svn commit: r336553 - head/share/man/man4

Ian Lepore ian at FreeBSD.org
Fri Jul 20 16:06:45 UTC 2018


Author: ian
Date: Fri Jul 20 16:06:44 2018
New Revision: 336553
URL: https://svnweb.freebsd.org/changeset/base/336553

Log:
  Apply some late-arriving markup suggestions from the phab review, and add a
  paragraph that mentions the possibility of starting ntpd as a non-root user
  rather than starting it as root and using its '-u' option to drop root privs
  after startup.
  
  Differential Revision:	 https://reviews.freebsd.org/D16281

Modified:
  head/share/man/man4/mac_ntpd.4

Modified: head/share/man/man4/mac_ntpd.4
==============================================================================
--- head/share/man/man4/mac_ntpd.4	Fri Jul 20 15:37:29 2018	(r336552)
+++ head/share/man/man4/mac_ntpd.4	Fri Jul 20 16:06:44 2018	(r336553)
@@ -23,7 +23,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2018
+.Dd July 20, 2018
 .Dt MAC_NTPD 4
 .Os
 .Sh NAME
@@ -45,8 +45,9 @@ place the following line in your kernel configuration 
 .Pp
 and in
 .Xr loader.conf 5 :
-.Pp
-.Dl "mac_ntpd_load=""YES"""
+.Bd -literal -offset indent
+mac_ntpd_load="YES"
+.Ed
 .Sh DESCRIPTION
 The
 .Nm
@@ -58,30 +59,28 @@ system time, and to (re-)bind to the privileged NTP po
 When
 .Xr ntpd 8
 is started with
-.Sq -u\ <user>
+.Sq Fl u Ar <user>[:group]
 on the command line, it performs all initializations requiring root
 privileges, then drops root privileges by switching to the given user id.
 From that point on, the only privileges it requires are the ability
 to manipulate system time, and the ability to re-bind a UDP socket
 to the NTP port (port 123) after a network interface change.
-By default,
-.Fx
-starts
-.Xr ntpd 8
-with
-.Sq -u\ ntpd:ntpd
-on the command line, if the mac_ntpd policy is available to grant
-the required privileges.
 .Pp
+With the
+.Nm
+policy active, it may also be possible to start ntpd as a non-root user,
+because the default ntpd options don't require any additional root
+privileges beyond those granted by the policy.
+.Pp
 .Ss Privileges Granted
 The exact set of kernel privileges granted to any process running
 with the configured uid is:
 .Bl -inset -compact -offset indent
-.It PRIV_ADJTIME
-.It PRIV_CLOCK_SETTIME
-.It PRIV_NTP_ADJTIME
-.It PRIV_NETINET_RESERVEDPORT
-.It PRIV_NETINET_REUSEPORT
+.It Dv PRIV_ADJTIME
+.It Dv PRIV_CLOCK_SETTIME
+.It Dv PRIV_NTP_ADJTIME
+.It Dv PRIV_NETINET_RESERVEDPORT
+.It Dv PRIV_NETINET_REUSEPORT
 .El
 .Pp
 .Ss Runtime Configuration
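Review bot: The added paragraph ("it may also be possible to start ntpd as a non-root user") does not say which user it means. The Privileges Granted text just below grants the privileges to "any process running with the configured uid", so the paragraph should state that the non-root user has to be that uid; a different user would not be covered by the policy. The paragraph also writes plain "ntpd" where the surrounding text uses .Xr ntpd 8, and the new .Pp placed directly before .Ss Privileges Granted has no effect in front of a subsection header and can be dropped. With the "By default, FreeBSD starts ntpd with -u ntpd:ntpd" sentence removed, the page no longer tells the reader how ntpd is started by default; consider keeping a sentence on that. In the .Sq Fl u Ar <user>[:group] line, the literal angle brackets are redundant under Ar, and the optional group would mark up more cleanly as Ar user Ns Op : Ns Ar group.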

