svn commit: r525559 - in head/net/ntimed: . files
Mark Felder
feld at FreeBSD.org
Sat Feb 8 16:04:14 UTC 2020
Author: feld
Date: Sat Feb 8 16:04:13 2020
New Revision: 525559
URL: https://svnweb.freebsd.org/changeset/ports/525559
Log:
net/ntimed: Supervise process and attempt to drop privs
PR: 243469
Modified:
head/net/ntimed/Makefile
head/net/ntimed/files/ntimed.in
Modified: head/net/ntimed/Makefile
==============================================================================
--- head/net/ntimed/Makefile Sat Feb 8 15:03:50 2020 (r525558)
+++ head/net/ntimed/Makefile Sat Feb 8 16:04:13 2020 (r525559)
@@ -3,7 +3,7 @@
PORTNAME= ntimed
PORTVERSION= 0.0.2015.01.30
-PORTREVISION= 0
+PORTREVISION= 1
CATEGORIES= net
MAINTAINER= feld at FreeBSD.org
Modified: head/net/ntimed/files/ntimed.in
==============================================================================
--- head/net/ntimed/files/ntimed.in Sat Feb 8 15:03:50 2020 (r525558)
+++ head/net/ntimed/files/ntimed.in Sat Feb 8 16:04:13 2020 (r525559)
@@ -25,14 +25,32 @@ load_rc_config $name
start_precmd=ntimed_prestart
pidfile=/var/run/ntimed.pid
-procname="/usr/local/sbin/ntimed-client"
+ntimed_cmd="/usr/local/sbin/ntimed-client"
command=/usr/sbin/daemon
-command_args=" -p ${pidfile} ${procname} ${ntimed_flags}"
+can_run_nonroot()
+{
+ # Try to set up the the MAC ntpd policy so ntimed can run with reduced
+ # privileges. Detect whether MAC is compiled into the kernel, load
+ # the policy module if not already present, then check whether the
+ # policy has been disabled via tunable or sysctl.
+ [ -n "$(sysctl -qn security.mac.version)" ] || return 1
+ sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
+ [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+}
+
ntimed_prestart()
{
- # Have to empty rc_flags so they don't get passed to daemon(8)
- rc_flags=""
+ # Have to empty rc_flags so they don't get passed to daemon(8)
+ rc_flags=""
+
+ if can_run_nonroot; then
+ _ntimed_user="ntpd"
+ else
+ _ntimed_user="root"
+ fi
+
+ command_args=" -r -P ${pidfile} -u ${_ntimed_user} ${ntimed_cmd} ${ntimed_flags}"
}
run_rc_command "$1"
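Review bot: The `else` branch of `ntimed_prestart` falls back to `_ntimed_user="root"` without any message, so an operator cannot tell from the service output whether the privilege drop actually happened. That fallback is taken whenever `can_run_nonroot` fails: MAC is not in the kernel, `mac_ntpd` cannot be loaded, or the policy is disabled. Emitting a message in that branch with the rc.subr helper, e.g. `warn "mac_ntpd policy unavailable; ${name} will run as root"`, would make the degraded mode visible in the logs. Separately, the last test in `can_run_nonroot` uses `==` inside `[ ]`; the POSIX string comparison is `=`, so `[ "$(sysctl -qn security.mac.ntpd.enabled)" = "1" ] || return 1` is the more portable spelling.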