
From: Thomas Kupper <mailing.list@kupper.li>
Subject: Re: clock_settime() not pledge()-ed
To: Theo de Raadt <deraadt@openbsd.org>
Cc: tech@openbsd.org
Date: Sun, 15 Feb 2026 17:21:30 +0000

On 15.02.2026 16:55, Theo de Raadt wrote:
> Thomas Kupper <mailing.list@kupper.li> wrote:
> 
>> Hi,
>>
>> I had a search through the tech@ mailing list and a grep through (git)
>> commits but did not find anything about the topic.
>>
>> Working on getting OpenBSD support into Chrony, it does use
>> clock_settime() for setting time (and adjfreq()).
>>
>> The helper running as root which does the calls to privileged tasks
>> like opening a socket for a port <1024 and setting time, uses
>> clock_settime(). Since that call is not pledged, pledging this helper
>> is not possible right now.
> 
> pledge was designed by building extensive understanding about what
> all the system calls, library routines, and daemons needed.  Nothing
> was calling clock_settime().  This was turned into a minimum feature
> set of pledges.  Programs were adapted to work towards the supplied
> pledges.  The pledges were generally not allowed to expand based upon
> a single program needing something strange.
> 
> Anyways, nothing should call clock_settime(), read the manual page:
> 
>       The clock_settime() function sets the given clock to the absolute value
>       now.  Only the CLOCK_REALTIME clock may be set and only the superuser may
>       set it.  If the system securelevel(7) is 2 or greater, the time may only
>       be advanced.  This limitation is imposed to prevent a malicious superuser
>       from setting arbitrary timestamps on files.
> 
> The same applies to settimeofday()
> 
>       The settimeofday() function sets the system's UTC clock to the absolute
>       value now unless now is NULL.  Only the superuser may set the clock.  If
>       the system securelevel(7) is 2 or greater, the clock may only be
>       advanced.  This limitation prevents a malicious superuser from setting
>       arbitrary timestamps on files.  Setting the clock cancels any ongoing
>       adjtime(2) adjustment.
> 
> 
>> I was wondering if there is specific reason that clock_gettime(),
>> adjtime() and adjfreq() are covered but not clock_settime()?
> 
> Because clock_settime() is dangerous, and because nothing in OpenBSD
> calls it.  Our ntpd does call settimeofday(), but the placement of ntpd
> in the boot-time sequence is carefully designed to allow this to work.
> It falls into
> 
>           [SYS_settimeofday] = PLEDGE_SETTIME,
> 
> But back to the first sentences I wrote.  pledge is a minimal subsystem
> designed to allow securing *OPENBSD PARTS*, and anything beyond that is
> not a priority because soon we'd have an elephant instead of a minimal
> mechanism.

Thank you Theo for taking the time to explain, understood.
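As an added illustration of the point made in the thread (this is example code written here, not Chrony's code and not from the OpenBSD tree): a root helper that sets the clock can be pledged if it uses settimeofday(2), which the kernel maps to PLEDGE_SETTIME, instead of the unpledged clock_settime(). The `dry_run` flag and the non-OpenBSD `pledge` stub are assumptions added so the logic can be exercised without root and on other systems.

```c
#include <stdio.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* pledge(2) only exists on OpenBSD; this stub (an assumption of the
 * example) lets the conversion logic compile and run elsewhere. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Restrict the helper before any privileged work: "stdio" for basic I/O,
 * "settime" for settimeofday(2), adjtime(2) and adjfreq(2).
 * clock_settime() is covered by no promise and would be killed here. */
int restrict_helper(void)
{
    return pledge("stdio settime", NULL);
}

/* Convert a clock_settime()-style timespec into the timeval that
 * settimeofday(2) expects (nanoseconds truncated to microseconds). */
struct timeval timespec_to_timeval(const struct timespec *ts)
{
    struct timeval tv;
    tv.tv_sec = ts->tv_sec;
    tv.tv_usec = ts->tv_nsec / 1000;
    return tv;
}

/* Set CLOCK_REALTIME through settimeofday(2). With dry_run set (a
 * constructed option for testing) only the conversion runs and 0 is
 * returned. Otherwise returns settimeofday's result: -1 with errno set
 * on failure, e.g. EPERM when not root. */
int set_realtime(const struct timespec *ts, int dry_run)
{
    struct timeval tv = timespec_to_timeval(ts);
    if (dry_run)
        return 0;
    return settimeofday(&tv, NULL);
}

int main(void)
{
    struct timespec ts = { .tv_sec = 1771176090, .tv_nsec = 500000000 }; /* constructed */
    if (restrict_helper() == -1) { perror("pledge"); return 1; }
    if (set_realtime(&ts, 1) == -1) { perror("settimeofday"); return 1; }
    return 0;
}
```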