/usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Julian H. Stacey jhs at berklix.com
Wed Mar 13 13:37:38 UTC 2019 

> On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs at berklix.com> wrote:
> > Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> > uid=3D123 not root on 12.0, the process runs, But fails to correct
> > the time !  Next thing to diagnose it, would be a kill of ntpd &
> > restart direct as root, I'm not root there so I'll wait for that.
> >=20
> > Are others 12 systems slipping time too ?
> 
> My systems are working fine, even though ntpd is running as user ntpd.
> 
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
> 
>         # Try to set up the the MAC ntpd policy so ntpd can run with =
> reduced
>         # privileges.  Detect whether MAC is compiled into the kernel, =
> load
>         # the policy module if not already present, then check whether =
> the
>         # policy has been disabled via tunable or sysctl.
>         [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>         sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd =
> || return 1
>         [ "$(sysctl -qn security.mac.ntpd.enabled)" =3D=3D "1" ] || =
> return 1
> 
> So it tries to setup that MAC policy, which shows up in syslog like:
> 
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash =
> signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, =
> expire=3D2019-06-28T00:00:00Z last=3D2017-01-01T00:00:00Z ofs=3D37
> 
> Maybe on your system something goes wrong loading the mac_ntpd module,
> or setting the sysctl, but it still continues to attempt to run ntpd as
> non-root?
> 
> I would run /etc/rc.d/ntpd with sh -x to see what is doing exactly.
> 
> -Dimitry

> Loading mac_XXX modules requires options MAC in running kernel.
> GENERIC has options but custom kernel may lack it.

> -Dimitry

config -x /boot/kernel/kernel > ~/tmp/config
  options CONFIG_AUTOGENERATED
  ident   GENERIC

sysctl -qn security.mac.version
  4

kldstat
  Id Refs Address                Size Name
   1   19 0xffffffff80200000  243cd00 kernel
   5    1 0xffffffff82c47000      acf mac_ntpd.ko

grep mac /boot/loader.conf
  # so probably the kernel module was loaded by ntpd

# _ntp_default_dir
ls -la /var/db/ntp
total 10
drwxr-xr-x   2 ntpd  ntpd    4 Mar 11 23:39 .
drwxr-xr-x  15 root  wheel  21 Feb 15 03:58 ..
-rw-r--r--   1 ntpd  ntpd    6 Mar 11 23:39 ntpd.drift
-rw-r--r--   1 ntpd  ntpd    5 Mar 13 13:53 ntpd.pid

cd /etc; ls -ls | grep ntp
  drwx------  2 root  wheel         3 Dec  7 05:16 ntp
  -rw-r--r--  1 root  wheel      3997 Dec  7 05:16 ntp.conf

ls -l /var/run/ntpd.leap-seconds.list
  ls: /var/run/ntpd.leap-seconds.list: No such file or directory

I have bcc'd the owner & will wait for him to try as root:
  sh -x /etc/rc.d/ntpd restart
  sh -x /etc/rc.d/ntpd stop

If he doesnt see clues with that, maybe I will soon when my current laptop
will be travelling & also using ntpd.

Thanks Dimitry

Cheers,
Julian
-- 
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
 Brexit now minority:  2.1 M now over 18, More Remainers;  1.5 M died, less
 Leavers; 700 K votes Stolen from British Remainers in EU; + 3 M globaly
 dis- franchised; + drift to Remain + avoid chaos.  MPs should urge Queen: 
 Dismiss May, appoint new PM for unity government & 2nd Referendum.  Revoke
 Art. 50, plan better, refile Art.50 later?  http://ExitBrexit.UK/#email_an_mp

More information about the freebsd-hackers mailing list