.
The strange thing is only that I don't have the problem with the default kernel.


#5 2014-05-13 20:02:26

Erased
Member
From: France
Registered: 2014-05-12
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Can you link me the related bugs? I can't seem to find similar bugs on their bugtracker (unless you're talking about the Arch bugtracker).

I tried starting it with the debug options, but no matter how many "-ddddddddddddddd" options I put on the command line, there's nothing relevant in the output:

local_clock: mu 0 state 2 poll 3 count 0
event at 0 0.0.0.0 c016 06 restart
13 May 22:00:49 ntpd[489]: cap_set_proc() failed to drop root privs: Operation not permitted
event at 0 0.0.0.0 c01d 0d kern kernel time sync disabled
filegen_unregister(peerstats)

I'm going to downgrade and hopefully it'll work for now.


#6 2014-05-13 20:10:35

Methos
Member
From: Europe
Registered: 2013-08-22
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Oh yes, sorry. I was talking about the archlinux bugtracker.
https://bugs.archlinux.org/task/40302?s … ect=1&type[0]=&sev[0]=&pri[0]=&due[0]=&reported[0]=&cat[0]=&status[0]=open&percent[0]=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto=
https://bugs.archlinux.org/task/40319?s … ect=1&type[0]=&sev[0]=&pri[0]=&due[0]=&reported[0]=&cat[0]=&status[0]=open&percent[0]=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto=

The log messages are different, and I didn't have the same log messages as you either. But I would suggest that these are correlated with each other.


#7 2014-05-13 20:14:38

Erased
Member
From: France
Registered: 2014-05-12
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

There's no mention of GRSecurity or PaX in these bugs, so IMO they're unrelated, but thanks for the downgrade solution; it works perfectly.

Last edited by Erased (2014-05-13 20:21:02)


#8 2014-05-13 20:27:55

Methos
Member
From: Europe
Registered: 2013-08-22
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Fine. Always a pleasure to help. :)
And I still have the feeling that these errors are somehow related... So I mentioned this thread in the bug report. Maybe this gives a hint.


#9 2014-05-13 20:31:55

Erased
Member
From: France
Registered: 2014-05-12
Posts: 5

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Yeah we'll see what they say on the bugtracker.


#10 2014-06-02 15:41:13

zodiac_es
Member
Registered: 2013-02-11
Posts: 1

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

Hi!
It is necessary to set kernel.grsecurity.consistent_setxid to 0 in /etc/sysctl.d/05-grsecurity.conf, or to create a file, e.g. /etc/sysctl.d/06-grsecurity-ntp.conf, containing:
kernel.grsecurity.consistent_setxid = 0

https://github.com/thestinger/paxd/issu … t-44849079

Last edited by zodiac_es (2014-06-02 15:42:15)


#11 2014-06-03 08:40:40

thestinger
Package Maintainer (PM)
From: Toronto, Canada
Registered: 2010-01-23
Posts: 478

Re: GRSecurity + PaX, ntpd "cap_set_proc()" can't drop root privileges.

The compatibility issue between consistent_setxid and ntpd is fixed in 3.14.5.201406021708, so it can be left enabled.

Last edited by thestinger (2014-06-03 08:40:51)
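An added example, not code from this thread or from the ntp or grsecurity projects: it runs detection logic over journal lines of the shape shown in post #1 (a daemon logging "cap_set_proc() failed to drop root privs" followed by its unit exiting non-zero) and decides, from the linux-grsec package version, whether the consistent_setxid drop-in from post #10 is still needed given the fixed release named in post #11. The journal lines are constructed from the excerpt above, and comparing package versions as dotted numeric tuples is an assumption.

```python
import re

# Constructed sample journal, modelled on the excerpt in post #1 of this thread.
SAMPLE_JOURNAL = """\
May 12 20:01:24 xx systemd[1]: Starting Network Time Service...
May 12 20:01:24 xx ntpd[522]: ntpd 4.2.7p441@1.2483-o Tue May  6 10:14:26 UTC 2014 (1): Starting
May 12 20:01:24 xx ntpd[523]: Listen normally on 2 lo 127.0.0.1:123
May 12 20:01:24 xx ntpd[523]: cap_set_proc() failed to drop root privs: Operation not permitted
May 12 20:01:24 xx systemd[1]: Started Network Time Service.
May 12 20:01:24 xx systemd[1]: ntpd.service: main process exited, code=exited, status=255/n/a
May 12 20:01:24 xx systemd[1]: Unit ntpd.service entered failed state.
May 12 20:01:30 xx sshd[600]: Server listening on 0.0.0.0 port 22.
"""

# Syslog-style journal line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[ ]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PRIVDROP_RE = re.compile(r"cap_set_proc\(\) failed to drop root privs: (?P<err>.+)")
EXIT_RE = re.compile(r"^(?P<svc>\S+)\.service: main process exited, code=exited, status=(?P<status>\d+)")
# First grsecurity release with the consistent_setxid/ntpd fix, per post #11.
FIXED_GRSEC = (3, 14, 5, 201406021708)

def find_privdrop_failures(journal):
    """One record per daemon that reported a failed privilege drop. If its systemd
    unit then exited non-zero, unit and status are attached; a daemon that logged the
    failure but kept running (i.e. still root) is reported with unit/status None."""
    pending, findings = {}, []          # pending: program name -> (pid, strerror text)
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        pm = PRIVDROP_RE.search(msg)
        if pm:
            pending[prog] = (pid, pm["err"])
            continue
        em = EXIT_RE.match(msg) if prog == "systemd" else None
        if em and em["svc"] in pending:  # assumes unit name == program name, as for ntpd
            pid, err = pending.pop(em["svc"])
            findings.append({"prog": em["svc"], "pid": pid, "error": err,
                             "unit": em["svc"] + ".service", "status": int(em["status"])})
    for prog, (pid, err) in pending.items():
        findings.append({"prog": prog, "pid": pid, "error": err, "unit": None, "status": None})
    return findings

def workaround_needed(pkgver):
    """True when the linux-grsec package version ('3.14.3-1-grsec' in the thread, or e.g.
    '3.14.5.201406021708-1') predates FIXED_GRSEC, so the post #10 drop-in is still needed."""
    version = tuple(int(x) for x in pkgver.split("-")[0].split("."))  # assumed numeric format
    return version < FIXED_GRSEC
```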

