From 2d34355e16b442fcf51e93786401716dae3c4ea2 Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Mon, 19 Oct 2020 21:22:30 +0100
Subject: busybox: allow ntpd to run as non-root ntpd user

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
 package/utils/busybox/files/ntpd.capabilities | 22 ++++++++++++++++++++++
 package/utils/busybox/files/sysntpd           |  7 +++++++
 2 files changed, 29 insertions(+)
 create mode 100644 package/utils/busybox/files/ntpd.capabilities

(limited to 'package/utils/busybox/files')

diff --git a/package/utils/busybox/files/ntpd.capabilities b/package/utils/busybox/files/ntpd.capabilities
new file mode 100644
index 0000000000..8a05dba4bc
--- /dev/null
+++ b/package/utils/busybox/files/ntpd.capabilities
@@ -0,0 +1,22 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	]
+}
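Review bot: `CAP_NET_BIND_SERVICE` is granted unconditionally in all five sets, although it is presumably needed only when ntpd also serves time on a privileged port; a client-only instance would get by with `CAP_SYS_TIME` alone. Because both capabilities are also listed under `ambient` and `inheritable`, any program the daemon executes (a helper script, if one is configured) keeps them across exec, and `no_new_privs` in sysntpd does not change that. JSON cannot carry a comment, so the reason each set is populated belongs in the commit message, which currently has no body; presumably `ambient` is there so the non-root `ntpd` user retains the capabilities after exec.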
diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
index 52866ba32a..cbc760a48e 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -55,6 +55,13 @@ start_ntpd_instance() {
 		procd_append_param command -p $peer
 	done
 	procd_set_param respawn
+	[ -x /sbin/ujail ] && {
+		procd_add_jail ntpd
+		procd_set_param capabilities /etc/capabilities/ntpd.json
+		procd_set_param user ntpd
+		procd_set_param group ntpd
+		procd_set_param no_new_privs 1
+	}
 	procd_close_instance
 }
 
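Review bot: The guard `[ -x /sbin/ujail ]` tests only for the jail binary, so on an image where `/etc/capabilities/ntpd.json` or the `ntpd` user is missing the instance is still switched to the unprivileged user. It would then likely fail to start, or run without CAP_SYS_TIME and be unable to set the clock. Checking the file as well, `[ -x /sbin/ujail -a -e /etc/capabilities/ntpd.json ] && {`, keeps the privilege drop all-or-nothing; installation of the file and creation of the user are not visible in this path-limited diff. When ujail is absent the service silently keeps running as root with full capabilities, which deserves a comment such as `# without ujail ntpd stays root; no capability drop`. start_ntpd_instance begins before the hunk.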
-- 
cgit v1.2.3