
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: clock_settime() not pledge()-ed
To: Thomas Kupper <mailing.list@kupper.li>
Cc: tech@openbsd.org
Date: Sun, 15 Feb 2026 09:55:11 -0700

Thomas Kupper <mailing.list@kupper.li> wrote:

> Hi,
> 
> I had a search through the tech@ mailing list and a grep through (git)
> commits but did not find anything about the topic.
> 
> Working on getting OpenBSD support into Chrony, it does use
> clock_settime() for setting time (and adjfreq()).
> 
> The helper running as root which does the calls to privileged tasks
> like opening a socket for a port <1024 and setting time, uses
> clock_settime(). Since that call is not pledged, pledging this helper
> is not possible right now.

pledge was designed by building extensive understanding about what
all the system calls, library routines, and daemons needed.  Nothing
was calling clock_settime().  This was turned into a minimum feature
set of pledges.  Programs were adapted to work towards the supplied
pledges.  The pledges were generally not allowed to expand based upon
a single program needing something strange.

Anyways, nothing should call clock_settime(), read the manual page:

     The clock_settime() function sets the given clock to the absolute value
     now.  Only the CLOCK_REALTIME clock may be set and only the superuser may
     set it.  If the system securelevel(7) is 2 or greater, the time may only
     be advanced.  This limitation is imposed to prevent a malicious superuser
     from setting arbitrary timestamps on files.

The same applies to settimeofday():

     The settimeofday() function sets the system's UTC clock to the absolute
     value now unless now is NULL.  Only the superuser may set the clock.  If
     the system securelevel(7) is 2 or greater, the clock may only be
     advanced.  This limitation prevents a malicious superuser from setting
     arbitrary timestamps on files.  Setting the clock cancels any ongoing
     adjtime(2) adjustment.


> I was wondering if there is specific reason that clock_gettime(),
> adjtime() and adjfreq() are covered but not clock_settime()?

Because clock_settime() is dangerous, and because nothing in OpenBSD
calls it.  Our ntpd does call settimeofday(), but the placement of ntpd
in the boot-time sequence is carefully designed to allow this to work.
It falls into

         [SYS_settimeofday] = PLEDGE_SETTIME,

But back to the first sentences I wrote.  pledge is a minimal subsystem
designed to allow securing *OPENBSD PARTS*, and anything beyond that is
not a priority because soon we'd have an elephant instead of a minimal
mechanism.
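As an added example (not code from this thread, and not Chrony's or OpenBSD's own), the helper pattern the reply points at: a root helper that pledges "settime" and steps the clock with settimeofday(2), which the reply shows sits under PLEDGE_SETTIME, instead of the unpledged clock_settime(2). The function names and the timespec-shaped input are assumptions; pledge(2) is OpenBSD-only, so that call is compiled out elsewhere.

```c
/* Added example: pledge-friendly clock stepping for a privileged helper.
 * Assumed interface: the helper is handed the target time as a struct timespec. */
#include <sys/time.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Convert a timespec to the timeval settimeofday(2) takes, rounding the
 * nanosecond part to the nearest microsecond and carrying into seconds. */
struct timeval timespec_to_timeval(struct timespec ts)
{
    struct timeval tv;
    long usec = (ts.tv_nsec + 500) / 1000;      /* round to nearest microsecond */
    tv.tv_sec = ts.tv_sec + usec / 1000000;     /* carry a full second if rounding overflowed */
    tv.tv_usec = usec % 1000000;
    return tv;
}

/* Returns 1 if stepping from `now` to `target` moves the clock backwards,
 * which the manual page quoted above says is refused at securelevel(7) >= 2. */
int step_goes_backward(struct timespec now, struct timespec target)
{
    if (target.tv_sec != now.tv_sec)
        return target.tv_sec < now.tv_sec;
    return target.tv_nsec < now.tv_nsec;
}

/* Set the clock under pledge. Returns 0 on success, -1 with errno set. */
int set_clock_pledged(struct timespec target)
{
#ifdef __OpenBSD__
    /* "settime" covers settimeofday(2), adjtime(2) and adjfreq(2);
     * "stdio" is kept for the error message below. pledge(2) is OpenBSD-only. */
    if (pledge("stdio settime", NULL) == -1)
        return -1;
#endif
    struct timeval tv = timespec_to_timeval(target);
    if (settimeofday(&tv, NULL) == -1) {
        /* EPERM is what a backward step at securelevel >= 2, or a non-root
         * caller, looks like; report it instead of falling back to clock_settime(). */
        fprintf(stderr, "settimeofday: %s\n", strerror(errno));
        return -1;
    }
    return 0;
}
```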