[Bug 1744072] Re: MIR Chrony in 18.04

Seth Arnold 1744072 at bugs.launchpad.net
Tue Jan 30 03:55:57 UTC 2018


I reviewed chrony version 3.2-1build1 as checked into bionic. This isn't a
full security audit but rather a quick gauge of maintainability.

- There are ten CVEs in our database; the fixes mostly aren't enumerated
  in our database, but many of the descriptions sound like they were
  handed out 'conservatively' -- errors in administration-level command
  channel or a malicious peer server operator in a position to interpose
  traffic from another peer server.

  I like the paranoia.

- chrony is a new, simpler, smaller, safer, ntp daemon. It's suitable for
  client and server use, and supports some hardware drivers, NIC
  timestamping, but perhaps not as many features as our old NTPD.

- Build-Depends: debhelper, bison, libedit-dev, libtomcrypt-dev,
  libcap-dev, pps-tools, libseccomp-dev, pkg-config, asciidoctor

- libtomcrypt dependency is being worked on; apparently nss is an option
  once we expose an "internal only" library.

- Does daemonize, nicely
- pre/post inst/rm scripts have autogenerated sections. Also:
- postinst script creates _chrony user and group, chowns /var/log/chrony
  and /var/lib/chrony
- postinst cleans up after previous version "key" file (authentication has
  been simplified in newer versions) in a complicated set of comparisons
- postrm removes /var/lib/chrony/, /etc/chrony/, _chrony user and group
- Initscript uses start-stop-daemon to start chrony
- systemd unit file is simple
- No dbus services
- No setuid files
- chronyc and chronyd executables in PATH
- No sudo fragments
- No udev rules
- test suite run at build; not comprehensive, but nice to have
- clean build logs

- sendmail is spawned to send mail via popen(). All variables are under
  control of configuration file. No error handling in case the admin sets
  the "mail to" variable to something silly long or dangerous, but this is
  very low risk.

- Memory management looked careful
- file io looked careful
- logging looked careful
- TZ environment variable used to gather information on leap seconds,
  looked careful
- Privileged operations looked careful
- I did not inspect cryptography
- Privileged portions of the code, privsep-style, looked careful; I did
  not inspect privsep for safety
- Extensive networking, looked careful
- No temporary file handling
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck


Errors are checked religiously, coding style is unique and awkward but not
a real impediment to maintenance. Obviously ntp is an involved protocol
and probably further flaws will be found -- and we will rely upon
upstream's help for all but the simplest of issues. It looks
professionally programmed.

The only issue I found has no security relevance but may be slightly
surprising:

- reference() uses snprintf() to build a string to call sendmail; the
  username may not fit in the allocated space, and the code gets no
  warning about this.

  Any shell metacharacters in this setting would interfere with proper
  operation of the program.

I'd like to see this addressed for reliability reasons but it's not a
pressing issue.

Security team ACK for promoting chrony to main.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1744072

Title:
  MIR Chrony in 18.04

Status in NTP Charm:
  New
Status in Ubuntu Server Guide:
  New
Status in ceph package in Ubuntu:
  Confirmed
Status in chrony package in Ubuntu:
  Confirmed
Status in cloud-init package in Ubuntu:
  Confirmed
Status in maas package in Ubuntu:
  Confirmed

Bug description:
  --- MIR ---

  1. Availability: The package is Ubuntu universe and builds for the
  architectures it is designed to work on.

  2. Rationale:
   2.1 NTP in general is needed quite a lot, but we want to exchange ntpd
       which is the current implementation in main with chrony for 18.04.
   2.2 Security: chrony was considered easier to be maintained in
       terms of security and to provide a more modern ntp experience as well.
   2.3 Efficiency: Furthermore several cloud people seem to be interested to
       change to chrony in the guests for its lower memory/cpu footprint
       (efficiency I guess).
  2.4 related to this MIR 6 years ago this is the same but for Fedora.
      See: https://fedoraproject.org/wiki/Features/ChronyDefaultNTP
      IIRC some limitations that were present have been eliminated since, so
      it is even better than it was back then.
  2.5 In general one has to realize that in a systemd-timesync world
      ntp/chrony are mostly for the "serving" portion of an ntp service, and
      not so much about the client (unless the better accuracy vs
      timesyncd is needed).

  3. Security: In fact the request came in by security Team, so I guess
  I call this section done

  3. Quality assurance
   3.1 configuration ease - works after installation
   3.2 no high prio debconf
   3.3 usability (no major issues in Debian nor Ubuntu)
       asked Paul in regard to the ntp charm in comment #5
   3.4 long-term >=high bugs (none in Debian nor Ubuntu)
   3.5 Debian/Ubuntu bugs look reasonably maintained
   3.6 does not deal with hard to support exotic hardware (other than ntpd
       btw). If used this can be done through universe package GPSD (no
       dependency)
   3.7 Test suite runs on build (some skipped if not env applicable)
   3.8 debian/watch exists
   3.9 not depending on obsoleted packages

  4.1 It does not face graphical UI
  4.2 It is unfortunately not internationalized as far as I could see in the source

  5. Dependencies - there is one not in main libtomcrypt
     We don't want it in main either, instead we want to fix bug 1744328 and then use libnss which is in main already.

  6. Not found major Policy or FHS violations that would have to be
  fixed.

  7. Maintenance
    7.1 Upstream - is maintained well (and better than ntpd it seems
         according to some discussions)
    7.2 Ubuntu - Owning Team would be Ubuntu (in exchange to drop ntp)

  8. Background information:
    Fulfills the same role as ntp, yet according to the security Team would
    be preferred for them.

  --- Affected Packages ---

  I'll add all those as bug tasks.
  Once the MIR has passed the state of uncertainty (e.g. would it be blocked by one of the dependent bugs being not doable at all) then please work on these into 18.04. Here is a list of what is affected in the listed packages:

  Maas - needs to change dependencies and maybe template
  cloud-init - needs to support writing ntp config to chrony instead of ntpd
  ceph-base - change recommends from ntpd to chrony (it only intends to get good time and doesn't care via which daemon that is, so that should be ok to be changed)
  ntp charm - switch to chrony for >=18.04
  chrony - MIR itself (discussion here and eventually seeding)

  --- Depending on further Bugs ---
  In my initial evaluation I uncovered (and filed) a set of bugs that I consider a requirement to make it fully ready:
  Reminder - tracking state here might be out of sync, I'll only change them to Done once complete and not care about interim status changes.

  OPEN - bug 1718227 - convert ifup hooks to networkd compatible hooks
  DONE - bug 1744662 - add chrony apparmor profile
  OPEN - bug 1744328 - make src:libnss libfreebl3 usable by other programs
  OPEN - bug 1744664 - use Ubuntu time servers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp-charm/+bug/1744072/+subscriptions
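
The review comment above notes that the sendmail command string is built with snprintf() without detecting truncation, and that shell metacharacters in the "mail to" setting would break the command handed to popen(). The following is an added example, not chrony's code and not part of the original message, showing one way to check both conditions before calling popen(); the sendmail path, the command format, the function names and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed sendmail path; not taken from chrony's build configuration. */
#define MAIL_PROGRAM "/usr/sbin/sendmail"

/* Allow only characters that /bin/sh does not interpret, and refuse a
   leading '-' so the value cannot be read as a sendmail option. */
int mail_user_is_safe(const char *user)
{
  size_t i, n = strlen(user);
  if (n == 0 || user[0] == '-')
    return 0;
  for (i = 0; i < n; i++) {
    unsigned char c = (unsigned char)user[i];
    if (!isalnum(c) && !strchr("@._+-", c))
      return 0;
  }
  return 1;
}

/* Build the command for popen(). Returns 0 on success, -1 if the user
   name is rejected, -2 if the command did not fit in buf. */
int build_mail_command(char *buf, size_t len, const char *user)
{
  int n;
  if (!mail_user_is_safe(user))
    return -1;
  /* snprintf() returns the length it wanted to write; a value >= len
     means the output was truncated. */
  n = snprintf(buf, len, "%s %s", MAIL_PROGRAM, user);
  if (n < 0 || (size_t)n >= len)
    return -2;
  return 0;
}

int main(void)
{
  /* Constructed sample values for the "mail to" setting. */
  const char *samples[] = { "root@example.com", "admin;x", "a b", "-t" };
  char small[16], big[128];
  size_t i;
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%s -> %d\n", samples[i], build_mail_command(big, sizeof big, samples[i]));
  printf("16-byte buffer -> %d\n", build_mail_command(small, sizeof small, samples[0]));
  return 0;
}
```

A caller would log the error and skip the popen() call when the return value is non-zero, so a bad setting is reported instead of silently producing a malformed command.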