Date:      Wed, 13 Mar 2019 20:01:51 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Dimitry Andric <dim@FreeBSD.org>, "Julian H. Stacey" <jhs@berklix.com>
Cc:        hackers@freebsd.org
Subject:   Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
Message-ID:  <e7fd44ae-d502-4d13-d39e-f23eb6621f62@grosbein.net>
In-Reply-To: <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>
References:  <201903131150.x2DBo75m071495@fire.js.berklix.net> <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>

13.03.2019 19:06, Dimitry Andric wrote:

> On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs@berklix.com> wrote:
>> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
>> uid=123 not root on 12.0, the process runs, But fails to correct
>> the time !  Next thing to diagnose it, would be a kill of ntpd &
>> restart direct as root, I'm not root there so I'll wait for that.
>>
>> Are others 12 systems slipping time too ?
> 
> My systems are working fine, even though ntpd is running as user ntpd.
> 
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
> 
>         # Try to set up the the MAC ntpd policy so ntpd can run with reduced
>         # privileges.  Detect whether MAC is compiled into the kernel, load
>         # the policy module if not already present, then check whether the
>         # policy has been disabled via tunable or sysctl.
>         [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>         sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>         [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
> 
> So it tries to setup that MAC policy, which shows up in syslog like:
> 
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
> 
> Maybe on your system something goes wrong loading the mac_ntpd module,

Loading mac_XXX modules requires options MAC in the running kernel.
GENERIC has this option, but a custom kernel may lack it.
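
A read-only diagnostic for the three checks in the quoted /etc/rc.d/ntpd fragment, reporting which one fails (including the missing `options MAC` case). This is an added example, not part of the original message or of FreeBSD's rc.d script; the function name `mac_ntpd_diag` and its return codes are assumptions.

```shell
#!/bin/sh
# Added example: tells you which precondition for running ntpd with reduced
# privileges is not met. It uses only the sysctl names quoted above.
# mac_ntpd_diag and its return codes (1, 2, 3) are assumptions of this example.
# Unlike the rc.d script it never calls kldload, so it changes nothing.

mac_ntpd_diag() {
    # 1. Is the MAC framework compiled into the running kernel (options MAC)?
    #    Without it security.mac.version does not exist and no mac_* module loads.
    if [ -z "$(sysctl -qn security.mac.version 2>/dev/null)" ]; then
        echo "kernel lacks options MAC: mac_ntpd cannot be loaded"
        return 1
    fi

    # 2. Is the policy present? The security.mac.ntpd node only exists once
    #    mac_ntpd is loaded or compiled in.
    if ! sysctl -qn security.mac.ntpd >/dev/null 2>&1; then
        echo "mac_ntpd policy not loaded (rc.d would try kldload mac_ntpd)"
        return 2
    fi

    # 3. Has the policy been disabled via tunable or sysctl?
    if [ "$(sysctl -qn security.mac.ntpd.enabled 2>/dev/null)" != "1" ]; then
        echo "mac_ntpd present but security.mac.ntpd.enabled is not 1"
        return 3
    fi

    echo "MAC/ntpd policy active: ntpd can run with reduced privileges"
    return 0
}
```

Source the file on the affected host and run `mac_ntpd_diag; echo "exit=$?"`; a result of 1 corresponds to the custom-kernel case described in the reply.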



