Date:      Wed, 13 Mar 2019 13:06:12 +0100
From:      Dimitry Andric <dim@FreeBSD.org>
To:        "Julian H. Stacey" <jhs@berklix.com>
Cc:        hackers@freebsd.org
Subject:   Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
Message-ID:  <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>
In-Reply-To: <201903131150.x2DBo75m071495@fire.js.berklix.net>
References:  <201903131150.x2DBo75m071495@fire.js.berklix.net>



On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs@berklix.com> wrote:
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0, the process runs, But fails to correct
> the time !  Next thing to diagnose it, would be a kill of ntpd &
> restart direct as root, I'm not root there so I'll wait for that.
>
> Are others 12 systems slipping time too ?

My systems are working fine, even though ntpd is running as user ntpd.

There's this new part in /etc/rc.d/ntpd, which may be the reason it is
not working for you:

        # Try to set up the MAC ntpd policy so ntpd can run with reduced
        # privileges.  Detect whether MAC is compiled into the kernel, load
        # the policy module if not already present, then check whether the
        # policy has been disabled via tunable or sysctl.
        [ -n "$(sysctl -qn security.mac.version)" ] || return 1
        sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
        [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1

So it tries to set up that MAC policy, which shows up in syslog like:

kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
ntpd[810]: ntpd 4.2.8p12-a (1): Starting
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

Maybe on your system something goes wrong loading the mac_ntpd module,
or setting the sysctl, but it still continues to attempt to run ntpd as
non-root?

I would run /etc/rc.d/ntpd with sh -x to see what it is doing exactly.

-Dimitry


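The three checks quoted from /etc/rc.d/ntpd above, written out as a stand-alone diagnostic. This is an added example, not code from FreeBSD or from the thread: it runs the same sysctl/kldload probes the rc script makes, names the first step that fails instead of silently returning 1, and then compares that with the user ntpd is actually running as, since mac_ntpd is what grants the unprivileged ntpd user the clock-setting privileges. The pidfile path /var/run/ntpd.pid, the use of `ps -o user=`, and the verdict labels are my assumptions; the script assumes FreeBSD sysctl(8) and kldload(8) with their -qn flags.

```shell
#!/bin/sh
# Added diagnostic, not part of FreeBSD's /etc/rc.d/ntpd: it walks the same
# three checks the rc script makes before dropping ntpd to the ntpd user and
# names the first one that fails, then compares that with the user ntpd is
# actually running as. Assumes FreeBSD sysctl(8)/kldload(8) -qn semantics
# and the default pidfile /var/run/ntpd.pid (assumption).

# Prints one of: ok, no-mac, module-load-failed, policy-disabled.
# Returns 0 only for "ok", mirroring the "|| return 1" chain in rc.d/ntpd.
mac_ntpd_status() {
    # 1. Is the MAC framework compiled into the running kernel at all?
    if [ -z "$(sysctl -qn security.mac.version 2>/dev/null)" ]; then
        echo no-mac
        return 1
    fi
    # 2. Is the mac_ntpd policy present, or can it be loaded now?
    if ! sysctl -qn security.mac.ntpd >/dev/null 2>&1; then
        if ! kldload -qn mac_ntpd 2>/dev/null; then
            echo module-load-failed
            return 1
        fi
    fi
    # 3. Has the policy been switched off via loader tunable or sysctl?
    if [ "$(sysctl -qn security.mac.ntpd.enabled 2>/dev/null)" != "1" ]; then
        echo policy-disabled
        return 1
    fi
    echo ok
}

# Combine the policy state with the user ntpd runs as (uid 123 is the
# "ntpd" user in the default FreeBSD password file). Without mac_ntpd an
# unprivileged ntpd cannot set the clock: that is the "process runs but
# never corrects the time" state. Verdict labels are my own.
ntpd_verdict() {
    status=$1
    user=$2
    case "$status:$user" in
        *:not-running) echo ntpd-not-running ;;
        ok:root)       echo policy-active-but-still-root ;;
        ok:*)          echo consistent-unprivileged ;;
        *:root)        echo consistent-root-fallback ;;
        *)             echo broken-unprivileged-without-policy ;;
    esac
}

# Live run on a FreeBSD host: report the first failing step and the verdict.
# Usage: sh mac_ntpd_check.sh run
main() {
    status=$(mac_ntpd_status) || true
    pidfile=/var/run/ntpd.pid
    user=not-running
    if [ -r "$pidfile" ]; then
        user=$(ps -o user= -p "$(cat "$pidfile")")
        [ -n "$user" ] || user=not-running
    fi
    echo "mac_ntpd: $status"
    echo "ntpd user: $user"
    echo "verdict: $(ntpd_verdict "$status" "$user")"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Running it as `sh mac_ntpd_check.sh run` on a host in the state Julian describes should print a non-ok status together with `verdict: broken-unprivileged-without-policy`; on a host where the policy loaded cleanly it prints `mac_ntpd: ok` and `verdict: consistent-unprivileged`.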



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19EB99F0-20E9-4FB9-98CF-118E3CDDE154>