/usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

[Dimitry Andric]

On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs at berklix.com> wrote:
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0, the process runs, But fails to correct
> the time !  Next thing to diagnose it, would be a kill of ntpd &
> restart direct as root, I'm not root there so I'll wait for that.
> 
> Are others 12 systems slipping time too ?

My systems are working fine, even though ntpd is running as user ntpd.

There's this new part in /etc/rc.d/ntpd, which may be the reason it is
not working for you:

        # Try to set up the the MAC ntpd policy so ntpd can run with reduced
        # privileges.  Detect whether MAC is compiled into the kernel, load
        # the policy module if not already present, then check whether the
        # policy has been disabled via tunable or sysctl.
        [ -n "$(sysctl -qn security.mac.version)" ] || return 1
        sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
        [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1

So it tries to setup that MAC policy, which shows up in syslog like:

kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
ntpd[810]: ntpd 4.2.8p12-a (1): Starting
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

Maybe on your system something goes wrong loading the mac_ntpd module,
or setting the sysctl, but it still continues to attempt to run ntpd as
non-root?

I would run /etc/rc.d/ntpd with sh -x to see what is doing exactly.

-Dimitry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 223 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20190313/a6eee667/attachment.sig>