Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
Date: Tue, 11 Mar 2025 17:13:12 UTC
On 11.03.2025 at 17:29, Marek Zarychta wrote:
> On 11.03.2025 at 16:13, Cy Schubert wrote:
>> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>, Tomoaki AOKI writes:
>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
>>>
>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>> Hello List Subscribers,
>>>>>>
>>>>>> in the past the module was loaded automatically upon NTPD server startup.
>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>> Perhaps people running stable/14 might find this message useful.
>>>> Hmm, works for me on main and stable/14.
>>>>
>>>>> So... I noticed this for (precisely) one of the five machines I have
>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
>>>>> usual.
>>>>>
>>>>> In the failing case, it seems that
>>>>>
>>>>> sysctl security.mac.version
>>>>>
>>>>> yielded
>>>>>
>>>>> sysctl: unknown oid 'security.mac.version'
>>>> I only get this if I build a kernel without "options MAC". But in this
>>>> case no mac_* kernel modules are built and ntpd fails with:
>>>>
>>>> Starting ntpd.
>>>> daemon control: got EOF
>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>> In this case, you'll find something like
>>> Need MAC 'ntpd' policy enabled to drop root privileges
>>> daemon child exited with code 255
>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>> possibly /var/log/messages by default).
>> I don't understand why some systems (those in this thread) have a problem
>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
>> like to try to understand the differences between those that work and those
>> that don't.
>>
>> First of all, the ntpd rc script bails without saying why when it
>> encounters a problem. can_run_nonroot() simply returns a bad return code
>> leaving us to wonder why.
>>
>> The first order of business is to produce a patch to indicate why it
>> bails. Please apply the attached patch and let me know where it fails.
>> Messages will be printed to stderr and to /var/log/messages (assuming
>> daemon.err is sent there).
>>
>>> --
>>> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>>>
>>
>> Cheers,
>> Cy Schubert <Cy.Schubert@cschubert.com>
>> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
>> NTP: <cy@nwtime.org> Web: https://nwtime.org
>>
>> e^(i*pi)+1=0
>
> Output from the patch:
>
> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> Mar 11 17:20:35 plan-b ntpd[60113]: ----------------------------------------------------
> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network Time Foundation,
> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training for ntp-4 are
> Mar 11 17:20:35 plan-b ntpd[60113]: available at https://www.nwtime.org/support
> Mar 11 17:20:35 plan-b ntpd[60113]: ----------------------------------------------------
> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file /var/log/ntp
> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to start ntpd
>
> Debugging output from the unpatched /etc/rc.d/ntpd:
>
> (...)
>
> + echo 'Starting ntpd.'
> Starting ntpd.
> + [ -n '' ]
> + _cd=''
> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + [ -n '' ]
> + [ -n '' ]
> + [ -n '' ]
> + [ -n '' ]
> + _doit=' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + _run_rc_doit ' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + local _m
> + debug 'run_rc_command: doit: limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + umask
> + _m=0022
> +
> + eval ' limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> daemon control: got EOF
> + _return=255
> + umask 0022
> + [ 255 -ne 0 ]
> + [ -z '' ]
> + return 1
> + warn 'failed to start ntpd'
> + [ -x /usr/bin/logger ]
> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> + return 1

The real problem is here:

+ [ -n '' ]
+ local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir'
+ grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
+ return 1

To reproduce: use a config matching the regex from the above, for example add the line:

logfile /var/log/ntp.log

to the ntp.conf. 15-CURRENT is also affected this way. It's a bit odd that nobody has reported it yet.

Problems made by the can_run_nonroot function can be fixed by removing lines 60-64 from the starting script.
https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63

Cheers
--
Marek Zarychta
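As an added example (not code from the thread or from FreeBSD's own rc.d/ntpd), the shell functions below replay the can_run_nonroot() grep shown in the debug trace against an ntp.conf and name the directives that keep ntpd on the root path, the path where the rc script does not load mac_ntpd by itself. The two ntp.conf samples are constructed for the demonstration and the function names are mine.

```shell
#!/bin/sh
# Added diagnostic (not from FreeBSD's rc.d/ntpd): replay the
# can_run_nonroot() regex from the trace above against a config file and
# report which directives make the rc script keep ntpd as root.

# Exact pattern quoted from the /etc/rc.d/ntpd debug trace in the thread.
NTPD_FILEOPTS='^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[ \t]*logfile|^[ \t]*statsdir'

# Print each matching directive keyword once (e.g. "logfile").
# Exit status mirrors can_run_nonroot(): 1 if anything matched, else 0.
ntpd_root_directives() {
    grep -E "$NTPD_FILEOPTS" "$1" | awk '{ print $1 }' | sort -u
    ! grep -E -q "$NTPD_FILEOPTS" "$1"
}

# Verdict the rc script would reach for this file: "nonroot" or "root".
ntpd_rc_verdict() {
    if ntpd_root_directives "$1" >/dev/null; then
        echo nonroot
    else
        echo root
    fi
}

# Constructed sample configs for the demonstration (not from a real host).
NTPD_DEMO_DIR=$(mktemp -d)
cat > "$NTPD_DEMO_DIR/clean.conf" <<'EOF'
server 0.pool.ntp.org iburst
restrict default limited kod nomodify notrap noquery
EOF
cat > "$NTPD_DEMO_DIR/logfile.conf" <<'EOF'
server 0.pool.ntp.org iburst
# the directive from the thread that trips the check
logfile /var/log/ntp.log
   driftfile /var/db/ntp/ntpd.drift
EOF

# Stand-alone run: prints "nonroot", then "driftfile", "logfile", "root".
ntpd_rc_verdict "$NTPD_DEMO_DIR/clean.conf"
ntpd_root_directives "$NTPD_DEMO_DIR/logfile.conf" || true
ntpd_rc_verdict "$NTPD_DEMO_DIR/logfile.conf"
```

Point ntpd_rc_verdict at a real /etc/ntp.conf to check, before touching the rc script, whether a logfile, driftfile, statsdir, key or crypto line is what stops mac_ntpd from being loaded on a given host.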