From: "Theo de Raadt"
Subject: Re: clock_settime() not pledge()-ed
To: Thomas Kupper
Cc: tech@openbsd.org
Date: Sun, 15 Feb 2026 09:55:11 -0700

Thomas Kupper wrote:
> Hi,
>
> I had a search through the tech@ mailing list and a grep through (git)
> commits but did not find anything about the topic.
>
> Working on getting OpenBSD support into Chrony, it does use
> clock_settime() for setting time (and adjfreq()).
>
> The helper running as root which does the calls to privileged tasks
> like opening a socket for a port <1024 and setting time, uses
> clock_settime(). Since that call is not pledged, pledging this helper
> is not possible right now.

pledge was designed by building extensive understanding about what all
the system calls, library routines, and daemons needed. Nothing was
calling clock_settime(). This was turned into a minimum feature set of
pledges. Programs were adapted to work towards the supplied pledges.
The pledges were generally not allowed to expand based upon a single
program needing something strange.

Anyways, nothing should call clock_settime(), read the manual page:

     The clock_settime() function sets the given clock to the absolute
     value now. Only the CLOCK_REALTIME clock may be set and only the
     superuser may set it. If the system securelevel(7) is 2 or greater,
     the time may only be advanced. This limitation is imposed to prevent
     a malicious superuser from setting arbitrary timestamps on files.

The same applies to settimeofday():

     The settimeofday() function sets the system's UTC clock to the
     absolute value now unless now is NULL. Only the superuser may set
     the clock. If the system securelevel(7) is 2 or greater, the clock
     may only be advanced. This limitation prevents a malicious superuser
     from setting arbitrary timestamps on files. Setting the clock
     cancels any ongoing adjtime(2) adjustment.

> I was wondering if there is specific reason that clock_gettime(),
> adjtime() and adjfreq() are covered but not clock_settime()?
Because clock_settime() is dangerous, and because nothing in OpenBSD
calls it.

Our ntpd does call settimeofday(), but the placement of ntpd in the
boot-time sequence is carefully designed to allow this to work. It falls
into

    [SYS_settimeofday] = PLEDGE_SETTIME,

But back to the first sentences I wrote. pledge is a minimal subsystem
designed to allow securing *OPENBSD PARTS*, and anything beyond that is
not a priority because soon we'd have an elephant instead of a minimal
mechanism.
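As an added illustration of the point made in this thread (example code, not from the thread, from Chrony or from OpenBSD's ntpd): a privileged time-setting helper that uses settimeofday(2), which the pledge "settime" promise covers, rather than clock_settime(2), which it does not, and that applies the manual-page rule about securelevel before touching the clock. The pledge() call is compiled only on OpenBSD so the file also builds elsewhere; the function names, the enum, and the securelevel argument are this example's own assumptions.

```c
/* Added example: a minimal time-setting helper built on settimeofday(2),
 * the call pledge(2) covers under "settime", instead of clock_settime(2).
 * Names (check_step, apply_step, restrict_helper, step_verdict) are
 * assumptions of this example, not names from Chrony or OpenBSD. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Outcome of checking a requested clock step before applying it. */
enum step_verdict { STEP_OK = 0, STEP_BACKWARD_REFUSED = 1, STEP_NOOP = 2 };

/* Decide whether stepping the clock from 'now' to 'target' is permitted.
 * Mirrors the settimeofday(2) rule quoted above: at securelevel 2 or
 * greater the clock may only be advanced.  Pure function, testable offline. */
enum step_verdict check_step(const struct timeval *now,
                             const struct timeval *target, int securelevel)
{
    long long dnow = (long long)now->tv_sec * 1000000LL + now->tv_usec;
    long long dtgt = (long long)target->tv_sec * 1000000LL + target->tv_usec;
    long long delta = dtgt - dnow;

    if (delta == 0)
        return STEP_NOOP;
    if (delta < 0 && securelevel >= 2)
        return STEP_BACKWARD_REFUSED;
    return STEP_OK;
}

/* Reduce the helper to the smallest promise set that still allows
 * settimeofday(): "stdio settime".  No-op when not built on OpenBSD. */
static int restrict_helper(void)
{
#ifdef __OpenBSD__
    if (pledge("stdio settime", NULL) == -1) {
        perror("pledge");
        return -1;
    }
#endif
    return 0;
}

/* Apply the step if check_step() permits it.  Returns 0 on success, the
 * verdict (>0) when the step is refused or unnecessary, or -1 when
 * gettimeofday()/settimeofday() fail (e.g. EPERM when not root). */
int apply_step(const struct timeval *target, int securelevel)
{
    struct timeval now;
    enum step_verdict v;

    if (gettimeofday(&now, NULL) == -1)
        return -1;
    v = check_step(&now, target, securelevel);
    if (v != STEP_OK)
        return (int)v;
    if (settimeofday(target, NULL) == -1) {
        fprintf(stderr, "settimeofday: %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

/* Dry run only: evaluate a constructed backward step at securelevel 2
 * and report the verdict.  apply_step() is what a real helper would call. */
int main(void)
{
    struct timeval now, target;

    if (restrict_helper() == -1)
        return 1;
    if (gettimeofday(&now, NULL) == -1)
        return 1;
    target = now;
    target.tv_sec -= 60;           /* constructed: 60 s into the past */
    printf("verdict for backward step at securelevel 2: %d\n",
           (int)check_step(&now, &target, 2));
    return 0;
}
```

The pure check is separated from the privileged call so the policy can be unit-tested without root and without pledge, while the process that does hold the "settime" promise has nothing left to do but the one syscall the promise allows.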