/usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
Eugene Grosbein
eugen at grosbein.net
Wed Mar 13 13:02:07 UTC 2019
13.03.2019 19:06, Dimitry Andric wrote:
> On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs at berklix.com> wrote:
>> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
>> uid=123 not root on 12.0, the process runs, but fails to correct
>> the time! Next thing to diagnose it, would be a kill of ntpd &
>> restart direct as root, I'm not root there so I'll wait for that.
>>
>> Are others' 12 systems slipping time too?
>
> My systems are working fine, even though ntpd is running as user ntpd.
>
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
>
> # Try to set up the MAC ntpd policy so ntpd can run with reduced
> # privileges. Detect whether MAC is compiled into the kernel, load
> # the policy module if not already present, then check whether the
> # policy has been disabled via tunable or sysctl.
> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>
> So it tries to set up that MAC policy, which shows up in syslog like:
>
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>
> Maybe on your system something goes wrong loading the mac_ntpd module,

Loading mac_XXX modules requires options MAC in the running kernel.
GENERIC has the option but a custom kernel may lack it.
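
An added example, not part of the original thread or of /etc/rc.d/ntpd: a read-only shell function that repeats the three checks quoted above and names the first one that fails, including the missing `options MAC` case from the reply. The function name, messages and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic (not from /etc/rc.d/ntpd). It only reads sysctl values;
# unlike the rc script it does not call kldload, so it changes nothing.
# Return codes chosen for this example:
#   0 = policy active
#   1 = kernel built without the MAC framework
#   2 = mac_ntpd policy not loaded
#   3 = policy loaded but disabled via tunable or sysctl
ntpd_mac_status() {
    # Check 1: security.mac.version is empty when the running kernel
    # lacks "options MAC" (GENERIC has it, a custom kernel may not).
    if [ -z "$(sysctl -qn security.mac.version)" ]; then
        echo "MAC framework absent: running kernel lacks options MAC"
        return 1
    fi

    # Check 2: the security.mac.ntpd node exists only once the policy
    # module is registered with the kernel.
    if ! sysctl -qn security.mac.ntpd >/dev/null; then
        echo "mac_ntpd not loaded: rc.d/ntpd would try kldload -qn mac_ntpd"
        return 2
    fi

    # Check 3: the policy can still be switched off at runtime or boot.
    if [ "$(sysctl -qn security.mac.ntpd.enabled)" != "1" ]; then
        echo "mac_ntpd loaded but security.mac.ntpd.enabled is not 1"
        return 3
    fi

    echo "mac_ntpd policy active: ntpd can run with reduced privileges"
    return 0
}
```

Source the file and run `ntpd_mac_status; echo "rc=$?"` on the affected host; a result of 1 matches the custom-kernel case described in the reply.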