Date: Sun, 2 Mar 2025 10:25:45 +0900
From: Tomoaki AOKI
To: Cy Schubert
Cc: freebsd@oldach.net (Helge Oldach), cy@FreeBSD.org, dev-commits-src-branches@freebsd.org
Subject: Re: git: 1a241a911dc8 - stable/14 - ntpd: Use the ntpd -u option in preference to the rc su plumbing
Message-Id: <20250302102545.3ce62f3a0f3836d2ff01d544@dec.sakura.ne.jp>
In-Reply-To: <20250301053719.2449ddcf28e417f6639ac58f@dec.sakura.ne.jp>
References: <202502281412.51SECsWG048020@nuc.oldach.net> <20250228162252.E5053324@slippy.cwsent.com> <20250301053719.2449ddcf28e417f6639ac58f@dec.sakura.ne.jp>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

On Sat, 1 Mar 2025 05:37:19 +0900
Tomoaki AOKI wrote:

> On Fri, 28 Feb 2025 08:22:52 -0800
> Cy Schubert wrote:
>
> > In message <202502281412.51SECsWG048020@nuc.oldach.net>, Helge Oldach
> > writes:
> > > Tomoaki AOKI wrote on Fri, 28 Feb 2025 10:53:24 +0100 (CET):
> > > > Unfortunately, this commit caused ntpd hesitating to (re)start
> > > > with the error messages below on stable/14, amd64.
> > > >
> > > > ===== Quote =====
> > > > # service ntpd stop
> > > > Stopping ntpd.
> > > > Waiting for PIDS: 52508.
> > > > # service ntpd start
> > > > Starting ntpd.
> > > > daemon control: got EOF
> > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > #
> > > > ===== End quote =====
> > > >
> > > > Note that I have
> > > > ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> > > > ntpd_config="/etc/ntp/ntp.conf"
> > > > ntpd_enable="YES"
> > > > ntpd_sync_on_start="YES"
> > > > daily_ntpd_leapfile_enable="YES"
> > > > ntp_leapfile_fetch_verbose="YES"
> > > > in my /etc/rc.conf.
> > >
> > > I suggest ensuring that the files referenced by the command line or by
> > > configuration files can be created/written to by ntpd:ntpd.
> > >
> > > For example, you're not using the default location for ntpd.drift.
> > > The default location is /var/db/ntp/ntpd.drift, where the directory
> > > /var/db/ntp/ is owned by ntpd:ntpd (as per /etc/mtree/BSD.var.dist), so
> > > ntpd is able to write the drift file after dropping privileges.
> > >
> > > Kind regards
> > > Helge
>
> Thanks for the advice!
>
> IIRC, my configuration was to allow keeping use of the old-school place.
>
> Anyway, edited /etc/rc.conf to switch /var/db/ntpd.drift
> to /var/db/ntp/ntpd.drift (the service command picks configs every time
> it is invoked, so no reboots), without luck. Of course, /var/db/ntp has
> ntpd:ntpd ownership.
>
> Comparing succeeded (with reverted /etc/rc.d/ntpd) and failed
> (/etc/rc.d/ntpd without reverts), I found an error only in the latter
> case.
>
> 1 Mar 04:32:59 ntpd[12772]: Need MAC 'ntpd' policy enabled to drop root privileges
> 1 Mar 04:32:59 ntpd[12771]: daemon child exited with code 255
>
> In the normal case, ntpd starts soliciting pool servers, but in the
> erroneous case, it stops there (does not start soliciting pool servers).
>
> > This looks like it's related to,
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284863, which is upstream
> > https://bugs.ntp.org/show_bug.cgi?id=3967. It's a regression in 4.2.8p18.
>
> Thanks!
> But it's not my case. All interfaces have different IP addresses.
> (Some are hidden with "*".)
>
> % ifconfig
> em0: flags=1008843 metric 0 mtu 1454
>         options=4e504bb
>         ether 98:*:*:*:*:*
>         inet 192.168.*.45 netmask 0xffffff00 broadcast 192.168.*.255
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=29
> lo0: flags=1008049 metric 0 mtu 16384
>         options=680003
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>         groups: lo
>         nd6 options=21
> wlan0: flags=8c43 metric 10 mtu 1500
>         options=0
>         ether 24:*:*:*:*:*
>         inet 192.168.*.108 netmask 0xffffff00 broadcast 192.168.*.255
>         groups: wlan
>         ssid "" channel 36 (5180 MHz 11a)
>         regdomain JAPAN country JP authmode WPA1+WPA2/802.11i privacy ON
>         deftxkey UNDEF txpower 23 bmiss 7 mcastrate 6 mgmtrate 6
>         scanvalid 60 wme roaming MANUAL
>         parent interface: iwlwifi0
>         media: IEEE 802.11 Wireless Ethernet autoselect mode 11a
>         status: no carrier
>         nd6 options=29
>
> The problem seems to be "how to enable the MAC 'ntpd' policy?".
>
> Reading Chapter 18 of the Handbook (especially 18.5) and looking
> into /boot/kernel, mac_ntpd.ko seems to be the culprit, but as I still
> have confusion with the MAC feature, I'm not 100% sure whether loading it
> is safe or not, thus, still cannot try loading it.
>
> *I've read somewhere (lost track of where) a statement that "once the MAC
> feature is enabled in a filesystem, it cannot be disabled anymore and
> possibly causes fatal problems on interoperability".
> This does not match the Handbook, at least 18.5, though.
>
> My /etc/rc.conf is carried over from 2.1.6.1 (IIRC) with modifications
> as needed. So it doesn't have MAC (not MAC address but Mandatory Access
> Control feature, I guess) related configurations in it.
>
> IMHO, these kinds of mandated (and considered to be safe) configurations
> should be in /etc/defaults/rc.conf (including auto-loading mandatory
> in-tree kmods) by default and overridden in /etc/rc.conf[.local] whenever
> actually needed.

Tried and turned out that mac_ntpd.ko, which is not auto-loaded, was the
culprit. Loading it manually resolved the issue.

Looking closer (not limited to the diff) into /etc/rc.d/ntpd, it has the
function can_run_nonroot() and it has code to auto-load mac_ntpd.ko, but
it doesn't work because the checks for options that access files run
before the auto-load code, thus, it returns earlier if any of the -f, -k,
-p, -i, -l and -s options are specified.

I think this order is basically reversible, as /var/db/ntp/ is defaulted
with ownership ntpd:ntpd and ntpd.drift has defaulted to ntpd:ntpd. And
the pid file and log file are (IIUC) opened before the privilege is
dropped and kept open. Not sure about keyfile, jaildir and statsdir, as I
haven't specified them.

> > --
> > Cheers,
> > Cy Schubert
> > FreeBSD UNIX: Web: https://FreeBSD.org
> > NTP: Web: https://nwtime.org
> >
> > e^(i*pi)+1=0
>
> Regards.
>
> --
> Tomoaki AOKI

--
Tomoaki AOKI
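A diagnostic an administrator could run before `service ntpd start`, written here as an added example (not code from the thread, from FreeBSD's /etc/rc.d/ntpd, or from the list). It walks an ntpd_flags string for the file-referencing options the thread names (-f, -k, -p, -i, -l, -s) and, following the thread's diagnosis that can_run_nonroot() returns before its mac_ntpd.ko auto-load when any of them is present, reports whether mac_ntpd must be loaded by hand; the kldstat(8) listing is passed in as text (an assumption made so it runs anywhere; on FreeBSD pass "$(kldstat)"), and the sample flags and listing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /etc/rc.d/ntpd.
# Lists the ntpd_flags options that name files (-f -k -p -i -l -s, as named in
# the thread), which must stay usable by ntpd:ntpd after the privilege drop, and,
# per the thread's diagnosis that can_run_nonroot() returns before its mac_ntpd.ko
# auto-load when any is present, says whether the admin has to load mac_ntpd.
# The kldstat(8) listing is passed as text; on FreeBSD use "$(kldstat)".

# Print "option path" for each file-referencing option in $1
# (separate-argument form, e.g. "-f /var/db/ntp/ntpd.drift").
ntpd_file_opts() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -f|-k|-p|-i|-l|-s) [ $# -ge 2 ] && printf '%s %s\n' "$1" "$2" && shift ;;
        esac
        shift
    done
}

# True (0) when the rc script would skip its mac_ntpd auto-load for flags $1.
autoload_skipped() {
    [ -n "$(ntpd_file_opts "$1")" ]
}

# True (0) when the kldstat listing in $1 shows mac_ntpd.ko loaded.
mac_ntpd_loaded() {
    printf '%s\n' "$1" | awk '$NF == "mac_ntpd.ko" { f = 1 } END { exit !f }'
}

# Print the verdict for flags $1 and kldstat listing $2; always returns 0.
report() {
    ntpd_file_opts "$1" | while read -r opt path; do
        printf 'option %s names %s: must be usable by ntpd:ntpd\n' "$opt" "$path"
    done
    if autoload_skipped "$1" && ! mac_ntpd_loaded "$2"; then
        echo 'mac_ntpd.ko is not loaded and rc will not load it: run "kldload mac_ntpd" or'
        echo 'set mac_ntpd_load="YES" in /boot/loader.conf, or ntpd refuses to drop root'
    else
        echo 'ntpd can drop root privileges'
    fi
}

# Constructed sample input: the flags quoted in the thread and a (constructed)
# kldstat listing without mac_ntpd.ko.
SAMPLE_FLAGS='-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log'
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   10 0xffffffff80200000  1f3e1a8 kernel'
report "$SAMPLE_FLAGS" "$SAMPLE_KLDSTAT"
```

With the thread's flags the script reports both -f and -l as file options and, with no mac_ntpd.ko in the listing, prints the kldload advice; a flags string such as "-4 -g -x" yields no file options and the auto-load path is reached.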