From nobody Mon Mar 10 11:51:40 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBFcT5Q2Mz5qmcF
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 11:52:09 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBFcS25w8z3GY5
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 11:52:07 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=plan-b.pwste.edu.pl header.s=plan-b-mailer header.b=oznlOk8z;
dmarc=pass (policy=quarantine) header.from=plan-b.pwste.edu.pl;
spf=pass (mx1.freebsd.org: domain of zarychtam@plan-b.pwste.edu.pl designates 2001:678:618::40 as permitted sender) smtp.mailfrom=zarychtam@plan-b.pwste.edu.pl
Received: from [IPV6:2001:678:618:402f:d0b2:419a:17a1:2b5b] ([IPv6:2001:678:618:402f:d0b2:419a:17a1:2b5b])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52ABq16U053578
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO)
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 12:52:01 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741607521;
bh=FuVpqacbOrRcsPWjwgj2RxVKIxvZHsKl4f1n+O9rOSo=;
h=Date:To:From:Subject;
b=oznlOk8zMVKu4HB7iIL4r2alyrq/37bOAPDh8pbRzRyqok9gmsssIsZtH+BGIt+zY
DeY6P9sIn/OudKofPp65e1TW+yNGtmQ0j8peFMSnsnsXi1DM4YdQRxSCeWxjOYO0QQ
1k9gx7EdSkVgF+oAhqlTEVA3rjxi02EkwQUh/h2JB9xasOZu8k//KNK1s+gXH0nzjt
x7/qeQ06psD1GQ0QquIwGG7oS5ZmkA8vTSsMET7R+0til3AgWFtYD85JJHs7+ShF89
vexWEVtPGI1WRPbl5qDHkegNPbFj2NdfWTWoFXXgXknk/8No4BZds/lZU2DSgKWBa+
dHtL5mm5ZmEQQ==
Message-ID: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
Date: Mon, 10 Mar 2025 13:51:40 +0200
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: freebsd-stable@freebsd.org
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Subject: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spamd-Result: default: False [-2.63 / 15.00];
DWL_DNSWL_MED(-2.00)[pwste.edu.pl:dkim];
NEURAL_SPAM_LONG(0.92)[0.923];
NEURAL_HAM_SHORT(-0.92)[-0.916];
NEURAL_SPAM_MEDIUM(0.86)[0.859];
DMARC_POLICY_ALLOW(-0.50)[plan-b.pwste.edu.pl,quarantine];
RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
RCVD_IN_DNSWL_MED(-0.20)[2001:678:618::40:from];
R_DKIM_ALLOW(-0.20)[plan-b.pwste.edu.pl:s=plan-b-mailer];
R_SPF_ALLOW(-0.20)[+mx];
ONCE_RECEIVED(0.20)[];
MIME_GOOD(-0.10)[text/plain];
FROM_EQ_ENVFROM(0.00)[];
TO_DN_NONE(0.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL];
RCPT_COUNT_ONE(0.00)[1];
ARC_NA(0.00)[];
MIME_TRACE(0.00)[0:+];
PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org];
TO_MATCH_ENVRCPT_ALL(0.00)[];
MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org];
RCVD_COUNT_ONE(0.00)[1];
RCVD_VIA_SMTP_AUTH(0.00)[];
MID_RHS_MATCH_FROM(0.00)[];
RCVD_TLS_ALL(0.00)[];
DKIM_TRACE(0.00)[plan-b.pwste.edu.pl:+];
FROM_HAS_DN(0.00)[]
X-Rspamd-Queue-Id: 4ZBFcS25w8z3GY5
X-Spamd-Bar: --
Hello List Subscirbers,
in the past the module was loaded automatically upon NTPD server
startup. It's no longer true, now it has to be loaded earlier.
Perhaps people running stable/14 might find this message useful.
Cheers
--
Marek Zarychta
From nobody Mon Mar 10 12:06:25 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBFx03KPRz5qnQ7
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 12:06:28 +0000 (UTC)
(envelope-from david@catwhisker.org)
Received: from mx.catwhisker.org (mx.catwhisker.org [107.204.234.170])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBFwz4m24z3NLb
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 12:06:27 +0000 (UTC)
(envelope-from david@catwhisker.org)
Authentication-Results: mx1.freebsd.org;
none
Received: from albert.catwhisker.org (localhost [127.0.0.1])
by albert.catwhisker.org (8.18.1/8.18.1) with ESMTP id 52AC6PFP016519;
Mon, 10 Mar 2025 12:06:25 GMT
(envelope-from david@albert.catwhisker.org)
Received: (from david@localhost)
by albert.catwhisker.org (8.18.1/8.18.1/Submit) id 52AC6PlY016518;
Mon, 10 Mar 2025 05:06:25 -0700 (PDT)
(envelope-from david)
Date: Mon, 10 Mar 2025 05:06:25 -0700
From: David Wolfskill <david@catwhisker.org>
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Cc: freebsd-stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-ID: <Z87VwY27sY8X0ySB@albert.catwhisker.org>
Mail-Followup-To: David Wolfskill <david@catwhisker.org>,
Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>,
freebsd-stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="oyorpNvCrhgjCRqh"
Content-Disposition: inline
In-Reply-To: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7018, ipnet:107.192.0.0/12, country:US]
X-Rspamd-Queue-Id: 4ZBFwz4m24z3NLb
X-Spamd-Bar: ----
--oyorpNvCrhgjCRqh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> Hello List Subscirbers,
>=20
> in the past the module was loaded automatically upon NTPD server startup.
> It's no longer true, now it has to be loaded earlier.
> Perhaps people running stable/14 might find this message useful.
>=20
> Cheers
> ....
So... I noticed this for (precisely) one of the five machines I have
that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
usual.
In the failing case, it seems that
sysctl security.mac.version
yielded
sysctl: unknown oid 'security.mac.version'
which thus caused the code in /etc/rc.d/ntpd:
# Try to set up the MAC ntpd policy so ntpd can run with reduced
# privileges. Detect whether MAC is compiled into the kernel, load
# the policy module if not already present, then check whether the
# policy has been disabled via tunable or sysctl.
[ -n "$(sysctl -qn security.mac.version)" ] || return 1
sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || =
return 1
[ "$(sysctl -qn security.mac.ntpd.enabled)" =3D=3D "1" ] || return 1
(in can_run_nonroot()) to return before the kldload can run.
As the (only) machine that exhibits the failure is the one that
acts as my Internet gateway, I am fairly reluctant to have it down
longer than necessary. :-}
(I admit that I was beginning to wonder if what I seemed to be
seeing was actually real.)
Peace,
david
--=20
David H. Wolfskill david@catwhisker.org
Thank you, Claude Malhuret.
https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
See https://www.catwhisker.org/~david/publickey.gpg for my public key.
--oyorpNvCrhgjCRqh
Content-Type: application/pgp-signature; name=signature.asc
-----BEGIN PGP SIGNATURE-----
iNUEARYKAH0WIQSTLzOSbomIK53fjFliipiWhXYx5QUCZ87VwV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTMy
RjMzOTI2RTg5ODgyQjlEREY4QzU5NjI4QTk4OTY4NTc2MzFFNQAKCRBiipiWhXYx
5YXJAQCtdJxyrgk7889/kvmuN8vw5zmp4HUksSyzDbNGw+kuLgEAp/GEBcKryenA
whHj4PMn7QuYDfTnb+HuwpbonK4MHwU=
=ZZaz
-----END PGP SIGNATURE-----
--oyorpNvCrhgjCRqh--
From nobody Mon Mar 10 12:17:10 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBGBn1CnRz5qp1W
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 12:18:25 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBGBm2VYgz3Sw5
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 12:18:24 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52ACHArw099808;
Mon, 10 Mar 2025 21:17:12 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741609033;
bh=c+UqDd7w48sLxSHRSNBj1YJS/jCk2PmmCx41xGN1izI=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=FW9y2nP7B9n+HuHBj047tb6oGH4vPeQZu8XSDHPGmiIAMlrcKpKKcloGiZY+vNOWT
siahj0akqeSraOzL++J1C5YhxaxVzQBN5RNVPcDOU7ITE1tmn5P+pzb1pivBewSudz
C0+N5pwfYYL78tuBxA8FglwrJrjK4xI3sUMuBj60=
Date: Mon, 10 Mar 2025 21:17:10 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: David Wolfskill <david@catwhisker.org>
Cc: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>, freebsd-stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250310211710.a7c3405c50b360138e2eb269@dec.sakura.ne.jp>
In-Reply-To: <Z87VwY27sY8X0ySB@albert.catwhisker.org>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZBGBm2VYgz3Sw5
X-Spamd-Bar: ----
On Mon, 10 Mar 2025 05:06:25 -0700
David Wolfskill <david@catwhisker.org> wrote:
> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > Hello List Subscirbers,
> >
> > in the past the module was loaded automatically upon NTPD server startup.
> > It's no longer true, now it has to be loaded earlier.
> > Perhaps people running stable/14 might find this message useful.
> >
> > Cheers
> > ....
>
> So... I noticed this for (precisely) one of the five machines I have
> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> usual.
>
> In the failing case, it seems that
>
> sysctl security.mac.version
>
> yielded
>
> sysctl: unknown oid 'security.mac.version'
>
> which thus caused the code in /etc/rc.d/ntpd:
>
> # Try to set up the MAC ntpd policy so ntpd can run with reduced
> # privileges. Detect whether MAC is compiled into the kernel, load
> # the policy module if not already present, then check whether the
> # policy has been disabled via tunable or sysctl.
> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>
> (in can_run_nonroot()) to return before the kldload can run.
>
> As the (only) machine that exhibits the failure is the one that
> acts as my Internet gateway, I am fairly reluctant to have it down
> longer than necessary. :-}
>
> (I admit that I was beginning to wonder if what I seemed to be
> seeing was actually real.)
>
> Peace,
> david
> --
> David H. Wolfskill david@catwhisker.org
> Thank you, Claude Malhuret.
> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>
> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
FYI:
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021313.html
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021312.html
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021315.html
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-March/021327.html
Maybe order of some evaluations in /etc/rc.d/ntpd needs to be moved.
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Mon Mar 10 12:21:32 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBGHn0pJCz5qpCl
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 12:22:45 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBGHm5c6cz3VwY
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 12:22:44 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [IPV6:2001:678:618:402f:d0b2:419a:17a1:2b5b] ([IPv6:2001:678:618:402f:d0b2:419a:17a1:2b5b])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52ACLpJP054081
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Mon, 10 Mar 2025 13:21:52 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741609312;
bh=xIE9UgcQsZ5zWE2gRkpqDhSXt/j2GrRXOvm2O333c/4=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=HUT1O8/ABHxr0XFQnj1/u3GbA89x1cGzhdNTaIjv+Vx33cYTsANzZPJxV/lY7E72V
7BTxs+g5su7U2M35snN59GtJ6xKv/OM6Lxnq86T3opodnTPGCDcHF9G1LFamD2W4aW
K7Z8QXQPeQPr1AgRPbMpczW3SruZyeVb6m5+7b8y9XWulFhgPSXAfgj7P4Z0YK92uc
GVDbAsu/QiacZRwzNXtVVPz6YxQR2sAgqWQb9fpTggJSwDZNSwVjev/TgbrGRatFSM
1crv267WEyoyvRWwg8XeGLM2dV/GGB4qlmWIV5nmAYyxnLIE/tWiMI4EDH7iUWmSjZ
9XNig6vuZax8Q==
Message-ID: <0d4bb787-ca68-4396-ab19-6b9cbeb27b34@plan-b.pwste.edu.pl>
Date: Mon, 10 Mar 2025 14:21:32 +0200
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
David Wolfskill <david@catwhisker.org>
Cc: freebsd-stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<20250310211710.a7c3405c50b360138e2eb269@dec.sakura.ne.jp>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
In-Reply-To: <20250310211710.a7c3405c50b360138e2eb269@dec.sakura.ne.jp>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZBGHm5c6cz3VwY
X-Spamd-Bar: ----
W dniu 10.03.2025 o 14:17, Tomoaki AOKI pisze:
> On Mon, 10 Mar 2025 05:06:25 -0700
> David Wolfskill <david@catwhisker.org> wrote:
>
>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>> Hello List Subscirbers,
>>>
>>> in the past the module was loaded automatically upon NTPD server startup.
>>> It's no longer true, now it has to be loaded earlier.
>>> Perhaps people running stable/14 might find this message useful.
>>>
>>> Cheers
>>> ....
>> So... I noticed this for (precisely) one of the five machines I have
>> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
>> usual.
>>
>> In the failing case, it seems that
>>
>> sysctl security.mac.version
>>
>> yielded
>>
>> sysctl: unknown oid 'security.mac.version'
>>
>> which thus caused the code in /etc/rc.d/ntpd:
>>
>> # Try to set up the MAC ntpd policy so ntpd can run with reduced
>> # privileges. Detect whether MAC is compiled into the kernel, load
>> # the policy module if not already present, then check whether the
>> # policy has been disabled via tunable or sysctl.
>> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>>
>> (in can_run_nonroot()) to return before the kldload can run.
>>
>> As the (only) machine that exhibits the failure is the one that
>> acts as my Internet gateway, I am fairly reluctant to have it down
>> longer than necessary. :-}
>>
>> (I admit that I was beginning to wonder if what I seemed to be
>> seeing was actually real.)
>>
>> Peace,
>> david
>> --
>> David H. Wolfskill david@catwhisker.org
>> Thank you, Claude Malhuret.
>> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>>
>> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
> FYI:
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021313.html
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021312.html
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021315.html
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-March/021327.html
>
> Maybe order of some evaluations in /etc/rc.d/ntpd needs to be moved.
>
It looks like the problem is here:
+ eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd'
+ limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd
daemon control: got EOF
+ _return=255
+ umask 0022
+ [ 255 -ne 0 ]
+ [ -z '' ]
+ return 1
+ warn 'failed to start ntpd'
--
Marek Zarychta
From nobody Mon Mar 10 13:04:43 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBHFB3NW7z5qr9K
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 13:05:34 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBHF94xTLz3rfc
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 13:05:33 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52AD4hkS011541;
Mon, 10 Mar 2025 22:04:43 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741611884;
bh=Lb7zvoe5BUv8/pL2DbGdvyZM8vvgw2VmwbKIEPMmgaA=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=CfLEl8O8Laq4ebM6dlAby1nru0vpZOThFUd+YDz7koqoT/ESzON+aT/hH7XHku1Ye
n55vaFrVmFpy5EKyXQU02ufq8kUy8KkLfPnlj/Dd/PoXYDDAtLhq7kTo58QW68fSKF
SKpa3eSUcZ01AsD5huzgSdZv8RnT6YLtDQ8JVA9w=
Date: Mon, 10 Mar 2025 22:04:43 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Cc: David Wolfskill <david@catwhisker.org>, freebsd-stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250310220443.03f66b8c506b608d0ecddeae@dec.sakura.ne.jp>
In-Reply-To: <0d4bb787-ca68-4396-ab19-6b9cbeb27b34@plan-b.pwste.edu.pl>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<20250310211710.a7c3405c50b360138e2eb269@dec.sakura.ne.jp>
<0d4bb787-ca68-4396-ab19-6b9cbeb27b34@plan-b.pwste.edu.pl>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZBHF94xTLz3rfc
X-Spamd-Bar: ----
On Mon, 10 Mar 2025 14:21:32 +0200
Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
>
> W dniu 10.03.2025 o�$B".�(B14:17, Tomoaki AOKI pisze:
> > On Mon, 10 Mar 2025 05:06:25 -0700
> > David Wolfskill <david@catwhisker.org> wrote:
> >
> >> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> >>> Hello List Subscirbers,
> >>>
> >>> in the past the module was loaded automatically upon NTPD server startup.
> >>> It's no longer true, now it has to be loaded earlier.
> >>> Perhaps people running stable/14 might find this message useful.
> >>>
> >>> Cheers
> >>> ....
> >> So... I noticed this for (precisely) one of the five machines I have
> >> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> >> usual.
> >>
> >> In the failing case, it seems that
> >>
> >> sysctl security.mac.version
> >>
> >> yielded
> >>
> >> sysctl: unknown oid 'security.mac.version'
> >>
> >> which thus caused the code in /etc/rc.d/ntpd:
> >>
> >> # Try to set up the MAC ntpd policy so ntpd can run with reduced
> >> # privileges. Detect whether MAC is compiled into the kernel, load
> >> # the policy module if not already present, then check whether the
> >> # policy has been disabled via tunable or sysctl.
> >> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
> >> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
> >> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
> >>
> >> (in can_run_nonroot()) to return before the kldload can run.
> >>
> >> As the (only) machine that exhibits the failure is the one that
> >> acts as my Internet gateway, I am fairly reluctant to have it down
> >> longer than necessary. :-}
> >>
> >> (I admit that I was beginning to wonder if what I seemed to be
> >> seeing was actually real.)
> >>
> >> Peace,
> >> david
> >> --
> >> David H. Wolfskill david@catwhisker.org
> >> Thank you, Claude Malhuret.
> >> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
> >>
> >> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
> > FYI:
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021313.html
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021312.html
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021315.html
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-March/021327.html
> >
> > Maybe order of some evaluations in /etc/rc.d/ntpd needs to be moved.
> >
>
> It looks like the problem is here:
>
> + eval ' limits -C daemon�$B".".�(B /usr/sbin/ntpd�$B".�(B -p /var/db/ntp/ntpd.pid -c
> /etc/ntp.conf�$B".�(B -u ntpd:ntpd'
> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> /etc/ntp.conf -u ntpd:ntpd
> daemon control: got EOF
> + _return=255
> + umask 0022
> + [ 255 -ne 0 ]
> + [ -z '' ]
> + return 1
> + warn 'failed to start ntpd'
>
> --
> Marek Zarychta
Yes. Newly added "-u" option mandates mac_ntpd.ko to drop root
priviledge.
Maybe line 48 through 55
https://cgit.freebsd.org/src/tree/libexec/rc/rc.d/ntpd?h=stable/14#n48
of the /etc/rc.d/ntpd would better relocated to after line 68 or
removed. Not tried, though, but this conditional causes the function
to be return to caller before auto-loading mac_ntpd.ko at line 62
through 68.
Another option would be relocating line 62 through 68 to the top of
the function can_run_nonroot().
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Mon Mar 10 15:34:15 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBLYx1tSVz5r16h
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 15:35:17 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBLYw5Mwlz3q8V
for <freebsd-stable@freebsd.org>; Mon, 10 Mar 2025 15:35:16 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52AFYGGu055270
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Mon, 10 Mar 2025 16:34:17 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741620858;
bh=9ygfbBPmI1H2E/Nx+DbMqRqXGi/8bwBb7HDWjU8xpIs=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=PdICuwgNQXD+VQl7nvrGEX5JkXkhxG3GQqdK2bjbr0Z10o6tfHX/1TzrRbnfBpJeb
dioeMHGrBKaqRG7v3wCjbqhOLGl+7nxTU24Ik4zNm7Ov71M2BdyME4YLFa4Xkf4NGW
UpgzhLGrESbuIS2N0IPIIjM15R93IZy3SqRuJKabe7nCrJVP+9KS2MWtka6DuAkH9S
K5WzbORXTa9Wj+SB0MczNoXaJXRKJ8MvZ1eL90vMudwvF0Th705S0N+bNvZkkuBFGb
H+wJQXj0k9jLZtnltxxvaWy/TO5C9nG9mR3uZrHC+/DsRrdjqEU+D2C+bpl7N0BH75
I9r2MMr4hmpQA==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <4c70544d-b2d9-44b0-84a0-d4366478c2c6@plan-b.pwste.edu.pl>
Date: Mon, 10 Mar 2025 16:34:15 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc: David Wolfskill <david@catwhisker.org>, freebsd-stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<20250310211710.a7c3405c50b360138e2eb269@dec.sakura.ne.jp>
<0d4bb787-ca68-4396-ab19-6b9cbeb27b34@plan-b.pwste.edu.pl>
<20250310220443.03f66b8c506b608d0ecddeae@dec.sakura.ne.jp>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <20250310220443.03f66b8c506b608d0ecddeae@dec.sakura.ne.jp>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZBLYw5Mwlz3q8V
X-Spamd-Bar: ----
W dniu 10.03.2025 o 14:04, Tomoaki AOKI pisze:
> On Mon, 10 Mar 2025 14:21:32 +0200
> Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
>
>> W dniu 10.03.2025 o〓14:17, Tomoaki AOKI pisze:
>>> On Mon, 10 Mar 2025 05:06:25 -0700
>>> David Wolfskill <david@catwhisker.org> wrote:
>>>
>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>> Hello List Subscirbers,
>>>>>
>>>>> in the past the module was loaded automatically upon NTPD server startup.
>>>>> It's no longer true, now it has to be loaded earlier.
>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>
>>>>> Cheers
>>>>> ....
>>>> So... I noticed this for (precisely) one of the five machines I have
>>>> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
>>>> usual.
>>>>
>>>> In the failing case, it seems that
>>>>
>>>> sysctl security.mac.version
>>>>
>>>> yielded
>>>>
>>>> sysctl: unknown oid 'security.mac.version'
>>>>
>>>> which thus caused the code in /etc/rc.d/ntpd:
>>>>
>>>> # Try to set up the MAC ntpd policy so ntpd can run with reduced
>>>> # privileges. Detect whether MAC is compiled into the kernel, load
>>>> # the policy module if not already present, then check whether the
>>>> # policy has been disabled via tunable or sysctl.
>>>> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>>>> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>>>> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>>>>
>>>> (in can_run_nonroot()) to return before the kldload can run.
>>>>
>>>> As the (only) machine that exhibits the failure is the one that
>>>> acts as my Internet gateway, I am fairly reluctant to have it down
>>>> longer than necessary. :-}
>>>>
>>>> (I admit that I was beginning to wonder if what I seemed to be
>>>> seeing was actually real.)
>>>>
>>>> Peace,
>>>> david
>>>> --
>>>> David H. Wolfskill david@catwhisker.org
>>>> Thank you, Claude Malhuret.
>>>> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>>>>
>>>> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
>>> FYI:
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021313.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021312.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021315.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-March/021327.html
>>>
>>> Maybe order of some evaluations in /etc/rc.d/ntpd needs to be moved.
>>>
>> It looks like the problem is here:
>>
>> + eval ' limits -C daemon〓〓 /usr/sbin/ntpd〓 -p /var/db/ntp/ntpd.pid -c
>> /etc/ntp.conf〓 -u ntpd:ntpd'
>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>> /etc/ntp.conf -u ntpd:ntpd
>> daemon control: got EOF
>> + _return=255
>> + umask 0022
>> + [ 255 -ne 0 ]
>> + [ -z '' ]
>> + return 1
>> + warn 'failed to start ntpd'
>>
>> --
>> Marek Zarychta
> Yes. Newly added "-u" option mandates mac_ntpd.ko to drop root
> priviledge.
>
> Maybe line 48 through 55
>
> https://cgit.freebsd.org/src/tree/libexec/rc/rc.d/ntpd?h=stable/14#n48
>
> of the /etc/rc.d/ntpd would better relocated to after line 68 or
> removed. Not tried, though, but this conditional causes the function
> to be return to caller before auto-loading mac_ntpd.ko at line 62
> through 68.
>
> Another option would be relocating line 62 through 68 to the top of
> the function can_run_nonroot().
>
Yes, the offending commit is 1a241a911dc8635c3803f1a6620e1ab4692f6ecf
(cherry picked from commit 521f66715afb312b356afafc68cbc044a436a753).
Starting and stopping services in 14/stable and main are done in a
different manner, I have not investigated it much though.
Anyway, it seems like unintentional change, aka regression in stable/14 ...
Cheers
--
Marek Zarychta
From nobody Mon Mar 10 15:37:58 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBLf90RxNz5r1MF
for <stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 15:38:57 +0000 (UTC)
(envelope-from herbert@gojira.at)
Received: from mail.bsd4all.net (mail.bsd4all.net [94.130.200.20])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature ECDSA (secp384r1) client-digest SHA384)
(Client CN "mail.bsd4all.net", Issuer "E6" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBLf81blmz3rwQ
for <stable@freebsd.org>; Mon, 10 Mar 2025 15:38:56 +0000 (UTC)
(envelope-from herbert@gojira.at)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=gojira.at header.s=mail202005 header.b=0G0lArDf;
dmarc=none;
spf=pass (mx1.freebsd.org: domain of herbert@gojira.at designates 94.130.200.20 as permitted sender) smtp.mailfrom=herbert@gojira.at
Date: Mon, 10 Mar 2025 16:37:58 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gojira.at;
s=mail202005; t=1741621134;
bh=YKEXfxANh6XEEPO9rIkBjcyFDDY4NuWQqOG8g5wNg6M=;
h=Date:Message-ID:From:To:Subject:MIME-Version:Content-Type;
b=0G0lArDf+QiOHXAvghtvCPiZOTDJnqeblR7LaoNLQKb27gccxH1j9hzRkkLj01eEt
ZZadkcxbVDUO8Qnmj9nE2HqbUrosIge+qQiZgugzHChphqVQyDCV2mFUc8SLQxqIka
zuVN0kA3NHu2kkH0nGmCI4hhmoK57p2s+N/yb/FTd79Lb+HSlvCPHRkB5/Bnh0gX9v
Q8ANpVMBcKXLh8VXMTtd4FUCpy594jIwHoJdYUTwl7K8AJLBIcwbkxuP5zO9JfdfBq
GgkwQOiVPdXz5EfNCgIdf6uDEabK9JUkR+OEybTCbkupNcVP52BbbwKnoVKzNqdF+2
bdVEoAXX1nHWQ==
Message-ID: <87wmcw6gmh.wl-herbert@gojira.at>
From: "Herbert J. Skuhra" <herbert@gojira.at>
To: stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
In-Reply-To: <Z87VwY27sY8X0ySB@albert.catwhisker.org>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/31.0 Mule/6.0
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-Spamd-Result: default: False [-2.17 / 15.00];
MID_CONTAINS_FROM(1.00)[];
NEURAL_HAM_LONG(-0.98)[-0.983];
NEURAL_HAM_SHORT(-0.95)[-0.947];
NEURAL_HAM_MEDIUM(-0.74)[-0.739];
R_SPF_ALLOW(-0.20)[+ip4:94.130.200.20];
R_DKIM_ALLOW(-0.20)[gojira.at:s=mail202005];
MIME_GOOD(-0.10)[text/plain];
RCPT_COUNT_ONE(0.00)[1];
ASN(0.00)[asn:24940, ipnet:94.130.0.0/16, country:DE];
MIME_TRACE(0.00)[0:+];
FROM_HAS_DN(0.00)[];
DMARC_NA(0.00)[gojira.at];
ARC_NA(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
RCVD_COUNT_ZERO(0.00)[0];
TO_DN_NONE(0.00)[];
MLMMJ_DEST(0.00)[stable@freebsd.org];
TO_MATCH_ENVRCPT_ALL(0.00)[];
DKIM_TRACE(0.00)[gojira.at:+]
X-Rspamd-Queue-Id: 4ZBLf81blmz3rwQ
X-Spamd-Bar: --
On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>
> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > Hello List Subscirbers,
> >
> > in the past the module was loaded automatically upon NTPD server startup.
> > It's no longer true, now it has to be loaded earlier.
> > Perhaps people running stable/14 might find this message useful.
Hmm, works for me on main and stable/14.
> So... I noticed this for (precisely) one of the five machines I have
> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> usual.
>
> In the failing case, it seems that
>
> sysctl security.mac.version
>
> yielded
>
> sysctl: unknown oid 'security.mac.version'
I only get this if I build a kernel without "options MAC". But in this
no mac_* kernel modules are built and ntpd fails with:
Starting ntpd.
daemon control: got EOF
/etc/rc.d/ntpd: WARNING: failed to start ntpd
From nobody Mon Mar 10 16:12:57 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBMPX0SFzz5r2xs
for <stable@mlmmj.nyi.freebsd.org>; Mon, 10 Mar 2025 16:13:04 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBMPW1GcHz45RK
for <stable@freebsd.org>; Mon, 10 Mar 2025 16:13:02 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52AGCvN8063711;
Tue, 11 Mar 2025 01:12:58 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741623178;
bh=qOSw2Iz/6x9Gl/3RmD1s8RD9RQYAiNPogVzmZH5OTGM=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=KY7K8qZadtgD4WgzmRRNZ9ofj8TJLfdhjePhbcQOnkGFMt/KgsOE8wwcD9SJqejKY
7i8QDCAn+yGDMnZoywTDsViGrMhHYhJSXH0Sj297bDG/5nmwTOcdk4sU9FDkN4Guei
uG9vHxG1BoWVbOHwY+OqYZifd0MaAXSk0axIqEYY=
Date: Tue, 11 Mar 2025 01:12:57 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: "Herbert J. Skuhra" <herbert@gojira.at>
Cc: stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
In-Reply-To: <87wmcw6gmh.wl-herbert@gojira.at>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZBMPW1GcHz45RK
X-Spamd-Bar: ----
On Mon, 10 Mar 2025 16:37:58 +0100
"Herbert J. Skuhra" <herbert@gojira.at> wrote:
> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> >
> > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > Hello List Subscirbers,
> > >
> > > in the past the module was loaded automatically upon NTPD server startup.
> > > It's no longer true, now it has to be loaded earlier.
> > > Perhaps people running stable/14 might find this message useful.
>
> Hmm, works for me on main and stable/14.
>
> > So... I noticed this for (precisely) one of the five machines I have
> > that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> > usual.
> >
> > In the failing case, it seems that
> >
> > sysctl security.mac.version
> >
> > yielded
> >
> > sysctl: unknown oid 'security.mac.version'
>
> I only get this if I build a kernel without "options MAC". But in this
> no mac_* kernel modules are built and ntpd fails with:
>
> Starting ntpd.
> daemon control: got EOF
> /etc/rc.d/ntpd: WARNING: failed to start ntpd
In this case, you'll find something like
Need MAC 'ntpd' policy enabled to drop root privileges
daemon child exited with code 255
in ntpd logfile (/var/db/ntpd.log in my case, but
possibly /var/log/messages by default).
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Tue Mar 11 15:13:51 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBy2p5LF0z5qgw3
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 15:13:54 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBy2p33K7z3QJN
for <stable@freebsd.org>; Tue, 11 Mar 2025 15:13:54 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227])
by cmsmtp with ESMTPS
id ry5RtiCGn9JM2s1Intn2kh; Tue, 11 Mar 2025 15:13:53 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s1IltavTGJhBPs1Imt3Lob; Tue, 11 Mar 2025 15:13:53 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=QY3Fvdbv c=1 sm=1 tr=0 ts=67d05331
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=Vs1iUdzkB0EA:10 a=XldT38RWNwACPDQzwzUA:9 a=f39HIs4JDXVEJcu8Dj0A:9
a=CjuIK1q_8ugA:10 a=eHom-uw3n_oC2quLK6MA:9 a=De_Ol2h6w80A:10 a=6I5d2MoRAAAA:8
a=EkcXrb_YAAAA:8 a=YxBL1-UpAAAA:8 a=ics_IjAVWSmO8OVX31YA:9 a=BOg4e644cxQA:10
a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 4F96E1C1;
Tue, 11 Mar 2025 08:13:51 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 1D9B4B0; Tue, 11 Mar 2025 08:13:51 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Tue, 11 Mar 2025 01:12:57 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: multipart/mixed ;
boundary="==_Exmh_1741705954_68210"
Date: Tue, 11 Mar 2025 08:13:51 -0700
Message-Id: <20250311151351.1D9B4B0@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfNhOXnQq4liDGV0gX9kCR0QlCTjuWUIls8igcEB9wgapkWME/GwvzLkbGsLeTbfX6A1t5drXcBQ8msG5aT3EoTMpG36xJVAnjiNUIVRyq2NRVV0HpDsd
kLOyqTkG9ohvA3e+pnVZHdzipbzG4iJWV2z5rrKhNGuSxQvdP36F2jaRGWqUdOSY4ghUtDiLKK7AnJffoy2DWb7AlJVYWnyVdt4jFGEDu1XlwSNSvXoy+7hA
aGpD8ydQ4R0+7bKEfEtn6NW1uv8/sePKBHNOR+2GRjY=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZBy2p33K7z3QJN
X-Spamd-Bar: ----
This is a multipart MIME message.
--==_Exmh_1741705954_68210
Content-Type: text/plain; charset=us-ascii
In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Mon, 10 Mar 2025 16:37:58 +0100
> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
>
> > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > >
> > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > Hello List Subscirbers,
> > > >
> > > > in the past the module was loaded automatically upon NTPD server startu
> p.
> > > > It's no longer true, now it has to be loaded earlier.
> > > > Perhaps people running stable/14 might find this message useful.
> >
> > Hmm, works for me on main and stable/14.
> >
> > > So... I noticed this for (precisely) one of the five machines I have
> > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> > > usual.
> > >
> > > In the failing case, it seems that
> > >
> > > sysctl security.mac.version
> > >
> > > yielded
> > >
> > > sysctl: unknown oid 'security.mac.version'
> >
> > I only get this if I build a kernel without "options MAC". But in this
> > no mac_* kernel modules are built and ntpd fails with:
> >
> > Starting ntpd.
> > daemon control: got EOF
> > /etc/rc.d/ntpd: WARNING: failed to start ntpd
>
> In this case, you'll find something like
> Need MAC 'ntpd' policy enabled to drop root privileges
> daemon child exited with code 255
> in ntpd logfile (/var/db/ntpd.log in my case, but
> possibly /var/log/messages by default).
I don't understand why some systems (those in this thread) have a problem
not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
like to try to understand the differences between those that work and those
that don't.
First of all, the ntpd rc script bails without saying why when it
encounters a problem. can_run_nonroot() simply returns a bad return code
leaving us to wonder why.
The first order of business is to produce a patch to indicate why it
bails. Please apply the attached patch and let me know where it fails.
Messages will be printed to stderr and to /var/log/messages (assuming
daemon.err is sent there).
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
--==_Exmh_1741705954_68210
Content-Type: text/plain ; name="ntp.diff"; charset=us-ascii
Content-Description: ntp.diff
diff --git a/libexec/rc/rc.d/ntpd b/libexec/rc/rc.d/ntpd
index 8babda09455c..223b92a1ddc4 100755
--- a/libexec/rc/rc.d/ntpd
+++ b/libexec/rc/rc.d/ntpd
@@ -45,6 +45,7 @@ can_run_nonroot()
{
# If the admin set what uid to use, we don't change it.
if [ -n "${ntpd_user}" ]; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "user ${ntpd_user} is not found, exiting"
return 1
fi
@@ -54,6 +55,7 @@ can_run_nonroot()
*-f* | *--driftfile* | *-i* | *--jaildir* | \
*-k* | *--keyfile* | *-l* | *--logfile* | \
*-p* | *--pidfile* | *-s* | *--statsdir* )
+ logger -s -t "rc.d/ntpd" -p daemon.err "user ${ntpd_user} cannot access files listed in command line, exiting"
return 1;;
esac
@@ -66,15 +68,32 @@ can_run_nonroot()
# privileges. Detect whether MAC is compiled into the kernel, load
# the policy module if not already present, then check whether the
# policy has been disabled via tunable or sysctl.
- [ -n "$(sysctl -qn security.mac.version)" ] || return 1
- sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
- [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+ if [ -z "$(sysctl -qn security.mac.version)" ]; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "kernel does not support MAC, exiting"
+ return 1
+ fi
+ if ! sysctl -qn security.mac.ntpd >/dev/null; then
+ if ! kldload -qn mac_ntpd; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "failed to load mac_ntpd, exiting"
+ return 1
+ fi
+ fi
+ if [ ! "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ]; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "security.mac.ntpd.enabled is not enabled, exiting"
+ return 1
+ fi
# On older existing systems, the ntp dir may by owned by root, change
# it to ntpd to give the daemon create/write access to the driftfile.
if [ "$(stat -f %u ${_ntp_default_dir})" = "0" ]; then
- chown ntpd:ntpd "${_ntp_default_dir}" || return 1
- chmod 0755 "${_ntp_default_dir}" || return 1
+ if ! chown ntpd:ntpd "${_ntp_default_dir}"; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "chown ${_ntp_default_dir} failed, exiting"
+ return 1
+ fi
+ if ! chmod 0755 "${_ntp_default_dir}"; then
+ logger -s -t "rc.d/ntpd" -p daemon.err "chmod ${_ntp_default_dir} failed, exiting"
+ return 1
+ fi
logger -s -t "rc.d/ntpd" -p daemon.notice \
"${_ntp_default_dir} updated to owner ntpd:ntpd, mode 0755"
fi
--==_Exmh_1741705954_68210
Content-Type: text/plain; charset=us-ascii
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
--==_Exmh_1741705954_68210--
From nobody Tue Mar 11 16:29:07 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZBzk25Z6pz5qmQx
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 16:29:30 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZBzk21wQJz3hNL
for <stable@freebsd.org>; Tue, 11 Mar 2025 16:29:29 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52BGT8lI060483
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Tue, 11 Mar 2025 17:29:08 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741710551;
bh=Basuwd9AoYcLPn+s/k56A3NtbmtTQpXUbN2E5fgHPsQ=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=K/2E5xj/pee1Bu7ZWUBdKtvgM25VXCt4XqbJB1PmynOU66F0S/vA0HUY7PSmjj+fT
NIpFfJwuSFD/vNP2t19ImV13EhdLPHykkxR+VCnx+S172zFpm+IwEa+S0r1AKW6jMX
6bmk5e+xuWox8FZ70+u+8ka6HCv3yPybVrqHQ3xEBAHpaDPpi7IfUb8wP5TEqItvHV
1kvRpX5usmAh6+VwECAyHI43zI6CXKxl/2CnbDyv0rktaq0/3PaxEZeLTRxqqjspJl
oDJYEcD0+IJCclehPAjj1dqTG7LHkk1eeuFsbL8iTX3ejFsslfOl7tutjvmn75kCvG
Ee0dKtZSu6W2A==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
Date: Tue, 11 Mar 2025 17:29:07 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <20250311151351.1D9B4B0@slippy.cwsent.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZBzk21wQJz3hNL
X-Spamd-Bar: ----
W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
>> On Mon, 10 Mar 2025 16:37:58 +0100
>> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
>>
>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>> Hello List Subscirbers,
>>>>>
>>>>> in the past the module was loaded automatically upon NTPD server startu
>> p.
>>>>> It's no longer true, now it has to be loaded earlier.
>>>>> Perhaps people running stable/14 might find this message useful.
>>> Hmm, works for me on main and stable/14.
>>>
>>>> So... I noticed this for (precisely) one of the five machines I have
>>>> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
>>>> usual.
>>>>
>>>> In the failing case, it seems that
>>>>
>>>> sysctl security.mac.version
>>>>
>>>> yielded
>>>>
>>>> sysctl: unknown oid 'security.mac.version'
>>> I only get this if I build a kernel without "options MAC". But in this
>>> no mac_* kernel modules are built and ntpd fails with:
>>>
>>> Starting ntpd.
>>> daemon control: got EOF
>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>> In this case, you'll find something like
>> Need MAC 'ntpd' policy enabled to drop root privileges
>> daemon child exited with code 255
>> in ntpd logfile (/var/db/ntpd.log in my case, but
>> possibly /var/log/messages by default).
> I don't understand why some systems (those in this thread) have a problem
> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
> like to try to understand the differences between those that work and those
> that don't.
>
> First of all, the ntpd rc script bails without saying why when it
> encounters a problem. can_run_nonroot() simply returns a bad return code
> leaving us to wonder why.
>
> The first order of business is to produce a patch to indicate why it
> bails. Please apply the attached patch and let me know where it fails.
> Messages will be printed to stderr and to /var/log/messages (assuming
> daemon.err is sent there).
>
>> --
>> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>>
>
>
>
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
Output from the patch:
Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network Time
Foundation,
Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
public-benefit
Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
for ntp-4 are
Mar 11 17:20:35 plan-b ntpd[60113]: available at
https://www.nwtime.org/support
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file /var/log/ntp
Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
start ntpd
Debugging output from from the unpatched /etc/rc.d/ntpd:
(...)
+ echo 'Starting ntpd.'
Starting ntpd.
+ [ -n '' ]
+ _cd=''
+ _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
ntpd:ntpd'
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd'
+ _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ local _m
+ debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ umask
+ _m=0022
+
+ eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd'
+ limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd
daemon control: got EOF
+ _return=255
+ umask 0022
+ [ 255 -ne 0 ]
+ [ -z '' ]
+ return 1
+ warn 'failed to start ntpd'
+ [ -x /usr/bin/logger ]
+ logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
+ echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
/etc/rc.d/ntpd: WARNING: failed to start ntpd
+ return 1
--
Marek Zarychta
From nobody Tue Mar 11 17:13:12 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC0hp153Wz5qq1f
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 17:13:30 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC0hm4vMTz3nC9
for <stable@freebsd.org>; Tue, 11 Mar 2025 17:13:28 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=plan-b.pwste.edu.pl header.s=plan-b-mailer header.b=FNPOiZYd;
dmarc=pass (policy=quarantine) header.from=plan-b.pwste.edu.pl;
spf=pass (mx1.freebsd.org: domain of zarychtam@plan-b.pwste.edu.pl designates 2001:678:618::40 as permitted sender) smtp.mailfrom=zarychtam@plan-b.pwste.edu.pl
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52BHDCG8061304
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Tue, 11 Mar 2025 18:13:13 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741713195;
bh=BBfCggdqViWb5xSMCQJ+OeiutxU/FXPqupA28ZVVWU8=;
h=Date:Subject:From:To:Cc:References:In-Reply-To;
b=FNPOiZYdVuezg8i/k2m/vgGDDVfTWSbNGXK3EFox/UXCyyXFq/FBvf7v5RO6DFEaz
nqZosgxKv1OGUOPXWbJSIIS/jYLefjcc3BDkKxA4iSEHta6JvhfXo4XQ9yBjqFN1aZ
EqcEnF/P2cGzMAntOtco/73fedApwacbqPsjfNr/69NYf+G+a7FP0977pGh8WSO+6m
F5d/WaI894tb3yl4aaeuWbFPL0mldf78sx0MYHai34y+NtEZI55Yrizkoo027Hka61
Ml3YmgWtA1/7GpQ7suYQ8zBtcZ87ufNGe+IECV4eSETwUrnCoY96SAxzqPnpYnimK2
3+oUZzmiFDd8w==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
Date: Tue, 11 Mar 2025 18:13:12 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
Content-Language: en-US
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spamd-Result: default: False [-1.09 / 15.00];
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE(1.00)[];
NEURAL_HAM_LONG(-0.97)[-0.974];
NEURAL_HAM_SHORT(-0.67)[-0.668];
URIBL_RED(0.50)[dec.sakura.ne.jp:email];
RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
NEURAL_HAM_MEDIUM(-0.34)[-0.343];
R_DKIM_ALLOW(-0.20)[plan-b.pwste.edu.pl:s=plan-b-mailer];
RCVD_IN_DNSWL_MED(-0.20)[2001:678:618::40:from];
ONCE_RECEIVED(0.20)[];
BAD_REP_POLICIES(0.10)[];
HAS_ANON_DOMAIN(0.10)[];
MIME_GOOD(-0.10)[text/plain];
DKIM_TRACE(0.00)[plan-b.pwste.edu.pl:+];
MIME_TRACE(0.00)[0:+];
RCPT_COUNT_THREE(0.00)[4];
RCVD_TLS_ALL(0.00)[];
DMARC_POLICY_ALLOW(0.00)[plan-b.pwste.edu.pl,quarantine];
ARC_NA(0.00)[];
RCVD_COUNT_ONE(0.00)[1];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL];
TO_MATCH_ENVRCPT_SOME(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
FROM_HAS_DN(0.00)[];
TO_DN_SOME(0.00)[];
MLMMJ_DEST(0.00)[stable@freebsd.org];
R_SPF_ALLOW(0.00)[+mx];
MID_RHS_MATCH_FROM(0.00)[];
RCVD_VIA_SMTP_AUTH(0.00)[];
HAS_XAW(0.00)[]
X-Rspamd-Queue-Id: 4ZC0hm4vMTz3nC9
X-Spamd-Bar: -
W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
>> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
>> Tomoaki
>> AOKI writes:
>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
>>>
>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>> Hello List Subscirbers,
>>>>>>
>>>>>> in the past the module was loaded automatically upon NTPD server
>>>>>> startu
>>> p.
>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>> Perhaps people running stable/14 might find this message useful.
>>>> Hmm, works for me on main and stable/14.
>>>>
>>>>> So... I noticed this for (precisely) one of the five machines I have
>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
>>>>> automagically as
>>>>> usual.
>>>>>
>>>>> In the failing case, it seems that
>>>>>
>>>>> Â Â Â Â sysctl security.mac.version
>>>>>
>>>>> yielded
>>>>>
>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
>>>> I only get this if I build a kernel without "options MAC". But in this
>>>> no mac_* kernel modules are built and ntpd fails with:
>>>>
>>>> Starting ntpd.
>>>> daemon control: got EOF
>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>> In this case, you'll find something like
>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
>>> Â Â daemon child exited with code 255
>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>> possibly /var/log/messages by default).
>> I don't understand why some systems (those in this thread) have a
>> problem
>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
>> fine. I'd
>> like to try to understand the differences between those that work and
>> those
>> that don't.
>>
>> First of all, the ntpd rc script bails without saying why when it
>> encounters a problem. can_run_nonroot() simply returns a bad return code
>> leaving us to wonder why.
>>
>> The first order of business is to produce a patch to indicate why it
>> bails. Please apply the attached patch and let me know where it fails.
>> Messages will be printed to stderr and to /var/log/messages (assuming
>> daemon.err is sent there).
>>
>>> --
>>> Tomoaki AOKIÂ Â Â <junchoon@dec.sakura.ne.jp>
>>>
>>
>>
>>
>> Cheers,
>> Cy Schubert <Cy.Schubert@cschubert.com>
>> FreeBSD UNIX:Â <cy@FreeBSD.org>Â Â Web: https://FreeBSD.org
>> NTP:Â Â Â Â Â Â Â Â Â Â <cy@nwtime.org>Â Â Â Web:Â https://nwtime.org
>>
>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
>
> Output from the patch:
>
> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> Mar 11 17:20:35 plan-b ntpd[60113]:
> ----------------------------------------------------
> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
> Time Foundation,
> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
> public-benefit
> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
> for ntp-4 are
> Mar 11 17:20:35 plan-b ntpd[60113]: available at
> https://www.nwtime.org/support
> Mar 11 17:20:35 plan-b ntpd[60113]:
> ----------------------------------------------------
> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
> /var/log/ntp
> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
> start ntpd
>
> Debugging output from from the unpatched /etc/rc.d/ntpd:
>
> (...)
>
> + echo 'Starting ntpd.'
> Starting ntpd.
> + [ -n '' ]
> + _cd=''
> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
> ntpd:ntpd'
> + [ -n '' ]
> + [ -n '' ]
> + [ -n '' ]
> + [ -n '' ]
> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
> -c /etc/ntp.conf -u ntpd:ntpd'
> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + local _m
> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> + umask
> + _m=0022
> +
> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> /etc/ntp.conf -u ntpd:ntpd'
> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> /etc/ntp.conf -u ntpd:ntpd
> daemon control: got EOF
> + _return=255
> + umask 0022
> + [ 255 -ne 0 ]
> + [ -z '' ]
> + return 1
> + warn 'failed to start ntpd'
> + [ -x /usr/bin/logger ]
> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> + return 1
>
The real problem is here:
+ [ -n '' ]
+ local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir'
+ grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
+ return 1
To reproduce: use config matching the regex from the above, for example
add line:
logfile /var/log/ntp.log
to the ntp.conf
15-CURRENT is also affected this way. That's a bit odd that nobody
reported it yet.
Problems made by can_run_nonroot function can be fixed by removing lines
60-64 from the starting script.
https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
Cheers
--
Marek Zarychta
From nobody Tue Mar 11 17:20:36 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC0s36l6zz5qq8K
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 17:20:39 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC0s34fGFz3pVb
for <stable@freebsd.org>; Tue, 11 Mar 2025 17:20:39 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183])
by cmsmtp with ESMTPS
id rwtQtiA8O9JM2s3HTtrLIQ; Tue, 11 Mar 2025 17:20:39 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s3HRtXipOWbOas3HRtidFb; Tue, 11 Mar 2025 17:20:39 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=Q5lx4J2a c=1 sm=1 tr=0 ts=67d070e7
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=NEAV23lmAAAA:8 a=YxBL1-UpAAAA:8 a=QHYmViodwV5IyVJEpTUA:9 a=3ZKOabzyN94A:10
a=QEXdDO2ut3YA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id A10709C;
Tue, 11 Mar 2025 10:20:36 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 97C0C10F; Tue, 11 Mar 2025 10:20:36 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl> <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
Comments: In-reply-to Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
message dated "Tue, 11 Mar 2025 18:13:12 +0100."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Date: Tue, 11 Mar 2025 10:20:36 -0700
Message-Id: <20250311172036.97C0C10F@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfP1I6/Tm3PbVlpTbAoiveqKr4YiluHDhfCmc5wP7k20QuzwAKv8Uj7eORXJWEwgBJpAc+7Tk0/J8Dv5xWT6/nd+R0NDFSoTi+8heFDffWB/huSC9MXeh
ZJrCrqcrfpmSC91kutyAMve8hfdhgBTiAQTtsGFS5Q4T7A9GG0b9rnuNlTaaoZKN32Q6iB7BQaSCTQaSWBsR0R9HZvNHcG+R1VwP1ZXDYwI7TpDtI+uhYI41
BOljON/U/+krX1KPPk3G4bP4wJ6rttArl52XFiOHZ2oz6ZaNa6tcqsNwKZEJwBq1Uzkd1tiiRpEkVA0e3oPejA==
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC0s34fGFz3pVb
X-Spamd-Bar: ----
In message <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
Marek Za
rychta writes:
> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
> > W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
> >> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> >> Tomoaki
> >> AOKI writes:
> >>> On Mon, 10 Mar 2025 16:37:58 +0100
> >>> "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> >>>
> >>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> >>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> >>>>>> Hello List Subscirbers,
> >>>>>>
> >>>>>> in the past the module was loaded automatically upon NTPD server
> >>>>>> startu
> >>> p.
> >>>>>> It's no longer true, now it has to be loaded earlier.
> >>>>>> Perhaps people running stable/14 might find this message useful.
> >>>> Hmm, works for me on main and stable/14.
> >>>>
> >>>>> So... I noticed this for (precisely) one of the five machines I have
> >>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
> >>>>> automagically as
> >>>>> usual.
> >>>>>
> >>>>> In the failing case, it seems that
> >>>>>
> >>>>> Â Â Â Â sysctl security.mac.version
> >>>>>
> >>>>> yielded
> >>>>>
> >>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
> >>>> I only get this if I build a kernel without "options MAC". But in this
> >>>> no mac_* kernel modules are built and ntpd fails with:
> >>>>
> >>>> Starting ntpd.
> >>>> daemon control: got EOF
> >>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>> In this case, you'll find something like
> >>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
> >>> Â Â daemon child exited with code 255
> >>> in ntpd logfile (/var/db/ntpd.log in my case, but
> >>> possibly /var/log/messages by default).
> >> I don't understand why some systems (those in this thread) have a
> >> problem
> >> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
> >> fine. I'd
> >> like to try to understand the differences between those that work and
> >> those
> >> that don't.
> >>
> >> First of all, the ntpd rc script bails without saying why when it
> >> encounters a problem. can_run_nonroot() simply returns a bad return code
> >> leaving us to wonder why.
> >>
> >> The first order of business is to produce a patch to indicate why it
> >> bails. Please apply the attached patch and let me know where it fails.
> >> Messages will be printed to stderr and to /var/log/messages (assuming
> >> daemon.err is sent there).
> >>
> >>> --
> >>> Tomoaki AOKIÂ Â Â <junchoon@dec.sakura.ne.jp>
> >>>
> >>
> >>
> >>
> >> Cheers,
> >> Cy Schubert <Cy.Schubert@cschubert.com>
> >> FreeBSD UNIX:Â <cy@FreeBSD.org>Â Â Web: https://FreeBSD.org
> >> NTP:Â Â Â Â Â Â Â Â Â Â <cy@nwtime.org>Â Â Â Web:Â https://nwtime.org
> >>
> >> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
> >
> > Output from the patch:
> >
> > Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> > Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
> > /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> > Mar 11 17:20:35 plan-b ntpd[60113]:
> > ----------------------------------------------------
> > Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
> > Time Foundation,
> > Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
> > public-benefit
> > Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
> > for ntp-4 are
> > Mar 11 17:20:35 plan-b ntpd[60113]: available at
> > https://www.nwtime.org/support
> > Mar 11 17:20:35 plan-b ntpd[60113]:
> > ----------------------------------------------------
> > Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
> > /var/log/ntp
> > Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> > Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
> > start ntpd
> >
> > Debugging output from from the unpatched /etc/rc.d/ntpd:
> >
> > (...)
> >
> > + echo 'Starting ntpd.'
> > Starting ntpd.
> > + [ -n '' ]
> > + _cd=''
> > + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
> > ntpd:ntpd'
> > + [ -n '' ]
> > + [ -n '' ]
> > + [ -n '' ]
> > + [ -n '' ]
> > + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
> > -c /etc/ntp.conf -u ntpd:ntpd'
> > + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
> > /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> > + local _m
> > + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
> > /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> > + umask
> > + _m=0022
> > +
> > + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> > /etc/ntp.conf -u ntpd:ntpd'
> > + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> > /etc/ntp.conf -u ntpd:ntpd
> > daemon control: got EOF
> > + _return=255
> > + umask 0022
> > + [ 255 -ne 0 ]
> > + [ -z '' ]
> > + return 1
> > + warn 'failed to start ntpd'
> > + [ -x /usr/bin/logger ]
> > + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> > + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > + return 1
> >
>
> The real problem is here:
> + [ -n '' ]
> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> \t]*logfile|^[ \t]*statsdir'
> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
> + return 1
>
> To reproduce: use config matching the regex from the above, for example
> add line:
>
> logfile /var/log/ntp.log
>
> to the ntp.conf
>
> 15-CURRENT is also affected this way. That's a bit odd that nobody
> reported it yet.
>
> Problems made by can_run_nonroot function can be fixed by removing lines
> 60-64 from the starting script.
>
> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
What is in your ntpd_config in rc.conf?
>
>
> Cheers
>
> --
> Marek Zarychta
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 17:25:03 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC0yR4FTLz5qq76
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 17:25:19 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC0yQ6k4lz3qtS
for <stable@freebsd.org>; Tue, 11 Mar 2025 17:25:18 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52BHP3MK061348
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Tue, 11 Mar 2025 18:25:04 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741713904;
bh=gOh+rH6ladCtfPdTJOnPfXrHA8WtdugEyfdfrMCwd+M=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=Zrg7m3FmjZ6hF1gFF3+FDjppRGEYh/CVZN34Xhphx8T5zwKb3Ps9bnGmrRHlN+fXO
jUMMn2XWDllLHM/paLenAQgcLbxPNB721CdiZimtZBkVYoCuBMzl9gNzi67GP6JIC9
q1SoDUYYqKz+mSGoe11RFYU/rlcqTeyVMsmxwTSdZzJw/PQc6H27ZMIJ9ceHw86Vzt
D5yTSLRvIXBvKmVApcfsJxsfAn8orMo6UsohJErrnDrrAjGfiRmcN2xTRtcNcitVLx
zgX2X+8wyxZ8ny8PELusyhfXp/QB9pVjpAzDEb9NZFIK73MPlb3rlURSCO4/OphPZM
qUvNoXZUIUzWQ==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Content-Type: multipart/alternative;
boundary="------------AE7s5oJnhOW0uW76c0IQR0yC"
Message-ID: <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>
Date: Tue, 11 Mar 2025 18:25:03 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
<20250311172036.97C0C10F@slippy.cwsent.com>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <20250311172036.97C0C10F@slippy.cwsent.com>
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZC0yQ6k4lz3qtS
X-Spamd-Bar: ----
This is a multi-part message in MIME format.
--------------AE7s5oJnhOW0uW76c0IQR0yC
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
> In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
> Marek Za
> rychta writes:
>> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
>>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
>>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
>>>> Tomoaki
>>>> AOKI writes:
>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
>>>>>
>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>>>> Hello List Subscirbers,
>>>>>>>>
>>>>>>>> in the past the module was loaded automatically upon NTPD server
>>>>>>>> startu
>>>>> p.
>>>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>> Hmm, works for me on main and stable/14.
>>>>>>
>>>>>>> So... I noticed this for (precisely) one of the five machines I have
>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
>>>>>>> automagically as
>>>>>>> usual.
>>>>>>>
>>>>>>> In the failing case, it seems that
>>>>>>>
>>>>>>> Â Â Â Â sysctl security.mac.version
>>>>>>>
>>>>>>> yielded
>>>>>>>
>>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
>>>>>> I only get this if I build a kernel without "options MAC". But in this
>>>>>> no mac_* kernel modules are built and ntpd fails with:
>>>>>>
>>>>>> Starting ntpd.
>>>>>> daemon control: got EOF
>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>> In this case, you'll find something like
>>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
>>>>> Â Â daemon child exited with code 255
>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>>>> possibly /var/log/messages by default).
>>>> I don't understand why some systems (those in this thread) have a
>>>> problem
>>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
>>>> fine. I'd
>>>> like to try to understand the differences between those that work and
>>>> those
>>>> that don't.
>>>>
>>>> First of all, the ntpd rc script bails without saying why when it
>>>> encounters a problem. can_run_nonroot() simply returns a bad return code
>>>> leaving us to wonder why.
>>>>
>>>> The first order of business is to produce a patch to indicate why it
>>>> bails. Please apply the attached patch and let me know where it fails.
>>>> Messages will be printed to stderr and to /var/log/messages (assuming
>>>> daemon.err is sent there).
>>>>
>>>>> --
>>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
>>>>>
>>>>
>>>>
>>>> Cheers,
>>>> Cy Schubert<Cy.Schubert@cschubert.com>
>>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
>>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
>>>>
>>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
>>> Output from the patch:
>>>
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>> ----------------------------------------------------
>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
>>> Time Foundation,
>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
>>> public-benefit
>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
>>> for ntp-4 are
>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
>>> https://www.nwtime.org/support
>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>> ----------------------------------------------------
>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
>>> /var/log/ntp
>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
>>> start ntpd
>>>
>>> Debugging output from from the unpatched /etc/rc.d/ntpd:
>>>
>>> (...)
>>>
>>> + echo 'Starting ntpd.'
>>> Starting ntpd.
>>> + [ -n '' ]
>>> + _cd=''
>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
>>> ntpd:ntpd'
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + [ -n '' ]
>>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
>>> -c /etc/ntp.conf -u ntpd:ntpd'
>>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + local _m
>>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>> + umask
>>> + _m=0022
>>> +
>>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>>> /etc/ntp.conf -u ntpd:ntpd'
>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>>> /etc/ntp.conf -u ntpd:ntpd
>>> daemon control: got EOF
>>> + _return=255
>>> + umask 0022
>>> + [ 255 -ne 0 ]
>>> + [ -z '' ]
>>> + return 1
>>> + warn 'failed to start ntpd'
>>> + [ -x /usr/bin/logger ]
>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>> + return 1
>>>
>> The real problem is here:
>> + [ -n '' ]
>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>> \t]*logfile|^[ \t]*statsdir'
>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
>> + return 1
>>
>> To reproduce: use config matching the regex from the above, for example
>> add line:
>>
>> logfile /var/log/ntp.log
>>
>> to the ntp.conf
>>
>> 15-CURRENT is also affected this way. That's a bit odd that nobody
>> reported it yet.
>>
>> Problems made by can_run_nonroot function can be fixed by removing lines
>> 60-64 from the starting script.
>>
>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
> What is in your ntpd_config in rc.conf?
# grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
/etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
configuration file
--
Marek Zarychta
--------------AE7s5oJnhOW0uW76c0IQR0yC
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">W dniu 11.03.2025 o 18:20, Cy Schubert
pisze:<br>
</div>
<blockquote type="cite"
cite="mid:20250311172036.97C0C10F@slippy.cwsent.com">
<pre wrap="" class="moz-quote-pre">In message <a class="moz-txt-link-rfc2396E" href="mailto:f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl"><f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl></a>,
Marek Za
rychta writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">In message <a class="moz-txt-link-rfc2396E" href="mailto:20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp"><20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp></a>,
Tomoaki
AOKI writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, 10 Mar 2025 16:37:58 +0100
"Herbert J. Skuhra" <a class="moz-txt-link-rfc2396E" href="mailto:herbert@gojira.at"><herbert@gojira.at></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">Hello List Subscirbers,
in the past the module was loaded automatically upon NTPD server
startu
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">p.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">It's no longer true, now it has to be loaded earlier.
Perhaps people running stable/14 might find this message useful.
</pre>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">Hmm, works for me on main and stable/14.
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">So... I noticed this for (precisely) one of the five machines I have
that track stable/14 -- the other 4 get mac_ntpd loaded
automagically as
usual.
In the failing case, it seems that
    sysctl security.mac.version
yielded
    sysctl: unknown oid 'security.mac.version'
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I only get this if I build a kernel without "options MAC". But in this
no mac_* kernel modules are built and ntpd fails with:
Starting ntpd.
daemon control: got EOF
/etc/rc.d/ntpd: WARNING: failed to start ntpd
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">In this case, you'll find something like
  Need MAC 'ntpd' policy enabled to drop root privileges
  daemon child exited with code 255
in ntpd logfile (/var/db/ntpd.log in my case, but
possibly /var/log/messages by default).
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I don't understand why some systems (those in this thread) have a
problem
not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
fine. I'd
like to try to understand the differences between those that work and
those
that don't.
First of all, the ntpd rc script bails without saying why when it
encounters a problem. can_run_nonroot() simply returns a bad return code
leaving us to wonder why.
The first order of business is to produce a patch to indicate why it
bails. Please apply the attached patch and let me know where it fails.
Messages will be printed to stderr and to /var/log/messages (assuming
daemon.err is sent there).
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">--
Tomoaki AOKIÂ Â Â <a class="moz-txt-link-rfc2396E" href="mailto:junchoon@dec.sakura.ne.jp"><junchoon@dec.sakura.ne.jp></a>
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Cheers,
Cy Schubert <a class="moz-txt-link-rfc2396E" href="mailto:Cy.Schubert@cschubert.com"><Cy.Schubert@cschubert.com></a>
FreeBSD UNIX:Â <a class="moz-txt-link-rfc2396E" href="mailto:cy@FreeBSD.org"><cy@FreeBSD.org></a>Â Â Web: <a class="moz-txt-link-freetext" href="https://FreeBSD.org">https://FreeBSD.org</a>
NTP:Â Â Â Â Â Â Â Â Â Â <a class="moz-txt-link-rfc2396E" href="mailto:cy@nwtime.org"><cy@nwtime.org></a>Â Â Â Web:Â <a class="moz-txt-link-freetext" href="https://nwtime.org">https://nwtime.org</a>
           e^(i*pi)+1=0
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Output from the patch:
Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
Time Foundation,
Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
public-benefit
Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
for ntp-4 are
Mar 11 17:20:35 plan-b ntpd[60113]: available at
<a class="moz-txt-link-freetext" href="https://www.nwtime.org/support">https://www.nwtime.org/support</a>
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
/var/log/ntp
Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
start ntpd
Debugging output from from the unpatched /etc/rc.d/ntpd:
(...)
+ echo 'Starting ntpd.'
Starting ntpd.
+ [ -n '' ]
+ _cd=''
+ _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
ntpd:ntpd'
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
-c /etc/ntp.conf -u ntpd:ntpd'
+ _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ local _m
+ debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ umask
+ _m=0022
+
+ eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd'
+ limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd
daemon control: got EOF
+ _return=255
+ umask 0022
+ [ 255 -ne 0 ]
+ [ -z '' ]
+ return 1
+ warn 'failed to start ntpd'
+ [ -x /usr/bin/logger ]
+ logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
+ echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
/etc/rc.d/ntpd: WARNING: failed to start ntpd
+ return 1
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
The real problem is here:
+ [ -n '' ]
+ local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir'
+ grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
+ return 1
To reproduce: use config matching the regex from the above, for example
add line:
logfile /var/log/ntp.log
to the ntp.conf
15-CURRENT is also affected this way. That's a bit odd that nobody
reported it yet.
Problems made by can_run_nonroot function can be fixed by removing lines
60-64 from the starting script.
<a class="moz-txt-link-freetext" href="https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63">https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63</a>
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
What is in your ntpd_config in rc.conf?</pre>
</blockquote>
# grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf<br>
/etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
configuration file<span style="white-space: pre-wrap">
</span>
<pre class="moz-signature" cols="72">--
Marek Zarychta</pre>
</body>
</html>
--------------AE7s5oJnhOW0uW76c0IQR0yC--
From nobody Tue Mar 11 18:02:24 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC1nH1n4Wz5qsLc
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 18:02:27 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC1nG6BH8z3wZZ
for <stable@freebsd.org>; Tue, 11 Mar 2025 18:02:26 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183])
by cmsmtp with ESMTPS
id rwtQtiA8O9JM2s3vutsWA6; Tue, 11 Mar 2025 18:02:26 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s3vttXu9vWbOas3vttijVo; Tue, 11 Mar 2025 18:02:26 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=Q5lx4J2a c=1 sm=1 tr=0 ts=67d07ab2
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=NEAV23lmAAAA:8 a=YxBL1-UpAAAA:8 a=W-lFs85HALtcq_ziPWoA:9 a=3ZKOabzyN94A:10
a=QEXdDO2ut3YA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id A5EBEDF;
Tue, 11 Mar 2025 11:02:24 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 9C1ED289; Tue, 11 Mar 2025 11:02:24 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl> <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl> <20250311172036.97C0C10F@slippy.cwsent.com> <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>
Comments: In-reply-to Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
message dated "Tue, 11 Mar 2025 18:25:03 +0100."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Date: Tue, 11 Mar 2025 11:02:24 -0700
Message-Id: <20250311180224.9C1ED289@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfOHZrhVN8pdztWlSNeizrsRToR/qHS1MGmVJKD8kAcwRQkbu1wjoRr8kmcYT/EGQN+hBNoce4eikV5jBKxoAwyGqhenvo7HFZc5MoC+4PEljMYkdAGMi
9AYlfUVtjEw/ts8SW+t6wmtGauM4I/WIgWRib/Hdues6Q0mMiJcUTBZsQ7Z87MExURNRHVuYf3itBDMy19X7vBdQkBpjoRoKoHd3D5kT+zRDUgtGrU6fhfrp
9dvT+r9EZQ7oKcysoHSVt+IlRZhLl9QWYamwfL9dCMHWDSh22OuYfoT2J8FXSEQyHErf7cTa9r/k3vnqKjo15w==
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC1nG6BH8z3wZZ
X-Spamd-Bar: ----
In message <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>,
Marek Za
rychta writes:
> This is a multi-part message in MIME format.
> --------------AE7s5oJnhOW0uW76c0IQR0yC
> Content-Type: text/plain; charset=UTF-8; format=flowed
> Content-Transfer-Encoding: 8bit
>
> W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
> > In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
> > Marek Za
> > rychta writes:
> >> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
> >>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
> >>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> >>>> Tomoaki
> >>>> AOKI writes:
> >>>>> On Mon, 10 Mar 2025 16:37:58 +0100
> >>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
> >>>>>
> >>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> >>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> >>>>>>>> Hello List Subscirbers,
> >>>>>>>>
> >>>>>>>> in the past the module was loaded automatically upon NTPD server
> >>>>>>>> startu
> >>>>> p.
> >>>>>>>> It's no longer true, now it has to be loaded earlier.
> >>>>>>>> Perhaps people running stable/14 might find this message useful.
> >>>>>> Hmm, works for me on main and stable/14.
> >>>>>>
> >>>>>>> So... I noticed this for (precisely) one of the five machines I have
> >>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
> >>>>>>> automagically as
> >>>>>>> usual.
> >>>>>>>
> >>>>>>> In the failing case, it seems that
> >>>>>>>
> >>>>>>> Â Â Â Â sysctl security.mac.version
> >>>>>>>
> >>>>>>> yielded
> >>>>>>>
> >>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
> >>>>>> I only get this if I build a kernel without "options MAC". But in this
> >>>>>> no mac_* kernel modules are built and ntpd fails with:
> >>>>>>
> >>>>>> Starting ntpd.
> >>>>>> daemon control: got EOF
> >>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>>>> In this case, you'll find something like
> >>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
> >>>>> Â Â daemon child exited with code 255
> >>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
> >>>>> possibly /var/log/messages by default).
> >>>> I don't understand why some systems (those in this thread) have a
> >>>> problem
> >>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
> >>>> fine. I'd
> >>>> like to try to understand the differences between those that work and
> >>>> those
> >>>> that don't.
> >>>>
> >>>> First of all, the ntpd rc script bails without saying why when it
> >>>> encounters a problem. can_run_nonroot() simply returns a bad return code
> >>>> leaving us to wonder why.
> >>>>
> >>>> The first order of business is to produce a patch to indicate why it
> >>>> bails. Please apply the attached patch and let me know where it fails.
> >>>> Messages will be printed to stderr and to /var/log/messages (assuming
> >>>> daemon.err is sent there).
> >>>>
> >>>>> --
> >>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
> >>>>>
> >>>>
> >>>>
> >>>> Cheers,
> >>>> Cy Schubert<Cy.Schubert@cschubert.com>
> >>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
> >>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
> >>>>
> >>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
> >>> Output from the patch:
> >>>
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
> >>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> >>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>> ----------------------------------------------------
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
> >>> Time Foundation,
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
> >>> public-benefit
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
> >>> for ntp-4 are
> >>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
> >>> https://www.nwtime.org/support
> >>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>> ----------------------------------------------------
> >>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
> >>> /var/log/ntp
> >>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> >>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
> >>> start ntpd
> >>>
> >>> Debugging output from from the unpatched /etc/rc.d/ntpd:
> >>>
> >>> (...)
> >>>
> >>> + echo 'Starting ntpd.'
> >>> Starting ntpd.
> >>> + [ -n '' ]
> >>> + _cd=''
> >>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
> >>> ntpd:ntpd'
> >>> + [ -n '' ]
> >>> + [ -n '' ]
> >>> + [ -n '' ]
> >>> + [ -n '' ]
> >>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
> >>> -c /etc/ntp.conf -u ntpd:ntpd'
> >>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
> >>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>> + local _m
> >>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
> >>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>> + umask
> >>> + _m=0022
> >>> +
> >>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> >>> /etc/ntp.conf -u ntpd:ntpd'
> >>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> >>> /etc/ntp.conf -u ntpd:ntpd
> >>> daemon control: got EOF
> >>> + _return=255
> >>> + umask 0022
> >>> + [ 255 -ne 0 ]
> >>> + [ -z '' ]
> >>> + return 1
> >>> + warn 'failed to start ntpd'
> >>> + [ -x /usr/bin/logger ]
> >>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>> + return 1
> >>>
> >> The real problem is here:
> >> + [ -n '' ]
> >> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >> \t]*logfile|^[ \t]*statsdir'
> >> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
> >> + return 1
> >>
> >> To reproduce: use config matching the regex from the above, for example
> >> add line:
> >>
> >> logfile /var/log/ntp.log
> >>
> >> to the ntp.conf
> >>
> >> 15-CURRENT is also affected this way. That's a bit odd that nobody
> >> reported it yet.
> >>
> >> Problems made by can_run_nonroot function can be fixed by removing lines
> >> 60-64 from the starting script.
> >>
> >> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
> > What is in your ntpd_config in rc.conf?
> # grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
> /etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
> configuration file
Without the patch I replied with, we're back to guessing. Yet, every feels
the problem is in a different part of the rc script.
The mystery is why are all my instances (13, 14, 15) working and yours not?
I have reverted the commit. A rewrite of the rc script will be required in
order to implement ntpd's chroot.
>
> --
> Marek Zarychta
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 18:27:29 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC2Lk3L8Qz5qv0l
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 18:27:58 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC2Lj6P3Zz40qv
for <stable@freebsd.org>; Tue, 11 Mar 2025 18:27:57 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52BIRTpt061697
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Tue, 11 Mar 2025 19:27:30 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741717655;
bh=StvThHbITo6tm4rVzWFc2k/hmo9fwETkBVwASlpBLng=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=oMYisMMDBMx1mxkiYLdgYNCWzYA7QZRGeK0alYqm+NE4t9MkX1fJikdvRxiTl8b5b
bLxkwWmDFFEnGfp0JKjXzLN2HYVUwGwEt1C4qE5sqpxaVUTM6Qabea1W2Jk/3x03Le
jHglDAiE1hvDa7TSem5WBECKrJA2MET/pOfJpLRUFUPFgpI38OJyo+cPMf9waPMSPI
V1CJOtCSLHe1MbxZpJHAbtAeyWDHxSzVJ1ym+ANJWmVc9CeLZtnF6cfJSeuSfcp0Pk
f8YRFo+PC0Ng3EurbnVqub+G7JqUmAII1K0BsmDgz639J+Xv0q4a/J4aUBAEiRUbm7
+Mcs5Pr4e6s2g==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>
Date: Tue, 11 Mar 2025 19:27:29 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
<20250311172036.97C0C10F@slippy.cwsent.com>
<9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>
<20250311180224.9C1ED289@slippy.cwsent.com>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <20250311180224.9C1ED289@slippy.cwsent.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZC2Lj6P3Zz40qv
X-Spamd-Bar: ----
W dniu 11.03.2025 o 19:02, Cy Schubert pisze:
> In message <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>,
> Marek Za
> rychta writes:
>> This is a multi-part message in MIME format.
>> --------------AE7s5oJnhOW0uW76c0IQR0yC
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>> Content-Transfer-Encoding: 8bit
>>
>> W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
>>> In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
>>> Marek Za
>>> rychta writes:
>>>> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
>>>>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
>>>>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
>>>>>> Tomoaki
>>>>>> AOKI writes:
>>>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>>>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
>>>>>>>
>>>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>>>>>> Hello List Subscirbers,
>>>>>>>>>>
>>>>>>>>>> in the past the module was loaded automatically upon NTPD server
>>>>>>>>>> startu
>>>>>>> p.
>>>>>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>>>> Hmm, works for me on main and stable/14.
>>>>>>>>
>>>>>>>>> So... I noticed this for (precisely) one of the five machines I have
>>>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
>>>>>>>>> automagically as
>>>>>>>>> usual.
>>>>>>>>>
>>>>>>>>> In the failing case, it seems that
>>>>>>>>>
>>>>>>>>> Â Â Â Â sysctl security.mac.version
>>>>>>>>>
>>>>>>>>> yielded
>>>>>>>>>
>>>>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
>>>>>>>> I only get this if I build a kernel without "options MAC". But in this
>>>>>>>> no mac_* kernel modules are built and ntpd fails with:
>>>>>>>>
>>>>>>>> Starting ntpd.
>>>>>>>> daemon control: got EOF
>>>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>>>> In this case, you'll find something like
>>>>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
>>>>>>> Â Â daemon child exited with code 255
>>>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>>>>>> possibly /var/log/messages by default).
>>>>>> I don't understand why some systems (those in this thread) have a
>>>>>> problem
>>>>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
>>>>>> fine. I'd
>>>>>> like to try to understand the differences between those that work and
>>>>>> those
>>>>>> that don't.
>>>>>>
>>>>>> First of all, the ntpd rc script bails without saying why when it
>>>>>> encounters a problem. can_run_nonroot() simply returns a bad return code
>>>>>> leaving us to wonder why.
>>>>>>
>>>>>> The first order of business is to produce a patch to indicate why it
>>>>>> bails. Please apply the attached patch and let me know where it fails.
>>>>>> Messages will be printed to stderr and to /var/log/messages (assuming
>>>>>> daemon.err is sent there).
>>>>>>
>>>>>>> --
>>>>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
>>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>> Cy Schubert<Cy.Schubert@cschubert.com>
>>>>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
>>>>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
>>>>>>
>>>>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
>>>>> Output from the patch:
>>>>>
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>>>> ----------------------------------------------------
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
>>>>> Time Foundation,
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
>>>>> public-benefit
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
>>>>> for ntp-4 are
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
>>>>> https://www.nwtime.org/support
>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>>>> ----------------------------------------------------
>>>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
>>>>> /var/log/ntp
>>>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
>>>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
>>>>> start ntpd
>>>>>
>>>>> Debugging output from from the unpatched /etc/rc.d/ntpd:
>>>>>
>>>>> (...)
>>>>>
>>>>> + echo 'Starting ntpd.'
>>>>> Starting ntpd.
>>>>> + [ -n '' ]
>>>>> + _cd=''
>>>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u
>>>>> ntpd:ntpd'
>>>>> + [ -n '' ]
>>>>> + [ -n '' ]
>>>>> + [ -n '' ]
>>>>> + [ -n '' ]
>>>>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
>>>>> -c /etc/ntp.conf -u ntpd:ntpd'
>>>>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>>>> + local _m
>>>>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>>>> + umask
>>>>> + _m=0022
>>>>> +
>>>>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>>>>> /etc/ntp.conf -u ntpd:ntpd'
>>>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>>>>> /etc/ntp.conf -u ntpd:ntpd
>>>>> daemon control: got EOF
>>>>> + _return=255
>>>>> + umask 0022
>>>>> + [ 255 -ne 0 ]
>>>>> + [ -z '' ]
>>>>> + return 1
>>>>> + warn 'failed to start ntpd'
>>>>> + [ -x /usr/bin/logger ]
>>>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>> + return 1
>>>>>
>>>> The real problem is here:
>>>> + [ -n '' ]
>>>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>>>> \t]*logfile|^[ \t]*statsdir'
>>>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>>>> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
>>>> + return 1
>>>>
>>>> To reproduce: use config matching the regex from the above, for example
>>>> add line:
>>>>
>>>> logfile /var/log/ntp.log
>>>>
>>>> to the ntp.conf
>>>>
>>>> 15-CURRENT is also affected this way. That's a bit odd that nobody
>>>> reported it yet.
>>>>
>>>> Problems made by can_run_nonroot function can be fixed by removing lines
>>>> 60-64 from the starting script.
>>>>
>>>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
>>> What is in your ntpd_config in rc.conf?
>> # grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
>> /etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
>> configuration file
> Without the patch I replied with, we're back to guessing. Yet, every feels
> the problem is in a different part of the rc script.
>
> The mystery is why are all my instances (13, 14, 15) working and yours not?
>
> I have reverted the commit. A rewrite of the rc script will be required in
> order to implement ntpd's chroot.
>
I don't know. It's the same bug from the beginning, but it reveals in
different ways. It looks like the early exit from can_run_nonroot
function prevented loading mac_ntpd.ko module. All affected setups in my
case had set options: logfile, keys and driftfile what is probably still
completely fine. These configs are old, but the syntax is still correct
and I believe using ntp keys or setting logfile from the config directly
shouldn't be banished.
With kind regards,
--
Marek Zarychta
From nobody Tue Mar 11 19:01:01 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC35B53d0z5qwfr
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:01:18 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3596Y78z446R
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:01:17 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52BJ12Wl096012;
Wed, 12 Mar 2025 04:01:03 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741719663;
bh=rQEE46zIImzSX3d5SdDmoM7OHEvxSU/QOqe/HkNKBr0=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=gTQeebrwb7Zgpb7p4R7KEvu0FLLnO/lS5lDY3Tq4tQ51qVkwqfplHT1OrR7c0Xr2a
C2muYcDRUwQXKEgxtDqw4TvrstB9FnjzbzWv+mCC1RAAJIhX0UEXWMqeHvZE8xQuKw
sTcjwDK+CgKbc878K68rxOvKbDkku4L2XIynOI8c=
Date: Wed, 12 Mar 2025 04:01:01 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
In-Reply-To: <20250311151351.1D9B4B0@slippy.cwsent.com>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZC3596Y78z446R
X-Spamd-Bar: ----
On Tue, 11 Mar 2025 08:13:51 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
> > On Mon, 10 Mar 2025 16:37:58 +0100
> > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> >
> > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > >
> > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > Hello List Subscirbers,
> > > > >
> > > > > in the past the module was loaded automatically upon NTPD server startu
> > p.
> > > > > It's no longer true, now it has to be loaded earlier.
> > > > > Perhaps people running stable/14 might find this message useful.
> > >
> > > Hmm, works for me on main and stable/14.
> > >
> > > > So... I noticed this for (precisely) one of the five machines I have
> > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> > > > usual.
> > > >
> > > > In the failing case, it seems that
> > > >
> > > > sysctl security.mac.version
> > > >
> > > > yielded
> > > >
> > > > sysctl: unknown oid 'security.mac.version'
> > >
> > > I only get this if I build a kernel without "options MAC". But in this
> > > no mac_* kernel modules are built and ntpd fails with:
> > >
> > > Starting ntpd.
> > > daemon control: got EOF
> > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >
> > In this case, you'll find something like
> > Need MAC 'ntpd' policy enabled to drop root privileges
> > daemon child exited with code 255
> > in ntpd logfile (/var/db/ntpd.log in my case, but
> > possibly /var/log/messages by default).
>
> I don't understand why some systems (those in this thread) have a problem
> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
> like to try to understand the differences between those that work and those
> that don't.
>
> First of all, the ntpd rc script bails without saying why when it
> encounters a problem. can_run_nonroot() simply returns a bad return code
> leaving us to wonder why.
>
> The first order of business is to produce a patch to indicate why it
> bails. Please apply the attached patch and let me know where it fails.
> Messages will be printed to stderr and to /var/log/messages (assuming
> daemon.err is sent there).
The output after patch (without loading mac_ntpd.ko manually):
Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
listed in command line, exiting
Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
See
https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
for my options related with ntpd.
>
> >
> > --
> > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Tue Mar 11 19:06:00 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC3Bg3MZsz5qx4N
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:06:03 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta004.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3Bg2Zs5z45Rx
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:06:03 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142])
by cmsmtp with ESMTPS
id s0vStHOe15Mqys4vStdJRw; Tue, 11 Mar 2025 19:06:02 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s4vQtdkYWQwcXs4vRt9e8o; Tue, 11 Mar 2025 19:06:02 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=DaW0qetW c=1 sm=1 tr=0 ts=67d0899a
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=NEAV23lmAAAA:8 a=YxBL1-UpAAAA:8 a=VM8mGfUmjFOU6-vOyj8A:9 a=3ZKOabzyN94A:10
a=QEXdDO2ut3YA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 559687B;
Tue, 11 Mar 2025 12:06:00 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 4DD4814; Tue, 11 Mar 2025 12:06:00 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl> <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl> <20250311172036.97C0C10F@slippy.cwsent.com> <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl> <20250311180224.9C1ED289@slippy.cwsent.com> <2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>
Comments: In-reply-to Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
message dated "Tue, 11 Mar 2025 19:27:29 +0100."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Date: Tue, 11 Mar 2025 12:06:00 -0700
Message-Id: <20250311190600.4DD4814@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfLMsxRI25TBDNAumXOASPAXZJzTlO23fhpcAR1/3+KO9Wy3f7G2+oNWXMMSN2HoLnEAmVcD2J+VZ6y04JcuN+Q5HZT9QwamTM5wN54d4JHgTRctuSyP8
p3bTqxTFS5cTVh/4hEO8RhfNlW/P2JZdJiQSsPo2hQMoHr6BuZYGpaMjImqLk6dFAKxf0Rsq+jFz03QNEW+w44u9R20n0zaKPn61xfl9XzYGuNcUxHZCgSXE
zw0JvWiQNjuoWpNLGt9n71r0WzzLhrYeDgFOIF5m6jqm4fF0KaPgkXr3RA+/qsvl852wS+PIDDqFMyqKQKxd9g==
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC3Bg2Zs5z45Rx
X-Spamd-Bar: ----
In message <2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>,
Marek Za
rychta writes:
> W dniu 11.03.2025 o 19:02, Cy Schubert pisze:
> > In message <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>,
> > Marek Za
> > rychta writes:
> >> This is a multi-part message in MIME format.
> >> --------------AE7s5oJnhOW0uW76c0IQR0yC
> >> Content-Type: text/plain; charset=UTF-8; format=flowed
> >> Content-Transfer-Encoding: 8bit
> >>
> >> W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
> >>> In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
> >>> Marek Za
> >>> rychta writes:
> >>>> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
> >>>>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
> >>>>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> >>>>>> Tomoaki
> >>>>>> AOKI writes:
> >>>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
> >>>>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
> >>>>>>>
> >>>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> >>>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> >>>>>>>>>> Hello List Subscirbers,
> >>>>>>>>>>
> >>>>>>>>>> in the past the module was loaded automatically upon NTPD server
> >>>>>>>>>> startu
> >>>>>>> p.
> >>>>>>>>>> It's no longer true, now it has to be loaded earlier.
> >>>>>>>>>> Perhaps people running stable/14 might find this message useful.
> >>>>>>>> Hmm, works for me on main and stable/14.
> >>>>>>>>
> >>>>>>>>> So... I noticed this for (precisely) one of the five machines I hav
> e
> >>>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
> >>>>>>>>> automagically as
> >>>>>>>>> usual.
> >>>>>>>>>
> >>>>>>>>> In the failing case, it seems that
> >>>>>>>>>
> >>>>>>>>> Â Â Â Â sysctl security.mac.version
> >>>>>>>>>
> >>>>>>>>> yielded
> >>>>>>>>>
> >>>>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
> >>>>>>>> I only get this if I build a kernel without "options MAC". But in th
> is
> >>>>>>>> no mac_* kernel modules are built and ntpd fails with:
> >>>>>>>>
> >>>>>>>> Starting ntpd.
> >>>>>>>> daemon control: got EOF
> >>>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>>>>>> In this case, you'll find something like
> >>>>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
> >>>>>>> Â Â daemon child exited with code 255
> >>>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
> >>>>>>> possibly /var/log/messages by default).
> >>>>>> I don't understand why some systems (those in this thread) have a
> >>>>>> problem
> >>>>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
> >>>>>> fine. I'd
> >>>>>> like to try to understand the differences between those that work and
> >>>>>> those
> >>>>>> that don't.
> >>>>>>
> >>>>>> First of all, the ntpd rc script bails without saying why when it
> >>>>>> encounters a problem. can_run_nonroot() simply returns a bad return co
> de
> >>>>>> leaving us to wonder why.
> >>>>>>
> >>>>>> The first order of business is to produce a patch to indicate why it
> >>>>>> bails. Please apply the attached patch and let me know where it fails.
> >>>>>> Messages will be printed to stderr and to /var/log/messages (assuming
> >>>>>> daemon.err is sent there).
> >>>>>>
> >>>>>>> --
> >>>>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
> >>>>>>>
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Cy Schubert<Cy.Schubert@cschubert.com>
> >>>>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
> >>>>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
> >>>>>>
> >>>>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
> >>>>> Output from the patch:
> >>>>>
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
> >>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>>>> ----------------------------------------------------
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
> >>>>> Time Foundation,
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
> >>>>> public-benefit
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
> >>>>> for ntp-4 are
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
> >>>>> https://www.nwtime.org/support
> >>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>>>> ----------------------------------------------------
> >>>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
> >>>>> /var/log/ntp
> >>>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> >>>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
> >>>>> start ntpd
> >>>>>
> >>>>> Debugging output from from the unpatched /etc/rc.d/ntpd:
> >>>>>
> >>>>> (...)
> >>>>>
> >>>>> + echo 'Starting ntpd.'
> >>>>> Starting ntpd.
> >>>>> + [ -n '' ]
> >>>>> + _cd=''
> >>>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -
> u
> >>>>> ntpd:ntpd'
> >>>>> + [ -n '' ]
> >>>>> + [ -n '' ]
> >>>>> + [ -n '' ]
> >>>>> + [ -n '' ]
> >>>>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
> >>>>> -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
> >>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>> + local _m
> >>>>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
> >>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>> + umask
> >>>>> + _m=0022
> >>>>> +
> >>>>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
> -c
> >>>>> /etc/ntp.conf -u ntpd:ntpd'
> >>>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> >>>>> /etc/ntp.conf -u ntpd:ntpd
> >>>>> daemon control: got EOF
> >>>>> + _return=255
> >>>>> + umask 0022
> >>>>> + [ 255 -ne 0 ]
> >>>>> + [ -z '' ]
> >>>>> + return 1
> >>>>> + warn 'failed to start ntpd'
> >>>>> + [ -x /usr/bin/logger ]
> >>>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>>>> + return 1
> >>>>>
> >>>> The real problem is here:
> >>>> + [ -n '' ]
> >>>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >>>> \t]*logfile|^[ \t]*statsdir'
> >>>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >>>> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
> >>>> + return 1
> >>>>
> >>>> To reproduce: use config matching the regex from the above, for example
> >>>> add line:
> >>>>
> >>>> logfile /var/log/ntp.log
> >>>>
> >>>> to the ntp.conf
> >>>>
> >>>> 15-CURRENT is also affected this way. That's a bit odd that nobody
> >>>> reported it yet.
> >>>>
> >>>> Problems made by can_run_nonroot function can be fixed by removing lines
> >>>> 60-64 from the starting script.
> >>>>
> >>>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L6
> 3
> >>> What is in your ntpd_config in rc.conf?
> >> # grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
> >> /etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
> >> configuration file
> > Without the patch I replied with, we're back to guessing. Yet, every feels
> > the problem is in a different part of the rc script.
> >
> > The mystery is why are all my instances (13, 14, 15) working and yours not?
> >
> > I have reverted the commit. A rewrite of the rc script will be required in
> > order to implement ntpd's chroot.
> >
> I don't know. It's the same bug from the beginning, but it reveals in
> different ways. It looks like the early exit from can_run_nonroot
> function prevented loading mac_ntpd.ko module. All affected setups in my
> case had set options: logfile, keys and driftfile what is probably still
> completely fine. These configs are old, but the syntax is still correct
> and I believe using ntp keys or setting logfile from the config directly
> shouldn't be banished.
Aside from my commit to use -u instead of su, the script hasn't changed,
except for comments, since 2022. The problem must be your config, somewhere.
Reverting the script to rely in su instead of ntpd handling setuid()
itself, though helping you now see that the commit wasn't the problem, was
needless. Patching your script with the suggested error messaging patch
would have given us clarity to the problem rather than randomly reverting
commits until it magically worked.
You need to apply the error messaging patch or we continue to *guess* what
the problem might be. Guessing is not a smart debugging strategy. Sitting
here at my desk I do not have any useful information beyond guesses.
Sorry for the rant but I've worked on software support, sysadmin, and
various development roles throughout my 50+ year career. When users provide
little to no information to go on all we are left with is to guess. Right
now my guess is that there is something wrong with your setup. Beyond that
I don't know because the only information I have is, it doesn't work for
you. And since I cannot reproduce your problem here on 15-CURRENT,
14.2-RELEASE, or 13.5-RELEASE, I have no additional visibility into your
problem.
I need data.
>
> With kind regards,
>
> --
> Marek Zarychta
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 19:08:10 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC3FB6Jlmz5qx99
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:08:14 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3FB2Ms1z46VL
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:08:14 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4002a.ext.cloudfilter.net ([10.228.9.250])
by cmsmtp with ESMTPS
id rzottiGbi9JM2s4xZtuLvm; Tue, 11 Mar 2025 19:08:13 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s4xXtTueLl5eGs4xYts1Ic; Tue, 11 Mar 2025 19:08:13 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=EO6l0EZC c=1 sm=1 tr=0 ts=67d08a1d
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=kj9zAlcOel0A:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=YxBL1-UpAAAA:8 a=vNMN55ow3BrqeX2XkccA:9 a=CjuIK1q_8ugA:10
a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id EB1C47E;
Tue, 11 Mar 2025 12:08:10 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id CA65A203; Tue, 11 Mar 2025 12:08:10 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 04:01:01 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Mar 2025 12:08:10 -0700
Message-Id: <20250311190810.CA65A203@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfJeoyxTTj6ZKaGx48DMEd/LQhhsaGRUuZRufCJO0V6v/9C6eMiEwUGjzDYbsgUhjoHFB0pi/OTG8RVZJ9Lk4Junhc4Z461bVE5AALx8gpgktVIMwD/a9
KiBzwGBa0F0NtHyhoWWiKsX9/MFtZ02zJiVfczXZUsd26gTrPPVnTQ7X+AGNao3LEfEGqJ/bCL9hxkHvM96U7bIEbPt23A7uJGmFVTNc4liZohW7kCBYfGnP
6Lr05XgafaeizJWYNRzyur1j2EzrAGaGqJy3zefTDBQ=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC3FB2Ms1z46VL
X-Spamd-Bar: ----
In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Tue, 11 Mar 2025 08:13:51 -0700
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> > Tomoaki
> > AOKI writes:
> > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > >
> > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > >
> > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > > Hello List Subscirbers,
> > > > > >
> > > > > > in the past the module was loaded automatically upon NTPD server st
> artu
> > > p.
> > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > Perhaps people running stable/14 might find this message useful.
> > > >
> > > > Hmm, works for me on main and stable/14.
> > > >
> > > > > So... I noticed this for (precisely) one of the five machines I have
> > > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically
> as
> > > > > usual.
> > > > >
> > > > > In the failing case, it seems that
> > > > >
> > > > > sysctl security.mac.version
> > > > >
> > > > > yielded
> > > > >
> > > > > sysctl: unknown oid 'security.mac.version'
> > > >
> > > > I only get this if I build a kernel without "options MAC". But in this
> > > > no mac_* kernel modules are built and ntpd fails with:
> > > >
> > > > Starting ntpd.
> > > > daemon control: got EOF
> > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > >
> > > In this case, you'll find something like
> > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > daemon child exited with code 255
> > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > possibly /var/log/messages by default).
> >
> > I don't understand why some systems (those in this thread) have a problem
> > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
>
> > like to try to understand the differences between those that work and those
>
> > that don't.
> >
> > First of all, the ntpd rc script bails without saying why when it
> > encounters a problem. can_run_nonroot() simply returns a bad return code
> > leaving us to wonder why.
> >
> > The first order of business is to produce a patch to indicate why it
> > bails. Please apply the attached patch and let me know where it fails.
> > Messages will be printed to stderr and to /var/log/messages (assuming
> > daemon.err is sent there).
>
> The output after patch (without loading mac_ntpd.ko manually):
>
> Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> listed in command line, exiting
> Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
>
> See
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/0
> 21308.html
> for my options related with ntpd.
Is this before ntpd -u commit was reverted or after?
Please grep ntpd /etc/rc.conf.
>
> >
> > >
> > > --
> > > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 19:15:54 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC3Q94l1gz5qxbg
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:16:01 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3Q91LqGz47k8
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:16:00 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52BJFsl3098335;
Wed, 12 Mar 2025 04:15:55 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741720555;
bh=quu2iNk+eaxYMo5Ef5gWXdbd+FeQpr2mVKx8kOsf0nI=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=RECx2q5kOjb6fOMA1ifLF5rF67xGjRYGc2swIDpbKL70FwCurk/JZyzdRiCtMU1nG
9r5ZDF3Ficy+wd72ZnHyadLpF3rAdxwdrTxtHHubTP1pkEot5orcFSImaINDgGFG/Y
DxINFtn5mFQO4MeHHL2CqQ9FF2nYOj9Vd3ATxFi0=
Date: Wed, 12 Mar 2025 04:15:54 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
In-Reply-To: <20250311190810.CA65A203@slippy.cwsent.com>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZC3Q91LqGz47k8
X-Spamd-Bar: ----
On Tue, 11 Mar 2025 12:08:10 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
> > On Tue, 11 Mar 2025 08:13:51 -0700
> > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> > > Tomoaki
> > > AOKI writes:
> > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > >
> > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > >
> > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > > > Hello List Subscirbers,
> > > > > > >
> > > > > > > in the past the module was loaded automatically upon NTPD server st
> > artu
> > > > p.
> > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > Perhaps people running stable/14 might find this message useful.
> > > > >
> > > > > Hmm, works for me on main and stable/14.
> > > > >
> > > > > > So... I noticed this for (precisely) one of the five machines I have
> > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically
> > as
> > > > > > usual.
> > > > > >
> > > > > > In the failing case, it seems that
> > > > > >
> > > > > > sysctl security.mac.version
> > > > > >
> > > > > > yielded
> > > > > >
> > > > > > sysctl: unknown oid 'security.mac.version'
> > > > >
> > > > > I only get this if I build a kernel without "options MAC". But in this
> > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > >
> > > > > Starting ntpd.
> > > > > daemon control: got EOF
> > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > >
> > > > In this case, you'll find something like
> > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > daemon child exited with code 255
> > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > possibly /var/log/messages by default).
> > >
> > > I don't understand why some systems (those in this thread) have a problem
> > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
> >
> > > like to try to understand the differences between those that work and those
> >
> > > that don't.
> > >
> > > First of all, the ntpd rc script bails without saying why when it
> > > encounters a problem. can_run_nonroot() simply returns a bad return code
> > > leaving us to wonder why.
> > >
> > > The first order of business is to produce a patch to indicate why it
> > > bails. Please apply the attached patch and let me know where it fails.
> > > Messages will be printed to stderr and to /var/log/messages (assuming
> > > daemon.err is sent there).
> >
> > The output after patch (without loading mac_ntpd.ko manually):
> >
> > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > listed in command line, exiting
> > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
> >
> > See
> > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/0
> > 21308.html
> > for my options related with ntpd.
>
> Is this before ntpd -u commit was reverted or after?
Before revert. As I don't pull updates after I read your post which
included the patch.
> Please grep ntpd /etc/rc.conf.
Result stripping comments.
% grep ntpd /etc/rc.conf
ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
ntpd_config="/etc/ntp/ntp.conf"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
daily_ntpd_leapfile_enable="YES"
%
Regards.
>
> >
> > >
> > > >
> > > > --
> > > > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
> >
> >
> > --
> > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Tue Mar 11 19:18:49 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC3TR6QQtz5qxL1
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:18:51 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3TR5JxBz49pw
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:18:51 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142])
by cmsmtp with ESMTPS
id s0vStiKDX9JM2s57rtueau; Tue, 11 Mar 2025 19:18:51 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s57qtdnnKQwcXs57qt9fyo; Tue, 11 Mar 2025 19:18:51 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=DaW0qetW c=1 sm=1 tr=0 ts=67d08c9b
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=kj9zAlcOel0A:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=YxBL1-UpAAAA:8 a=vNMN55ow3BrqeX2XkccA:9 a=CjuIK1q_8ugA:10
a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id A269FD6;
Tue, 11 Mar 2025 12:18:49 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 7F1B4110; Tue, 11 Mar 2025 12:18:49 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 04:01:01 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Mar 2025 12:18:49 -0700
Message-Id: <20250311191849.7F1B4110@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfD2zQY72eXYS3LzBOnyovCyzrRt/OFR4GUWVRA0Y2Pwsqs/HaQiOUeww5y6xaD02rP55YHZA4hh+JbNSTdxGE5Fv9JOOWRgz21BZV+v4s4hDa3wfAx6L
IgmT21PFSR6wRsEMYXojQZwj2JhSTt08kPkAS8OAjtCORr1U52lWQ8BlC6vdTw4yesaH5wIGQy50KvXt/xdP3WuXqHJ4vTU8KxgBmpFje1CcGnpTHXrpF5TO
SUnofJJdVc8sD+TYGTtuKkxQ+0xfzUS4vr41jlPt4Kg=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC3TR5JxBz49pw
X-Spamd-Bar: ----
In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Tue, 11 Mar 2025 08:13:51 -0700
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> > Tomoaki
> > AOKI writes:
> > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > >
> > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > >
> > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > > Hello List Subscirbers,
> > > > > >
> > > > > > in the past the module was loaded automatically upon NTPD server st
> artu
> > > p.
> > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > Perhaps people running stable/14 might find this message useful.
> > > >
> > > > Hmm, works for me on main and stable/14.
> > > >
> > > > > So... I noticed this for (precisely) one of the five machines I have
> > > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically
> as
> > > > > usual.
> > > > >
> > > > > In the failing case, it seems that
> > > > >
> > > > > sysctl security.mac.version
> > > > >
> > > > > yielded
> > > > >
> > > > > sysctl: unknown oid 'security.mac.version'
> > > >
> > > > I only get this if I build a kernel without "options MAC". But in this
> > > > no mac_* kernel modules are built and ntpd fails with:
> > > >
> > > > Starting ntpd.
> > > > daemon control: got EOF
> > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > >
> > > In this case, you'll find something like
> > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > daemon child exited with code 255
> > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > possibly /var/log/messages by default).
> >
> > I don't understand why some systems (those in this thread) have a problem
> > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd
>
> > like to try to understand the differences between those that work and those
>
> > that don't.
> >
> > First of all, the ntpd rc script bails without saying why when it
> > encounters a problem. can_run_nonroot() simply returns a bad return code
> > leaving us to wonder why.
> >
> > The first order of business is to produce a patch to indicate why it
> > bails. Please apply the attached patch and let me know where it fails.
> > Messages will be printed to stderr and to /var/log/messages (assuming
> > daemon.err is sent there).
>
> The output after patch (without loading mac_ntpd.ko manually):
>
> Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> listed in command line, exiting
> Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
>
> See
> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/0
> 21308.html
> for my options related with ntpd.
Looking at the URL you have posted, you cannot use -f nor the -l options.
Remove them and put the corresponding statements into your /etc/ntp.conf.
Or put ntpd_user=root into your rc.conf file.
The reason we do this is files may not be accessible.
>
> >
> > >
> > > --
> > > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 19:21:03 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC3X15Gm8z5qxfm
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:21:05 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC3X14Bvyz4D3T
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:21:05 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142])
by cmsmtp with ESMTPS
id rz1EtiEPw9JM2s5A1tuhqh; Tue, 11 Mar 2025 19:21:05 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s59ztdoNRQwcXs5A0t9gIm; Tue, 11 Mar 2025 19:21:05 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=DaW0qetW c=1 sm=1 tr=0 ts=67d08d21
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=kj9zAlcOel0A:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=YxBL1-UpAAAA:8 a=PMssRl9mujQ5eVyqgZEA:9 a=CjuIK1q_8ugA:10
a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 43B6CDE;
Tue, 11 Mar 2025 12:21:03 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 3C51A300; Tue, 11 Mar 2025 12:21:03 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp> <20250311190810.CA65A203@slippy.cwsent.com> <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 04:15:54 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Mar 2025 12:21:03 -0700
Message-Id: <20250311192103.3C51A300@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfLKxf7ro5Gr6JnzuaaLwQ7GTKAPnl4XAEJrTwn64dJEbNcXhX33CWRcwFBxB9ZccyO8GTouq25ETDVFQJjGoXXkOzWu3Jrgap2Gp4W1aAiWqWjHlx/YH
8YzXPKGKSNZO1qlttb8zblRZ6TxIMuo+jG522PMOKNbqPavzAjYWYQ+MH22WtK97q43leftxAf50VGfsueeT19hH7VUfpVWftUoDXRtQ+sKE2nm7oTbUMnJg
TPuwuhIJomWsyD5+pV0DzWb9QX8L5/hp4C7B4XY8i+A=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC3X14Bvyz4D3T
X-Spamd-Bar: ----
In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Tue, 11 Mar 2025 12:08:10 -0700
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
> > Tomoaki
> > AOKI writes:
> > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > >
> > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> > > > Tomoaki
> > > > AOKI writes:
> > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > >
> > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > >
> > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > > > > Hello List Subscirbers,
> > > > > > > >
> > > > > > > > in the past the module was loaded automatically upon NTPD serve
> r st
> > > artu
> > > > > p.
> > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > Perhaps people running stable/14 might find this message useful
> .
> > > > > >
> > > > > > Hmm, works for me on main and stable/14.
> > > > > >
> > > > > > > So... I noticed this for (precisely) one of the five machines I h
> ave
> > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagic
> ally
> > > as
> > > > > > > usual.
> > > > > > >
> > > > > > > In the failing case, it seems that
> > > > > > >
> > > > > > > sysctl security.mac.version
> > > > > > >
> > > > > > > yielded
> > > > > > >
> > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > >
> > > > > > I only get this if I build a kernel without "options MAC". But in t
> his
> > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > >
> > > > > > Starting ntpd.
> > > > > > daemon control: got EOF
> > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > >
> > > > > In this case, you'll find something like
> > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > daemon child exited with code 255
> > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > possibly /var/log/messages by default).
> > > >
> > > > I don't understand why some systems (those in this thread) have a probl
> em
> > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine.
> I'd
> > >
> > > > like to try to understand the differences between those that work and t
> hose
> > >
> > > > that don't.
> > > >
> > > > First of all, the ntpd rc script bails without saying why when it
> > > > encounters a problem. can_run_nonroot() simply returns a bad return cod
> e
> > > > leaving us to wonder why.
> > > >
> > > > The first order of business is to produce a patch to indicate why it
> > > > bails. Please apply the attached patch and let me know where it fails.
> > > > Messages will be printed to stderr and to /var/log/messages (assuming
> > > > daemon.err is sent there).
> > >
> > > The output after patch (without loading mac_ntpd.ko manually):
> > >
> > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > listed in command line, exiting
> > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
> > >
> > > See
> > > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-Februa
> ry/0
> > > 21308.html
> > > for my options related with ntpd.
> >
> > Is this before ntpd -u commit was reverted or after?
>
> Before revert. As I don't pull updates after I read your post which
> included the patch.
>
>
> > Please grep ntpd /etc/rc.conf.
>
> Result stripping comments.
>
> % grep ntpd /etc/rc.conf
> ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
This is your problem. Remove the -f and -l arguments and put the logfile
and driftfile ntp.conf statements instead.
> ntpd_config="/etc/ntp/ntp.conf"
> ntpd_enable="YES"
> ntpd_sync_on_start="YES"
> daily_ntpd_leapfile_enable="YES"
> %
>
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 19:52:38 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC4FF5q3Lz5r0Pm
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 19:53:21 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC4FC5lmRz4HRt
for <stable@freebsd.org>; Tue, 11 Mar 2025 19:53:19 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
none
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
(authenticated bits=0)
by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52BJqdLd002364
(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
Tue, 11 Mar 2025 20:52:39 +0100 (CET)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1741722766;
bh=sJZpaq5/b7Q+WnejujLVFH8Pxe0GfrYybXkpYcVgUKQ=;
h=Date:Subject:To:Cc:References:From:In-Reply-To;
b=NV2E/QKPZDT6KXz81HwiMvEiyY7wgTrRO3/gVuHsnddL4CnLUyx/8Ae5/mUaIi0ZN
H5qh+NqXNclI2Q38J5IHmacwRFdVeeS41Fr7azYWWi5uXtl1+qiuKMCLWJjwpnNnwR
5+qQH1WTnPJUgnvZXQjvGQYKFUMv6mHvqHWXG8H53TEinYTMJMAcvHC9BtZtGrh7MY
6lGAaL/bpL6s8XiJpkdO6XiCBof6VdrSfrwn3IyiYp8X1dB+bJZ3lg/M1FTziXEdl4
K0vcW5ji+Cfa5LFfH+SL4SK240vLA/1mBAQiWsEl/DmPIR7jcocEz89D1Lq+t8MJqT
hBR6x6e6XKnvw==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Content-Type: multipart/alternative;
boundary="------------DOa45fOEFt3RPa3J3HNcRaVj"
Message-ID: <c256aafe-27c0-403e-9089-554bfe9f4178@plan-b.pwste.edu.pl>
Date: Tue, 11 Mar 2025 20:52:38 +0100
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl>
<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>
<20250311172036.97C0C10F@slippy.cwsent.com>
<9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>
<20250311180224.9C1ED289@slippy.cwsent.com>
<2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>
<20250311190600.4DD4814@slippy.cwsent.com>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <20250311190600.4DD4814@slippy.cwsent.com>
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL]
X-Rspamd-Queue-Id: 4ZC4FC5lmRz4HRt
X-Spamd-Bar: ----
This is a multi-part message in MIME format.
--------------DOa45fOEFt3RPa3J3HNcRaVj
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
W dniu 11.03.2025 o 20:06, Cy Schubert pisze:
> In message<2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>,
> Marek Za
> rychta writes:
>> W dniu 11.03.2025 o 19:02, Cy Schubert pisze:
>>> In message<9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>,
>>> Marek Za
>>> rychta writes:
>>>> This is a multi-part message in MIME format.
>>>> --------------AE7s5oJnhOW0uW76c0IQR0yC
>>>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>>> Content-Transfer-Encoding: 8bit
>>>>
>>>> W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
>>>>> In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
>>>>> Marek Za
>>>>> rychta writes:
>>>>>> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
>>>>>>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
>>>>>>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
>>>>>>>> Tomoaki
>>>>>>>> AOKI writes:
>>>>>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
>>>>>>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
>>>>>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>>>>>>>>> Hello List Subscirbers,
>>>>>>>>>>>>
>>>>>>>>>>>> in the past the module was loaded automatically upon NTPD server
>>>>>>>>>>>> startu
>>>>>>>>> p.
>>>>>>>>>>>> It's no longer true, now it has to be loaded earlier.
>>>>>>>>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>>>>>> Hmm, works for me on main and stable/14.
>>>>>>>>>>
>>>>>>>>>>> So... I noticed this for (precisely) one of the five machines I hav
>> e
>>>>>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
>>>>>>>>>>> automagically as
>>>>>>>>>>> usual.
>>>>>>>>>>>
>>>>>>>>>>> In the failing case, it seems that
>>>>>>>>>>>
>>>>>>>>>>> Â Â Â Â sysctl security.mac.version
>>>>>>>>>>>
>>>>>>>>>>> yielded
>>>>>>>>>>>
>>>>>>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
>>>>>>>>>> I only get this if I build a kernel without "options MAC". But in th
>> is
>>>>>>>>>> no mac_* kernel modules are built and ntpd fails with:
>>>>>>>>>>
>>>>>>>>>> Starting ntpd.
>>>>>>>>>> daemon control: got EOF
>>>>>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>>>>>> In this case, you'll find something like
>>>>>>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
>>>>>>>>> Â Â daemon child exited with code 255
>>>>>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
>>>>>>>>> possibly /var/log/messages by default).
>>>>>>>> I don't understand why some systems (those in this thread) have a
>>>>>>>> problem
>>>>>>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
>>>>>>>> fine. I'd
>>>>>>>> like to try to understand the differences between those that work and
>>>>>>>> those
>>>>>>>> that don't.
>>>>>>>>
>>>>>>>> First of all, the ntpd rc script bails without saying why when it
>>>>>>>> encounters a problem. can_run_nonroot() simply returns a bad return co
>> de
>>>>>>>> leaving us to wonder why.
>>>>>>>>
>>>>>>>> The first order of business is to produce a patch to indicate why it
>>>>>>>> bails. Please apply the attached patch and let me know where it fails.
>>>>>>>> Messages will be printed to stderr and to /var/log/messages (assuming
>>>>>>>> daemon.err is sent there).
>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
>>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Cy Schubert<Cy.Schubert@cschubert.com>
>>>>>>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
>>>>>>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
>>>>>>>>
>>>>>>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
>>>>>>> Output from the patch:
>>>>>>>
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
>>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>>>>>> ----------------------------------------------------
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
>>>>>>> Time Foundation,
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
>>>>>>> public-benefit
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
>>>>>>> for ntp-4 are
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
>>>>>>> https://www.nwtime.org/support
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
>>>>>>> ----------------------------------------------------
>>>>>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
>>>>>>> /var/log/ntp
>>>>>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
>>>>>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
>>>>>>> start ntpd
>>>>>>>
>>>>>>> Debugging output from from the unpatched /etc/rc.d/ntpd:
>>>>>>>
>>>>>>> (...)
>>>>>>>
>>>>>>> + echo 'Starting ntpd.'
>>>>>>> Starting ntpd.
>>>>>>> + [ -n '' ]
>>>>>>> + _cd=''
>>>>>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -
>> u
>>>>>>> ntpd:ntpd'
>>>>>>> + [ -n '' ]
>>>>>>> + [ -n '' ]
>>>>>>> + [ -n '' ]
>>>>>>> + [ -n '' ]
>>>>>>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
>>>>>>> -c /etc/ntp.conf -u ntpd:ntpd'
>>>>>>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
>>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>>>>>> + local _m
>>>>>>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
>>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
>>>>>>> + umask
>>>>>>> + _m=0022
>>>>>>> +
>>>>>>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
>> -c
>>>>>>> /etc/ntp.conf -u ntpd:ntpd'
>>>>>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>>>>>>> /etc/ntp.conf -u ntpd:ntpd
>>>>>>> daemon control: got EOF
>>>>>>> + _return=255
>>>>>>> + umask 0022
>>>>>>> + [ 255 -ne 0 ]
>>>>>>> + [ -z '' ]
>>>>>>> + return 1
>>>>>>> + warn 'failed to start ntpd'
>>>>>>> + [ -x /usr/bin/logger ]
>>>>>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>>>>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
>>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
>>>>>>> + return 1
>>>>>>>
>>>>>> The real problem is here:
>>>>>> + [ -n '' ]
>>>>>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>>>>>> \t]*logfile|^[ \t]*statsdir'
>>>>>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
>>>>>> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
>>>>>> + return 1
>>>>>>
>>>>>> To reproduce: use config matching the regex from the above, for example
>>>>>> add line:
>>>>>>
>>>>>> logfile /var/log/ntp.log
>>>>>>
>>>>>> to the ntp.conf
>>>>>>
>>>>>> 15-CURRENT is also affected this way. That's a bit odd that nobody
>>>>>> reported it yet.
>>>>>>
>>>>>> Problems made by can_run_nonroot function can be fixed by removing lines
>>>>>> 60-64 from the starting script.
>>>>>>
>>>>>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L6
>> 3
>>>>> What is in your ntpd_config in rc.conf?
>>>> # grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
>>>> /etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
>>>> configuration file
>>> Without the patch I replied with, we're back to guessing. Yet, every feels
>>> the problem is in a different part of the rc script.
>>>
>>> The mystery is why are all my instances (13, 14, 15) working and yours not?
>>>
>>> I have reverted the commit. A rewrite of the rc script will be required in
>>> order to implement ntpd's chroot.
>>>
>> I don't know. It's the same bug from the beginning, but it reveals in
>> different ways. It looks like the early exit from can_run_nonroot
>> function prevented loading mac_ntpd.ko module. All affected setups in my
>> case had set options: logfile, keys and driftfile what is probably still
>> completely fine. These configs are old, but the syntax is still correct
>> and I believe using ntp keys or setting logfile from the config directly
>> shouldn't be banished.
> Aside from my commit to use -u instead of su, the script hasn't changed,
> except for comments, since 2022. The problem must be your config, somewhere.
>
> Reverting the script to rely in su instead of ntpd handling setuid()
> itself, though helping you now see that the commit wasn't the problem, was
> needless. Patching your script with the suggested error messaging patch
> would have given us clarity to the problem rather than randomly reverting
> commits until it magically worked.
>
> You need to apply the error messaging patch or we continue to *guess* what
> the problem might be. Guessing is not a smart debugging strategy. Sitting
> here at my desk I do not have any useful information beyond guesses.
>
> Sorry for the rant but I've worked on software support, sysadmin, and
> various development roles throughout my 50+ year career. When users provide
> little to no information to go on all we are left with is to guess. Right
> now my guess is that there is something wrong with your setup. Beyond that
> I don't know because the only information I have is, it doesn't work for
> you. And since I cannot reproduce your problem here on 15-CURRENT,
> 14.2-RELEASE, or 13.5-RELEASE, I have no additional visibility into your
> problem.
>
> I need data.
>
Dear Committer,
in the past (and now, after the revert of commit
521f66715afb312b356afafc68cbc044a436a753), NTPD was run as root. The
change introduced in 521f66715afb312b356afafc68cbc044a436a753 no longer
allowed root, but with mac_ntpd.ko loaded it was possible to start NTPD
using the ntpd user account. Removing line 63 from the startup scripts
[1], regardless of the change introduced by
521f66715afb312b356afafc68cbc044a436a753, allows NTPD servers to be
started using the ntpd user account on all my affected machines.
Furthermore, all affected machines have "logfile", "keys" and
"driftfile" set, and NTPD works fine on them using the ntpd account if
only mac_ntpd is loaded. So indeed the topic "heads up: mac_ntpd has to
be explicitly loaded in recent stable/14" was unfortunate. Sorry for the
noise and bringing this up, because probably in the past on all these
machines NTPD was started using UID 0. Please allow me to apologize, I
simply missed a change made 7 years ago in the line 63 (grep -E -q
"${fileopts}" "${ntpd_config}" && return 1) and I was 100% sure that all
my servers use the mac_ntpd.ko policy and the NTPD daemon is started
under UID 123. Only few of them was behaving this way, the most of them
still used UID 0 to run the daemon.
Dear Subscribers,
please forgive me for making unnecessary noise again.
I am so embarrassed that I will not write another post on this thread today.
Yours sincerely
1.https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
--
Marek Zarychta
--------------DOa45fOEFt3RPa3J3HNcRaVj
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">W dniu 11.03.2025 o 20:06, Cy Schubert
pisze:<br>
</div>
<blockquote type="cite"
cite="mid:20250311190600.4DD4814@slippy.cwsent.com">
<pre wrap="" class="moz-quote-pre">In message <a class="moz-txt-link-rfc2396E" href="mailto:2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl"><2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl></a>,
Marek Za
rychta writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">W dniu 11.03.2025 o 19:02, Cy Schubert pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">In message <a class="moz-txt-link-rfc2396E" href="mailto:9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl"><9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl></a>,
Marek Za
rychta writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">This is a multi-part message in MIME format.
--------------AE7s5oJnhOW0uW76c0IQR0yC
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">In message<a class="moz-txt-link-rfc2396E" href="mailto:f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl"><f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl></a>,
Marek Za
rychta writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">In message<a class="moz-txt-link-rfc2396E" href="mailto:20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp"><20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp></a>,
Tomoaki
AOKI writes:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, 10 Mar 2025 16:37:58 +0100
"Herbert J. Skuhra"<a class="moz-txt-link-rfc2396E" href="mailto:herbert@gojira.at"><herbert@gojira.at></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">Hello List Subscirbers,
in the past the module was loaded automatically upon NTPD server
startu
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">p.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">It's no longer true, now it has to be loaded earlier.
Perhaps people running stable/14 might find this message useful.
</pre>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">Hmm, works for me on main and stable/14.
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">So... I noticed this for (precisely) one of the five machines I hav
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">e
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">that track stable/14 -- the other 4 get mac_ntpd loaded
automagically as
usual.
In the failing case, it seems that
    sysctl security.mac.version
yielded
    sysctl: unknown oid 'security.mac.version'
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I only get this if I build a kernel without "options MAC". But in th
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">is
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">no mac_* kernel modules are built and ntpd fails with:
Starting ntpd.
daemon control: got EOF
/etc/rc.d/ntpd: WARNING: failed to start ntpd
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">In this case, you'll find something like
  Need MAC 'ntpd' policy enabled to drop root privileges
  daemon child exited with code 255
in ntpd logfile (/var/db/ntpd.log in my case, but
possibly /var/log/messages by default).
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I don't understand why some systems (those in this thread) have a
problem
not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
fine. I'd
like to try to understand the differences between those that work and
those
that don't.
First of all, the ntpd rc script bails without saying why when it
encounters a problem. can_run_nonroot() simply returns a bad return co
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">de
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">leaving us to wonder why.
The first order of business is to produce a patch to indicate why it
bails. Please apply the attached patch and let me know where it fails.
Messages will be printed to stderr and to /var/log/messages (assuming
daemon.err is sent there).
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">--
Tomoaki AOKI<a class="moz-txt-link-rfc2396E" href="mailto:junchoon@dec.sakura.ne.jp"><junchoon@dec.sakura.ne.jp></a>
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Cheers,
Cy Schubert<a class="moz-txt-link-rfc2396E" href="mailto:Cy.Schubert@cschubert.com"><Cy.Schubert@cschubert.com></a>
FreeBSD UNIX:<a class="moz-txt-link-rfc2396E" href="mailto:cy@FreeBSD.org"><cy@FreeBSD.org></a>Â Â Web:<a class="moz-txt-link-freetext" href="https://FreeBSD.org">https://FreeBSD.org</a>
NTP:<a class="moz-txt-link-rfc2396E" href="mailto:cy@nwtime.org"><cy@nwtime.org></a>Â Â Â Web:<a class="moz-txt-link-freetext" href="https://nwtime.org">https://nwtime.org</a>
           e^(i*pi)+1=0
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">Output from the patch:
Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
Time Foundation,
Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3)
public-benefit
Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and training
for ntp-4 are
Mar 11 17:20:35 plan-b ntpd[60113]: available at
<a class="moz-txt-link-freetext" href="https://www.nwtime.org/support">https://www.nwtime.org/support</a>
Mar 11 17:20:35 plan-b ntpd[60113]:
----------------------------------------------------
Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
/var/log/ntp
Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed to
start ntpd
Debugging output from from the unpatched /etc/rc.d/ntpd:
(...)
+ echo 'Starting ntpd.'
Starting ntpd.
+ [ -n '' ]
+ _cd=''
+ _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">u
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">ntpd:ntpd'
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ [ -n '' ]
+ _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
-c /etc/ntp.conf -u ntpd:ntpd'
+ _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ local _m
+ debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd -p
/var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
+ umask
+ _m=0022
+
+ eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">-c
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">/etc/ntp.conf -u ntpd:ntpd'
+ limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
/etc/ntp.conf -u ntpd:ntpd
daemon control: got EOF
+ _return=255
+ umask 0022
+ [ 255 -ne 0 ]
+ [ -z '' ]
+ return 1
+ warn 'failed to start ntpd'
+ [ -x /usr/bin/logger ]
+ logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
+ echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
/etc/rc.d/ntpd: WARNING: failed to start ntpd
+ return 1
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">The real problem is here:
+ [ -n '' ]
+ local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir'
+ grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
\t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
+ return 1
To reproduce: use config matching the regex from the above, for example
add line:
logfile /var/log/ntp.log
to the ntp.conf
15-CURRENT is also affected this way. That's a bit odd that nobody
reported it yet.
Problems made by can_run_nonroot function can be fixed by removing lines
60-64 from the starting script.
<a class="moz-txt-link-freetext" href="https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L6">https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L6</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="" class="moz-quote-pre">3
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">What is in your ntpd_config in rc.conf?
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre"># grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
/etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
configuration file
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">Without the patch I replied with, we're back to guessing. Yet, every feels
the problem is in a different part of the rc script.
The mystery is why are all my instances (13, 14, 15) working and yours not?
I have reverted the commit. A rewrite of the rc script will be required in
order to implement ntpd's chroot.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I don't know. It's the same bug from the beginning, but it reveals in
different ways. It looks like the early exit from can_run_nonroot
function prevented loading mac_ntpd.ko module. All affected setups in my
case had set options: logfile, keys and driftfile what is probably still
completely fine. These configs are old, but the syntax is still correct
and I believe using ntp keys or setting logfile from the config directly
shouldn't be banished.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Aside from my commit to use -u instead of su, the script hasn't changed,
except for comments, since 2022. The problem must be your config, somewhere.
Reverting the script to rely in su instead of ntpd handling setuid()
itself, though helping you now see that the commit wasn't the problem, was
needless. Patching your script with the suggested error messaging patch
would have given us clarity to the problem rather than randomly reverting
commits until it magically worked.
You need to apply the error messaging patch or we continue to *guess* what
the problem might be. Guessing is not a smart debugging strategy. Sitting
here at my desk I do not have any useful information beyond guesses.
Sorry for the rant but I've worked on software support, sysadmin, and
various development roles throughout my 50+ year career. When users provide
little to no information to go on all we are left with is to guess. Right
now my guess is that there is something wrong with your setup. Beyond that
I don't know because the only information I have is, it doesn't work for
you. And since I cannot reproduce your problem here on 15-CURRENT,
14.2-RELEASE, or 13.5-RELEASE, I have no additional visibility into your
problem.
I need data.
</pre>
</blockquote>
<p>Dear Committer,<br>
</p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">in the past (and now, after the revert of
commit 521f66715afb312b356afafc68cbc044a436a753), NTPD was
run as root.</span></span> <span class="jCAhz ChMk0b"><span
class="ryNqvb">The change introduced in
521f66715afb312b356afafc68cbc044a436a753 no longer allowed
root, but with mac_ntpd.ko loaded it was possible to start
NTPD using the ntpd user account.</span></span> <span
class="jCAhz ChMk0b"><span class="ryNqvb">Removing line 63
from the startup scripts [1], regardless of the change
introduced by 521f66715afb312b356afafc68cbc044a436a753,
allows NTPD servers to be started using the ntpd user
account on all my affected machines.</span></span> <span
class="jCAhz ChMk0b"><span class="ryNqvb">Furthermore, all
affected machines have "logfile", "keys" and "driftfile"
set, and NTPD works fine on them using the ntpd account if
only mac_ntpd is loaded.</span></span> <span
class="jCAhz ChMk0b"><span class="ryNqvb">So indeed the topic
"heads up: mac_ntpd has to be explicitly loaded in recent
stable/14" was unfortunate.</span></span> <span
class="jCAhz ChMk0b"><span class="ryNqvb">Sorry for the noise
and bringing this up, because probably in the past on all
these machines NTPD was started using UID 0.
Please allow me to apologize, I simply missed a change made
7 years ago in the line 63 (grep -E -q "${fileopts}"
"${ntpd_config}" && return 1) and I was 100% sure
that all my servers use the mac_ntpd.ko policy and the NTPD
daemon is started under UID 123. Only few of them was
behaving this way, the most of them still used UID 0 to run
the daemon.<br>
</span></span></span></p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">Dear Subscribers,</span></span></span></p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">please forgive me for making unnecessary
noise again.</span></span></span><span
class="jCAhz ChMk0b C1N51c">
<div class="lizc5d"><span class="jzUr5c" lang="en">I am so
embarrassed that I will not write another post on this
thread today.</span></div>
</span><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb"></span></span><span class="jCAhz ChMk0b"><span
class="ryNqvb"> <br>
</span></span></span></p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">Yours sincerely</span></span></span></p>
<pre class="moz-signature" cols="72">1. <a class="moz-txt-link-freetext" href="https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63">https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63</a>
--
Marek Zarychta</pre>
</body>
</html>
--------------DOa45fOEFt3RPa3J3HNcRaVj--
From nobody Tue Mar 11 20:14:59 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC4kH4lN4z5r1mp
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 20:15:03 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC4kH2bj4z4KSp
for <stable@freebsd.org>; Tue, 11 Mar 2025 20:15:03 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142])
by cmsmtp with ESMTPS
id s0vStiKDb9JM2s60Etw23H; Tue, 11 Mar 2025 20:15:02 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s60Bte1qmQwcXs60Ct9n9A; Tue, 11 Mar 2025 20:15:02 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=DaW0qetW c=1 sm=1 tr=0 ts=67d099c6
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=NEAV23lmAAAA:8 a=YxBL1-UpAAAA:8 a=o3YD0TG0PssvUdb4thkA:9 a=3ZKOabzyN94A:10
a=QEXdDO2ut3YA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 6D91E18D;
Tue, 11 Mar 2025 13:14:59 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 38CE7303; Tue, 11 Mar 2025 13:14:59 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <c256aafe-27c0-403e-9089-554bfe9f4178@plan-b.pwste.edu.pl>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <a5407a66-40a9-49e9-9234-ec2e7e8fb520@plan-b.pwste.edu.pl> <f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl> <20250311172036.97C0C10F@slippy.cwsent.com> <9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl> <20250311180224.9C1ED289@slippy.cwsent.com> <2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl> <20250311190600.4DD4814@slippy.cwsent.com> <c256aafe-27c0-403e-9089-554bfe9f4178@plan-b.pwste.edu.pl>
Comments: In-reply-to Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
message dated "Tue, 11 Mar 2025 20:52:38 +0100."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Date: Tue, 11 Mar 2025 13:14:59 -0700
Message-Id: <20250311201459.38CE7303@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfMMjgoM8CT+UrQN60D3vWnDygY0qKjBGVBH24juNtqZnkI4hhORf6I/2rTon64CsAwLrYv26lCD8LbaPtjhKqCmMDtH4wFqPv1ozzTMiiPpnhNf/042g
de63ggafBHEDKJBUlmfwiXZQUEWmsNwfc+DzOAMY5nbMDpt90EEnZzW6P6UpZLj02ms68bOnA7yaixIQCEMMkEFx6C3GzRU+wgZ8SfHkKSgVUoa2u7hMp2hZ
5ZugDfG5uUznKJ7RVGNdNg++hwhnpd6wvUU1DdvkBcYuhsQN4Qqfz8vXajT4I8G6DH2xdbqpsW1fl6kMfJEY1w==
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC4kH2bj4z4KSp
X-Spamd-Bar: ----
In message <c256aafe-27c0-403e-9089-554bfe9f4178@plan-b.pwste.edu.pl>,
Marek Za
rychta writes:
> This is a multi-part message in MIME format.
> --------------DOa45fOEFt3RPa3J3HNcRaVj
> Content-Type: text/plain; charset=UTF-8; format=flowed
> Content-Transfer-Encoding: 8bit
>
> W dniu 11.03.2025 o 20:06, Cy Schubert pisze:
> > In message<2ac849e6-3851-47ad-9844-968cf0067ce2@plan-b.pwste.edu.pl>,
> > Marek Za
> > rychta writes:
> >> W dniu 11.03.2025 o 19:02, Cy Schubert pisze:
> >>> In message<9756f69e-c849-4a01-b7c0-4b89a57e1b1f@plan-b.pwste.edu.pl>,
> >>> Marek Za
> >>> rychta writes:
> >>>> This is a multi-part message in MIME format.
> >>>> --------------AE7s5oJnhOW0uW76c0IQR0yC
> >>>> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>>> Content-Transfer-Encoding: 8bit
> >>>>
> >>>> W dniu 11.03.2025 o 18:20, Cy Schubert pisze:
> >>>>> In message<f63d67b5-6e05-481f-9560-06150eb5adbf@plan-b.pwste.edu.pl>,
> >>>>> Marek Za
> >>>>> rychta writes:
> >>>>>> W dniu 11.03.2025 o 17:29, Marek Zarychta pisze:
> >>>>>>> W dniu 11.03.2025 o 16:13, Cy Schubert pisze:
> >>>>>>>> In message<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
> ,
> >>>>>>>> Tomoaki
> >>>>>>>> AOKI writes:
> >>>>>>>>> On Mon, 10 Mar 2025 16:37:58 +0100
> >>>>>>>>> "Herbert J. Skuhra"<herbert@gojira.at> wrote:
> >>>>>>>>>
> >>>>>>>>>> On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> >>>>>>>>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> >>>>>>>>>>>> Hello List Subscirbers,
> >>>>>>>>>>>>
> >>>>>>>>>>>> in the past the module was loaded automatically upon NTPD server
> >>>>>>>>>>>> startu
> >>>>>>>>> p.
> >>>>>>>>>>>> It's no longer true, now it has to be loaded earlier.
> >>>>>>>>>>>> Perhaps people running stable/14 might find this message useful.
> >>>>>>>>>> Hmm, works for me on main and stable/14.
> >>>>>>>>>>
> >>>>>>>>>>> So... I noticed this for (precisely) one of the five machines I h
> av
> >> e
> >>>>>>>>>>> that track stable/14 -- the other 4 get mac_ntpd loaded
> >>>>>>>>>>> automagically as
> >>>>>>>>>>> usual.
> >>>>>>>>>>>
> >>>>>>>>>>> In the failing case, it seems that
> >>>>>>>>>>>
> >>>>>>>>>>> Â Â Â Â sysctl security.mac.version
> >>>>>>>>>>>
> >>>>>>>>>>> yielded
> >>>>>>>>>>>
> >>>>>>>>>>> Â Â Â Â sysctl: unknown oid 'security.mac.version'
> >>>>>>>>>> I only get this if I build a kernel without "options MAC". But in
> th
> >> is
> >>>>>>>>>> no mac_* kernel modules are built and ntpd fails with:
> >>>>>>>>>>
> >>>>>>>>>> Starting ntpd.
> >>>>>>>>>> daemon control: got EOF
> >>>>>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>>>>>>>> In this case, you'll find something like
> >>>>>>>>> Â Â Need MAC 'ntpd' policy enabled to drop root privileges
> >>>>>>>>> Â Â daemon child exited with code 255
> >>>>>>>>> in ntpd logfile (/var/db/ntpd.log in my case, but
> >>>>>>>>> possibly /var/log/messages by default).
> >>>>>>>> I don't understand why some systems (those in this thread) have a
> >>>>>>>> problem
> >>>>>>>> not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are
> >>>>>>>> fine. I'd
> >>>>>>>> like to try to understand the differences between those that work an
> d
> >>>>>>>> those
> >>>>>>>> that don't.
> >>>>>>>>
> >>>>>>>> First of all, the ntpd rc script bails without saying why when it
> >>>>>>>> encounters a problem. can_run_nonroot() simply returns a bad return
> co
> >> de
> >>>>>>>> leaving us to wonder why.
> >>>>>>>>
> >>>>>>>> The first order of business is to produce a patch to indicate why
> it
> >>>>>>>> bails. Please apply the attached patch and let me know where it fail
> s.
> >>>>>>>> Messages will be printed to stderr and to /var/log/messages (assumin
> g
> >>>>>>>> daemon.err is sent there).
> >>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Tomoaki AOKI<junchoon@dec.sakura.ne.jp>
> >>>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Cy Schubert<Cy.Schubert@cschubert.com>
> >>>>>>>> FreeBSD UNIX:<cy@FreeBSD.org>Â Â Web:https://FreeBSD.org
> >>>>>>>> NTP:<cy@nwtime.org>Â Â Â Web:https://nwtime.org
> >>>>>>>>
> >>>>>>>> Â Â Â Â Â Â Â Â Â Â Â e^(i*pi)+1=0
> >>>>>>> Output from the patch:
> >>>>>>>
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntpd 4.2.8p18-a (17): Starting
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Command line: /usr/sbin/ntpd -p
> >>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>>>>>> ----------------------------------------------------
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: ntp-4 is maintained by Network
> >>>>>>> Time Foundation,
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: Inc. (NTF), a non-profit 501(c)(3
> )
> >>>>>>> public-benefit
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: corporation. Support and traini
> ng
> >>>>>>> for ntp-4 are
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]: available at
> >>>>>>> https://www.nwtime.org/support
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60113]:
> >>>>>>> ----------------------------------------------------
> >>>>>>> Mar 11 17:20:35 plan-b ntpd[60114]: switching logging to file
> >>>>>>> /var/log/ntp
> >>>>>>> Mar 11 17:20:36 plan-b ntpd[60113]: daemon child exited with code 255
> >>>>>>> Mar 11 17:20:36 plan-b root[60118]: /etc/rc.d/ntpd: WARNING: failed t
> o
> >>>>>>> start ntpd
> >>>>>>>
> >>>>>>> Debugging output from from the unpatched /etc/rc.d/ntpd:
> >>>>>>>
> >>>>>>> (...)
> >>>>>>>
> >>>>>>> + echo 'Starting ntpd.'
> >>>>>>> Starting ntpd.
> >>>>>>> + [ -n '' ]
> >>>>>>> + _cd=''
> >>>>>>> + _doit=' /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.confÂ
> -
> >> u
> >>>>>>> ntpd:ntpd'
> >>>>>>> + [ -n '' ]
> >>>>>>> + [ -n '' ]
> >>>>>>> + [ -n '' ]
> >>>>>>> + [ -n '' ]
> >>>>>>> + _doit=' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.p
> id
> >>>>>>> -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>>>> + _run_rc_doit ' limits -C daemon  /usr/sbin/ntpd -p
> >>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>>>> + local _m
> >>>>>>> + debug 'run_rc_command: doit: limits -C daemon  /usr/sbin/ntpd
> -p
> >>>>>>> /var/db/ntp/ntpd.pid -c /etc/ntp.conf -u ntpd:ntpd'
> >>>>>>> + umask
> >>>>>>> + _m=0022
> >>>>>>> +
> >>>>>>> + eval ' limits -C daemon  /usr/sbin/ntpd -p /var/db/ntp/ntpd.pi
> d
> >> -c
> >>>>>>> /etc/ntp.conf -u ntpd:ntpd'
> >>>>>>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
> >>>>>>> /etc/ntp.conf -u ntpd:ntpd
> >>>>>>> daemon control: got EOF
> >>>>>>> + _return=255
> >>>>>>> + umask 0022
> >>>>>>> + [ 255 -ne 0 ]
> >>>>>>> + [ -z '' ]
> >>>>>>> + return 1
> >>>>>>> + warn 'failed to start ntpd'
> >>>>>>> + [ -x /usr/bin/logger ]
> >>>>>>> + logger '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>>>>>> + echo '/etc/rc.d/ntpd: WARNING: failed to start ntpd'
> >>>>>>> /etc/rc.d/ntpd: WARNING: failed to start ntpd
> >>>>>>> + return 1
> >>>>>>>
> >>>>>> The real problem is here:
> >>>>>> + [ -n '' ]
> >>>>>> + local 'fileopts=^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >>>>>> \t]*logfile|^[ \t]*statsdir'
> >>>>>> + grep -E -q '^[ \t]*crypto|^[ \t]*driftfile|^[ \t]*key|^[
> >>>>>> \t]*logfile|^[ \t]*statsdir' /etc/ntp.conf
> >>>>>> + return 1
> >>>>>>
> >>>>>> To reproduce: use config matching the regex from the above, for exampl
> e
> >>>>>> add line:
> >>>>>>
> >>>>>> logfile /var/log/ntp.log
> >>>>>>
> >>>>>> to the ntp.conf
> >>>>>>
> >>>>>> 15-CURRENT is also affected this way. That's a bit odd that nobody
> >>>>>> reported it yet.
> >>>>>>
> >>>>>> Problems made by can_run_nonroot function can be fixed by removing lin
> es
> >>>>>> 60-64 from the starting script.
> >>>>>>
> >>>>>> https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#
> L6
> >> 3
> >>>>> What is in your ntpd_config in rc.conf?
> >>>> # grep ntpd_config /etc/rc.conf /etc/defaults/rc.conf
> >>>> /etc/defaults/rc.conf:ntpd_config="/etc/ntp.conf"Â Â Â # ntpd(8)
> >>>> configuration file
> >>> Without the patch I replied with, we're back to guessing. Yet, every feel
> s
> >>> the problem is in a different part of the rc script.
> >>>
> >>> The mystery is why are all my instances (13, 14, 15) working and yours no
> t?
> >>>
> >>> I have reverted the commit. A rewrite of the rc script will be required i
> n
> >>> order to implement ntpd's chroot.
> >>>
> >> I don't know. It's the same bug from the beginning, but it reveals in
> >> different ways. It looks like the early exit from can_run_nonroot
> >> function prevented loading mac_ntpd.ko module. All affected setups in my
> >> case had set options: logfile, keys and driftfile what is probably still
> >> completely fine. These configs are old, but the syntax is still correct
> >> and I believe using ntp keys or setting logfile from the config directly
> >> shouldn't be banished.
> > Aside from my commit to use -u instead of su, the script hasn't changed,
> > except for comments, since 2022. The problem must be your config, somewhere
> .
> >
> > Reverting the script to rely in su instead of ntpd handling setuid()
> > itself, though helping you now see that the commit wasn't the problem, was
> > needless. Patching your script with the suggested error messaging patch
> > would have given us clarity to the problem rather than randomly reverting
> > commits until it magically worked.
> >
> > You need to apply the error messaging patch or we continue to *guess* what
> > the problem might be. Guessing is not a smart debugging strategy. Sitting
> > here at my desk I do not have any useful information beyond guesses.
> >
> > Sorry for the rant but I've worked on software support, sysadmin, and
> > various development roles throughout my 50+ year career. When users provide
> > little to no information to go on all we are left with is to guess. Right
> > now my guess is that there is something wrong with your setup. Beyond that
> > I don't know because the only information I have is, it doesn't work for
> > you. And since I cannot reproduce your problem here on 15-CURRENT,
> > 14.2-RELEASE, or 13.5-RELEASE, I have no additional visibility into your
> > problem.
> >
> > I need data.
> >
> Dear Committer,
>
> in the past (and now, after the revert of commit
> 521f66715afb312b356afafc68cbc044a436a753), NTPD was run as root. The
> change introduced in 521f66715afb312b356afafc68cbc044a436a753 no longer
> allowed root, but with mac_ntpd.ko loaded it was possible to start NTPD
> using the ntpd user account. Removing line 63 from the startup scripts
> [1], regardless of the change introduced by
> 521f66715afb312b356afafc68cbc044a436a753, allows NTPD servers to be
> started using the ntpd user account on all my affected machines.
> Furthermore, all affected machines have "logfile", "keys" and
> "driftfile" set, and NTPD works fine on them using the ntpd account if
> only mac_ntpd is loaded. So indeed the topic "heads up: mac_ntpd has to
> be explicitly loaded in recent stable/14" was unfortunate. Sorry for the
> noise and bringing this up, because probably in the past on all these
> machines NTPD was started using UID 0. Please allow me to apologize, I
> simply missed a change made 7 years ago in the line 63 (grep -E -q
> "${fileopts}" "${ntpd_config}" && return 1) and I was 100% sure that all
> my servers use the mac_ntpd.ko policy and the NTPD daemon is started
> under UID 123. Only few of them was behaving this way, the most of them
> still used UID 0 to run the daemon.
>
> Dear Subscribers,
>
> please forgive me for making unnecessary noise again.
>
> I am so embarrassed that I will not write another post on this thread today.
>
> Yours sincerely
>
> 1.https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/rc.d/ntpd#L63
> --
> Marek Zarychta
>
The -u commit was the first step toward implementing ntpd chroot
(--jaildir=). As we've seen the rc(8) plumbing is incompatible with this
goal. The fact that it doesn't produce any error messages, silently failing
makes it difficult to understand where the problem is. (We have this same
issue at $JOB.)
Using ntpd under root account is a security issue. It has had some RCE
(remote code execution) vulnerabilities. Running it non-root somewhat
mitigates this. The planned running it chrooted (--jaildir=) will protect
users systems even more.
Putting my security administrator hat on (a role I have at $JOB), users are
advised to run ntpd non-root whenever possible. This is also the best
advice for most other daemons as well, if one can do this. It limits the
exposure should one be hit by a zero day RCE or an unpatched machine.
It's recommended ntpd be run under the ntpd account. It's safer that way.
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Tue Mar 11 22:41:00 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC7yw1ddhz5r94r
for <stable@mlmmj.nyi.freebsd.org>; Tue, 11 Mar 2025 22:41:12 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC7yv3Ygxz3LWk
for <stable@freebsd.org>; Tue, 11 Mar 2025 22:41:10 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52BMf0Iq031801;
Wed, 12 Mar 2025 07:41:01 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741732862;
bh=ihoQS0tTehZ551+sT02+TgicI0llaMHmPzYkH73Dbh0=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=jH+YR2C0GBLbPWAjyE8P9GL5uKWRF56n/x9sdBNXr5jtUfyapw/K7w7MiWueIBbo2
pm8qD1WoalVVdc1pf76DP9PkpBmZAcnnv5kLTRfsboq2WrRLrGZQlXCANwYF7LR+Lc
ZsAFBM5HWTRMF29XqUZ2sheZVWBeeLr7Hip2yf2Q=
Date: Wed, 12 Mar 2025 07:41:00 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
In-Reply-To: <20250311192103.3C51A300@slippy.cwsent.com>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
<20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
<20250311192103.3C51A300@slippy.cwsent.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZC7yv3Ygxz3LWk
X-Spamd-Bar: ----
On Tue, 11 Mar 2025 12:21:03 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
> > On Tue, 11 Mar 2025 12:08:10 -0700
> > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
> > > Tomoaki
> > > AOKI writes:
> > > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > >
> > > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>,
> > > > > Tomoaki
> > > > > AOKI writes:
> > > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > > >
> > > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > > >
> > > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > > > > > > Hello List Subscirbers,
> > > > > > > > >
> > > > > > > > > in the past the module was loaded automatically upon NTPD serve
> > r st
> > > > artu
> > > > > > p.
> > > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > > Perhaps people running stable/14 might find this message useful
> > .
> > > > > > >
> > > > > > > Hmm, works for me on main and stable/14.
> > > > > > >
> > > > > > > > So... I noticed this for (precisely) one of the five machines I h
> > ave
> > > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded automagic
> > ally
> > > > as
> > > > > > > > usual.
> > > > > > > >
> > > > > > > > In the failing case, it seems that
> > > > > > > >
> > > > > > > > sysctl security.mac.version
> > > > > > > >
> > > > > > > > yielded
> > > > > > > >
> > > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > > >
> > > > > > > I only get this if I build a kernel without "options MAC". But in t
> > his
> > > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > > >
> > > > > > > Starting ntpd.
> > > > > > > daemon control: got EOF
> > > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > > >
> > > > > > In this case, you'll find something like
> > > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > > daemon child exited with code 255
> > > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > > possibly /var/log/messages by default).
> > > > >
> > > > > I don't understand why some systems (those in this thread) have a probl
> > em
> > > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine.
> > I'd
> > > >
> > > > > like to try to understand the differences between those that work and t
> > hose
> > > >
> > > > > that don't.
> > > > >
> > > > > First of all, the ntpd rc script bails without saying why when it
> > > > > encounters a problem. can_run_nonroot() simply returns a bad return cod
> > e
> > > > > leaving us to wonder why.
> > > > >
> > > > > The first order of business is to produce a patch to indicate why it
> > > > > bails. Please apply the attached patch and let me know where it fails.
> > > > > Messages will be printed to stderr and to /var/log/messages (assuming
> > > > > daemon.err is sent there).
> > > >
> > > > The output after patch (without loading mac_ntpd.ko manually):
> > > >
> > > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > > listed in command line, exiting
> > > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start ntpd
> > > >
> > > > See
> > > > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-Februa
> > ry/0
> > > > 21308.html
> > > > for my options related with ntpd.
> > >
> > > Is this before ntpd -u commit was reverted or after?
> >
> > Before revert. As I don't pull updates after I read your post which
> > included the patch.
> >
> >
> > > Please grep ntpd /etc/rc.conf.
> >
> > Result stripping comments.
> >
> > % grep ntpd /etc/rc.conf
> > ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
>
> This is your problem. Remove the -f and -l arguments and put the logfile
> and driftfile ntp.conf statements instead.
Wait, another way that works?!
So I should consider it as a bug in ntpd.
If the statements in ntpd.conf works, command line options should work
just the same way (usually, if configuration files and command line
option has the same functionalities, command line option is preferred
to override, like /etc/make.conf and `make` command line).
Anyway, I'll try it once the ongoing heavy rebuilds finished.
>
> > ntpd_config="/etc/ntp/ntp.conf"
> > ntpd_enable="YES"
> > ntpd_sync_on_start="YES"
> > daily_ntpd_leapfile_enable="YES"
> > %
> >
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Wed Mar 12 00:08:46 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZC9w15QTkz5rFWb
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 00:08:49 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta004.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZC9w13fN0z3VVm
for <stable@freebsd.org>; Wed, 12 Mar 2025 00:08:49 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183])
by cmsmtp with ESMTPS
id s7FDtHoge5Mqys9eStkPv4; Wed, 12 Mar 2025 00:08:48 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id s9eQtZQ5OWbOas9eRtjSts; Wed, 12 Mar 2025 00:08:48 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=Q5lx4J2a c=1 sm=1 tr=0 ts=67d0d090
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=kj9zAlcOel0A:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=YxBL1-UpAAAA:8 a=t1IqWvudJjojm5J1_28A:9 a=CjuIK1q_8ugA:10
a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 388962AA;
Tue, 11 Mar 2025 17:08:46 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 2D2C2292; Tue, 11 Mar 2025 17:08:46 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp> <20250311190810.CA65A203@slippy.cwsent.com> <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp> <20250311192103.3C51A300@slippy.cwsent.com> <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 07:41:00 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Mar 2025 17:08:46 -0700
Message-Id: <20250312000846.2D2C2292@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfP7aXHFh+h2WywcmceDNT9kZxWG6CGyBwUzKUdex5uvRa1Nv14w6v7dIUFYsiF2TYs4/vfeUZfumoWpXia3zHzNeyevFRfUwGDQ5q/1nqNbJVtQwC07J
3y3y3iySS4aBQqnrlb3EC2QaxDnRGH/FxBK1wSzbc2QSFUGndAKNdQ803eKSY/UJardGaG3IvpqVLJx1iiJoeBfktZMCPoAPJVeMX2F8SXDkko5FzqLjD6nW
5honELig2V/waW48eA79JjPGR36m7pAcHv7f53y36ps=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZC9w13fN0z3VVm
X-Spamd-Bar: ----
In message <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Tue, 11 Mar 2025 12:21:03 -0700
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
> > Tomoaki
> > AOKI writes:
> > > On Tue, 11 Mar 2025 12:08:10 -0700
> > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > >
> > > > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
> > > > Tomoaki
> > > > AOKI writes:
> > > > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > >
> > > > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.j
> p>,
> > > > > > Tomoaki
> > > > > > AOKI writes:
> > > > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > > > >
> > > > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > > > >
> > > > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrot
> e:
> > > > > > > > > > Hello List Subscirbers,
> > > > > > > > > >
> > > > > > > > > > in the past the module was loaded automatically upon NTPD s
> erve
> > > r st
> > > > > artu
> > > > > > > p.
> > > > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > > > Perhaps people running stable/14 might find this message us
> eful
> > > .
> > > > > > > >
> > > > > > > > Hmm, works for me on main and stable/14.
> > > > > > > >
> > > > > > > > > So... I noticed this for (precisely) one of the five machines
> I h
> > > ave
> > > > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded autom
> agic
> > > ally
> > > > > as
> > > > > > > > > usual.
> > > > > > > > >
> > > > > > > > > In the failing case, it seems that
> > > > > > > > >
> > > > > > > > > sysctl security.mac.version
> > > > > > > > >
> > > > > > > > > yielded
> > > > > > > > >
> > > > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > > > >
> > > > > > > > I only get this if I build a kernel without "options MAC". But
> in t
> > > his
> > > > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > > > >
> > > > > > > > Starting ntpd.
> > > > > > > > daemon control: got EOF
> > > > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > > > >
> > > > > > > In this case, you'll find something like
> > > > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > > > daemon child exited with code 255
> > > > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > > > possibly /var/log/messages by default).
> > > > > >
> > > > > > I don't understand why some systems (those in this thread) have a p
> robl
> > > em
> > > > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are f
> ine.
> > > I'd
> > > > >
> > > > > > like to try to understand the differences between those that work a
> nd t
> > > hose
> > > > >
> > > > > > that don't.
> > > > > >
> > > > > > First of all, the ntpd rc script bails without saying why when it
> > > > > > encounters a problem. can_run_nonroot() simply returns a bad return
> cod
> > > e
> > > > > > leaving us to wonder why.
> > > > > >
> > > > > > The first order of business is to produce a patch to indicate why
> it
> > > > > > bails. Please apply the attached patch and let me know where it fai
> ls.
> > > > > > Messages will be printed to stderr and to /var/log/messages (assumi
> ng
> > > > > > daemon.err is sent there).
> > > > >
> > > > > The output after patch (without loading mac_ntpd.ko manually):
> > > > >
> > > > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > > > listed in command line, exiting
> > > > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start n
> tpd
> > > > >
> > > > > See
> > > > > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-Fe
> brua
> > > ry/0
> > > > > 21308.html
> > > > > for my options related with ntpd.
> > > >
> > > > Is this before ntpd -u commit was reverted or after?
> > >
> > > Before revert. As I don't pull updates after I read your post which
> > > included the patch.
> > >
> > >
> > > > Please grep ntpd /etc/rc.conf.
> > >
> > > Result stripping comments.
> > >
> > > % grep ntpd /etc/rc.conf
> > > ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> >
> > This is your problem. Remove the -f and -l arguments and put the logfile
> > and driftfile ntp.conf statements instead.
>
> Wait, another way that works?!
> So I should consider it as a bug in ntpd.
> If the statements in ntpd.conf works, command line options should work
> just the same way (usually, if configuration files and command line
> option has the same functionalities, command line option is preferred
> to override, like /etc/make.conf and `make` command line).\
No, this is not a bug in ntpd.
rc(8) issues,
su ntpd /usr/sbin/ntpd ... ntpd args
If files are owned by root ntpd may not have access to them and it will
fail to start.
If we do,
/usr/sbin/ntpd -u ntpd:ntpd ... other ntpd args
ntpd will start as root, open its files, then setuid(ntpd) to change the
account it's running under. This is how we, FreeBSD, have implemented it.
This is an artifact of rc(8). And this is why we need mac_ntpd.ko. Because
ntpd -u will initiate its use of the clock, then switch to the ntpd UID.
The su ntpd /usr/sbin/ntpd approach starts ntpd under the ntpd account from
the very start. We need the kernel module in this case.
I will rework the ntpd rc script to a) not use the rc(8) plumbing and b)
chroot itself. Both of these are better security than we currently have.
The patch was the first step in deprecating mac_ntpd and the first step to
putting ntpd into its own chroot.
What you have described is not a bug but an artifact how we invoke ntpd
under FreeBSD, specifically the su.
>
> Anyway, I'll try it once the ongoing heavy rebuilds finished.
>
>
> >
> > > ntpd_config="/etc/ntp/ntp.conf"
> > > ntpd_enable="YES"
> > > ntpd_sync_on_start="YES"
> > > daily_ntpd_leapfile_enable="YES"
> > > %
> > >
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > NTP: <cy@nwtime.org> Web: https://nwtime.org
> >
> > e^(i*pi)+1=0
>
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Wed Mar 12 12:18:06 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZCV5g5tC1z5qsJy
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 12:18:15 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZCV5g17Ktz41jd
for <stable@freebsd.org>; Wed, 12 Mar 2025 12:18:14 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52CCI6F7066110;
Wed, 12 Mar 2025 21:18:07 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741781887;
bh=TbxPcJ15ypNeSvpZX9I9H4k9vnDJvtMxPSLbQRP9/W4=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=LpMn6P6+tEDJ5RTeR1ciZH3TtypsgoEZBGm3/lzS2mSNa3976Oapi3lJ3rCySMRqV
XZGdr+46hbiM3lnvi1jhHHIGxKtqie+esuaboWId3DZEX24i1AUt9Teq/d6uXQYHWD
Moeqpsi1ZVUgF//EHgcwc1pq82DpDW/N28KIrWEA=
Date: Wed, 12 Mar 2025 21:18:06 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
In-Reply-To: <20250312000846.2D2C2292@slippy.cwsent.com>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
<20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
<20250311192103.3C51A300@slippy.cwsent.com>
<20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
<20250312000846.2D2C2292@slippy.cwsent.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZCV5g17Ktz41jd
X-Spamd-Bar: ----
On Tue, 11 Mar 2025 17:08:46 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> In message <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
> > On Tue, 11 Mar 2025 12:21:03 -0700
> > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > > In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
> > > Tomoaki
> > > AOKI writes:
> > > > On Tue, 11 Mar 2025 12:08:10 -0700
> > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > >
> > > > > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>,
> > > > > Tomoaki
> > > > > AOKI writes:
> > > > > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > > >
> > > > > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.j
> > p>,
> > > > > > > Tomoaki
> > > > > > > AOKI writes:
> > > > > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > > > > >
> > > > > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > > > > >
> > > > > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrot
> > e:
> > > > > > > > > > > Hello List Subscirbers,
> > > > > > > > > > >
> > > > > > > > > > > in the past the module was loaded automatically upon NTPD s
> > erve
> > > > r st
> > > > > > artu
> > > > > > > > p.
> > > > > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > > > > Perhaps people running stable/14 might find this message us
> > eful
> > > > .
> > > > > > > > >
> > > > > > > > > Hmm, works for me on main and stable/14.
> > > > > > > > >
> > > > > > > > > > So... I noticed this for (precisely) one of the five machines
> > I h
> > > > ave
> > > > > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded autom
> > agic
> > > > ally
> > > > > > as
> > > > > > > > > > usual.
> > > > > > > > > >
> > > > > > > > > > In the failing case, it seems that
> > > > > > > > > >
> > > > > > > > > > sysctl security.mac.version
> > > > > > > > > >
> > > > > > > > > > yielded
> > > > > > > > > >
> > > > > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > > > > >
> > > > > > > > > I only get this if I build a kernel without "options MAC". But
> > in t
> > > > his
> > > > > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > > > > >
> > > > > > > > > Starting ntpd.
> > > > > > > > > daemon control: got EOF
> > > > > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > > > > >
> > > > > > > > In this case, you'll find something like
> > > > > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > > > > daemon child exited with code 255
> > > > > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > > > > possibly /var/log/messages by default).
> > > > > > >
> > > > > > > I don't understand why some systems (those in this thread) have a p
> > robl
> > > > em
> > > > > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are f
> > ine.
> > > > I'd
> > > > > >
> > > > > > > like to try to understand the differences between those that work a
> > nd t
> > > > hose
> > > > > >
> > > > > > > that don't.
> > > > > > >
> > > > > > > First of all, the ntpd rc script bails without saying why when it
> > > > > > > encounters a problem. can_run_nonroot() simply returns a bad return
> > cod
> > > > e
> > > > > > > leaving us to wonder why.
> > > > > > >
> > > > > > > The first order of business is to produce a patch to indicate why
> > it
> > > > > > > bails. Please apply the attached patch and let me know where it fai
> > ls.
> > > > > > > Messages will be printed to stderr and to /var/log/messages (assumi
> > ng
> > > > > > > daemon.err is sent there).
> > > > > >
> > > > > > The output after patch (without loading mac_ntpd.ko manually):
> > > > > >
> > > > > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > > > > listed in command line, exiting
> > > > > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to start n
> > tpd
> > > > > >
> > > > > > See
> > > > > > https://lists.freebsd.org/archives/dev-commits-src-branches/2025-Fe
> > brua
> > > > ry/0
> > > > > > 21308.html
> > > > > > for my options related with ntpd.
> > > > >
> > > > > Is this before ntpd -u commit was reverted or after?
> > > >
> > > > Before revert. As I don't pull updates after I read your post which
> > > > included the patch.
> > > >
> > > >
> > > > > Please grep ntpd /etc/rc.conf.
> > > >
> > > > Result stripping comments.
> > > >
> > > > % grep ntpd /etc/rc.conf
> > > > ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> > >
> > > This is your problem. Remove the -f and -l arguments and put the logfile
> > > and driftfile ntp.conf statements instead.
> >
> > Wait, another way that works?!
> > So I should consider it as a bug in ntpd.
> > If the statements in ntpd.conf works, command line options should work
> > just the same way (usually, if configuration files and command line
> > option has the same functionalities, command line option is preferred
> > to override, like /etc/make.conf and `make` command line).\
>
> No, this is not a bug in ntpd.
>
> rc(8) issues,
> su ntpd /usr/sbin/ntpd ... ntpd args
>
> If files are owned by root ntpd may not have access to them and it will
> fail to start.
>
> If we do,
> /usr/sbin/ntpd -u ntpd:ntpd ... other ntpd args
>
> ntpd will start as root, open its files, then setuid(ntpd) to change the
> account it's running under. This is how we, FreeBSD, have implemented it.
> This is an artifact of rc(8). And this is why we need mac_ntpd.ko. Because
> ntpd -u will initiate its use of the clock, then switch to the ntpd UID.
> The su ntpd /usr/sbin/ntpd approach starts ntpd under the ntpd account from
> the very start. We need the kernel module in this case.
>
> I will rework the ntpd rc script to a) not use the rc(8) plumbing and b)
> chroot itself. Both of these are better security than we currently have.
>
> The patch was the first step in deprecating mac_ntpd and the first step to
> putting ntpd into its own chroot.
>
> What you have described is not a bug but an artifact how we invoke ntpd
> under FreeBSD, specifically the su.
Tried (still before reverting, patched /etc/rc.d/ntpd) switching
command line option to corresponding statements in ntp.conf, and
encountered strange behavior.
In /etc/rc.conf (this time, not stripped commented out lines),
===== Quote =====
% grep ntpd /etc/rc.conf
# ntpd_program="/usr/local/sbin/ntpd"
# ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -p /var/run/ntpd.pid -l /var/log/ntpd.log"
# ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
# ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
ntpd_flags="-4 -g -x"
# ntpd_config="/usr/local/etc/ntp.conf"
ntpd_config="/etc/ntp/ntp.conf"
ntpd_enable="YES"
ntpd_sync_on_start="YES" # Sync time on ntpd startup, even if
offset is high daily_ntpd_leapfile_enable="YES" # Automatically
fetch leapfile daily.
ntp_db_leapfile="/var/db/ntp/ntpd.leap-seconds.list"
%
===== End quote =====
Note that ports ntpd is no longer installed now (remnant when I tried
ports version before).
/etc/ntp/ntp.conf, which is specified in /etc/rc.conf, now contains:
===== Quote =====
driftfile "/var/db/ntp/ntpd.drift"
logfile "/var/log/ntpd.log"
leapfile "/var/db/ntp/ntpd.leap-seconds.list"
===== End quote =====
And commented out 'mac_ntpd_load="YES"' line in /boot/loader.conf,
cased (in /var/log/messages, essential part only):
===== Quote =====
ntpd 4.2.8p18-a (150): Starting
Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
-c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -u ntpd:ntpd -g
(snip)
switching logging to file /var/log/ntpd.log
daemon child exited with code 255
/etc/rc: WARNING: failed to start ntpd
(snip)
ntpd 4.2.8p18-a (150): Starting
Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
-c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -g
switching logging to file /var/log/ntpd.log
===== End quote =====
Strangely, ntpd is invoked twice, and command line shown
in /var/log/messages still contains deleted options.
The second run successfully invoked ntpd, even though mac_ntpd.ko is
not auto-loaded.
# service ntpd stop
works, but following
# service ntpd start
fails without `kldload mac_ntpd`.
For other configurations in /etc/rc.conf, comments (after "#") are
sanely treated as comments (as behaviors indicates), but this result
seems to indicate that comments are NOT treated as comments.
Quite strange.
> > Anyway, I'll try it once the ongoing heavy rebuilds finished.
> >
> >
> > >
> > > > ntpd_config="/etc/ntp/ntp.conf"
> > > > ntpd_enable="YES"
> > > > ntpd_sync_on_start="YES"
> > > > daily_ntpd_leapfile_enable="YES"
> > > > %
> > > >
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert <Cy.Schubert@cschubert.com>
> > > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > > NTP: <cy@nwtime.org> Web: https://nwtime.org
> > >
> > > e^(i*pi)+1=0
> >
> >
> > --
> > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Wed Mar 12 13:16:36 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZCWQ64KwLz5qwLC
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 13:17:34 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZCWQ22GzGz3Q2G
for <stable@freebsd.org>; Wed, 12 Mar 2025 13:17:29 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=dec.sakura.ne.jp header.s=s2405 header.b=hdJrrUxi;
dmarc=pass (policy=none) header.from=dec.sakura.ne.jp;
spf=pass (mx1.freebsd.org: domain of junchoon@dec.sakura.ne.jp designates 153.125.133.21 as permitted sender) smtp.mailfrom=junchoon@dec.sakura.ne.jp
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52CDGbL7074984;
Wed, 12 Mar 2025 22:16:37 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741785398;
bh=fZ6Mw8ngvFxmO49j+nUwQeFm+ilYwDVW1ERmJYSL/L4=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=hdJrrUxilKpYx+ji0uvmw0w25vqMMZ19QQ4t0JT9qdZkBZ8IZaNjEBis6FKkI28DK
QQy9FifJy0HL9TLkqD5MU5D0K7f4HaBfefvHkxhxXZT5EuEVnVPWTyWHscNqNbNa5U
PEaDyP0pmcXq5uEwuIbZ6TM2nnGVCgxDqXVeA7fs=
Date: Wed, 12 Mar 2025 22:16:36 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: David Wolfskill <david@catwhisker.org>
Cc: stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250312221636.6dba50c5cb8a86efc3baabc7@dec.sakura.ne.jp>
In-Reply-To: <Z9F93aqHDl025iY3@albert.catwhisker.org>
References: <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
<20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
<20250311192103.3C51A300@slippy.cwsent.com>
<20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
<20250312000846.2D2C2292@slippy.cwsent.com>
<20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
<Z9F93aqHDl025iY3@albert.catwhisker.org>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spamd-Result: default: False [0.22 / 15.00];
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE(1.00)[];
NEURAL_HAM_LONG(-1.00)[-1.000];
NEURAL_HAM_MEDIUM(-0.99)[-0.987];
URIBL_RED(0.50)[dec.sakura.ne.jp:dkim,dec.sakura.ne.jp:mid,dec.sakura.ne.jp:email];
MV_CASE(0.50)[];
ONCE_RECEIVED(0.20)[];
HAS_ANON_DOMAIN(0.10)[];
MIME_GOOD(-0.10)[text/plain];
BAD_REP_POLICIES(0.10)[];
NEURAL_HAM_SHORT(-0.09)[-0.093];
DMARC_POLICY_ALLOW(0.00)[dec.sakura.ne.jp,none];
DKIM_TRACE(0.00)[dec.sakura.ne.jp:+];
R_DKIM_ALLOW(0.00)[dec.sakura.ne.jp:s=s2405];
RCPT_COUNT_TWO(0.00)[2];
RCVD_TLS_LAST(0.00)[];
HAS_ORG_HEADER(0.00)[];
ARC_NA(0.00)[];
FROM_HAS_DN(0.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP];
MIME_TRACE(0.00)[0:+];
TO_MATCH_ENVRCPT_SOME(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
RCVD_COUNT_ONE(0.00)[1];
MLMMJ_DEST(0.00)[stable@freebsd.org];
R_SPF_ALLOW(0.00)[+ip4:153.125.133.16/28];
MID_RHS_MATCH_FROM(0.00)[];
RCVD_VIA_SMTP_AUTH(0.00)[];
TO_DN_SOME(0.00)[]
X-Rspamd-Queue-Id: 4ZCWQ22GzGz3Q2G
X-Spamd-Bar: /
On Wed, 12 Mar 2025 05:28:13 -0700
David Wolfskill <david@catwhisker.org> wrote:
> On Wed, Mar 12, 2025 at 09:18:06PM +0900, Tomoaki AOKI wrote:
> > ...
> > Tried (still before reverting, patched /etc/rc.d/ntpd) switching
> > command line option to corresponding statements in ntp.conf, and
> > encountered strange behavior.
> > ...
> > Note that ports ntpd is no longer installed now (remnant when I tried
> > ports version before).
> > ...
> > ntpd 4.2.8p18-a (150): Starting
> > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -u ntpd:ntpd -g
> >
> > (snip)
> >
> > switching logging to file /var/log/ntpd.log
> > daemon child exited with code 255
> > /etc/rc: WARNING: failed to start ntpd
> >
> > (snip)
> >
> > ntpd 4.2.8p18-a (150): Starting
> > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -g
> > switching logging to file /var/log/ntpd.log
> >
> > ===== End quote =====
> >
> > Strangely, ntpd is invoked twice, and command line shown
> > in /var/log/messages still contains deleted options.
> > The second run successfully invoked ntpd, even though mac_ntpd.ko is
> > not auto-loaded.
> > ....
>
> Have you verified that the machine no longer has a /usr/local/etc/rc.d/ntpd
> (from ports)?
Yes. I don't have /usr/local/etc/rc.d/ntpd.
The remnant of ports ntpd is from my previous computer (already dead)
that I carried over its configurations in /etc. Never installed ports
ntpd in this computer.
% ls -l /usr/local/etc/rc.d/ntpd
ls: /usr/local/etc/rc.d/ntpd: ãã®ã‚ˆã†ãªãƒ•ã‚¡ã‚¤ãƒ«ã¾ãŸã¯ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã¯ã‚ã‚Š
ã¾ã›ã‚“
The Japanese message means "no such file or directory".
>
> Peace,
> david
> --
> David H. Wolfskill david@catwhisker.org
> Thank you, Claude Malhuret.
> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>
> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Wed Mar 12 15:52:43 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZCZsB3trHz5r6SM
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 15:52:46 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta004.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZCZsB39vTz3C41
for <stable@freebsd.org>; Wed, 12 Mar 2025 15:52:46 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
none
Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142])
by cmsmtp with ESMTPS
id sJNstIIcS5MqysONxtwkq3; Wed, 12 Mar 2025 15:52:45 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id sONvthyPPQwcXsONwtBGam; Wed, 12 Mar 2025 15:52:45 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=DaW0qetW c=1 sm=1 tr=0 ts=67d1adcd
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=kj9zAlcOel0A:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=YxBL1-UpAAAA:8 a=X3ZKMms1C0uxpby4epcA:9 a=vpFRv2byBTPIzCEP:21
a=CjuIK1q_8ugA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id 5F341AF;
Wed, 12 Mar 2025 08:52:43 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id 29F821B0; Wed, 12 Mar 2025 08:52:43 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: Cy Schubert <Cy.Schubert@cschubert.com>,
"Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org> <87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp> <20250311190810.CA65A203@slippy.cwsent.com> <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp> <20250311192103.3C51A300@slippy.cwsent.com> <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp> <20250312000846.2D2C2292@slippy.cwsent.com> <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 21:18:06 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 12 Mar 2025 08:52:43 -0700
Message-Id: <20250312155243.29F821B0@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfE6zxZhnLi+gYhibXoLwiZlGlWDYeB0Tke7yIGg3PXJJzRhInuV0pbvNvyc8Pffv7qIHunstu8liq/Oj/RkzfP6kpLuMGPCAmJrY8Sp/tFIb4C57CRru
4FML1uBtIywy/aHQHZb3SXiZM5t/oRj0tZNdcjhvFJnkfNAqoOeJjjct1OpBbwHAOeagZD414sUqPGW6TBvhiW8BHusurWgjB7d/NwlPMlDZlKkEALoGtTDY
+O2cq1WvKHgT0mt494p9ycReGDUG/BL82gQ/DPTy7Ac=
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]
X-Rspamd-Queue-Id: 4ZCZsB39vTz3C41
X-Spamd-Bar: ----
In message <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Tue, 11 Mar 2025 17:08:46 -0700
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>,
> > Tomoaki
> > AOKI writes:
> > > On Tue, 11 Mar 2025 12:21:03 -0700
> > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > >
> > > > In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
> > > > Tomoaki
> > > > AOKI writes:
> > > > > On Tue, 11 Mar 2025 12:08:10 -0700
> > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > >
> > > > > > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.j
> p>,
> > > > > > Tomoaki
> > > > > > AOKI writes:
> > > > > > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > > > >
> > > > > > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.
> ne.j
> > > p>,
> > > > > > > > Tomoaki
> > > > > > > > AOKI writes:
> > > > > > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > > > > > >
> > > > > > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta
> wrot
> > > e:
> > > > > > > > > > > > Hello List Subscirbers,
> > > > > > > > > > > >
> > > > > > > > > > > > in the past the module was loaded automatically upon NT
> PD s
> > > erve
> > > > > r st
> > > > > > > artu
> > > > > > > > > p.
> > > > > > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > > > > > Perhaps people running stable/14 might find this messag
> e us
> > > eful
> > > > > .
> > > > > > > > > >
> > > > > > > > > > Hmm, works for me on main and stable/14.
> > > > > > > > > >
> > > > > > > > > > > So... I noticed this for (precisely) one of the five mach
> ines
> > > I h
> > > > > ave
> > > > > > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded a
> utom
> > > agic
> > > > > ally
> > > > > > > as
> > > > > > > > > > > usual.
> > > > > > > > > > >
> > > > > > > > > > > In the failing case, it seems that
> > > > > > > > > > >
> > > > > > > > > > > sysctl security.mac.version
> > > > > > > > > > >
> > > > > > > > > > > yielded
> > > > > > > > > > >
> > > > > > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > > > > > >
> > > > > > > > > > I only get this if I build a kernel without "options MAC".
> But
> > > in t
> > > > > his
> > > > > > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > > > > > >
> > > > > > > > > > Starting ntpd.
> > > > > > > > > > daemon control: got EOF
> > > > > > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > > > > > >
> > > > > > > > > In this case, you'll find something like
> > > > > > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > > > > > daemon child exited with code 255
> > > > > > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > > > > > possibly /var/log/messages by default).
> > > > > > > >
> > > > > > > > I don't understand why some systems (those in this thread) have
> a p
> > > robl
> > > > > em
> > > > > > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, a
> re f
> > > ine.
> > > > > I'd
> > > > > > >
> > > > > > > > like to try to understand the differences between those that wo
> rk a
> > > nd t
> > > > > hose
> > > > > > >
> > > > > > > > that don't.
> > > > > > > >
> > > > > > > > First of all, the ntpd rc script bails without saying why when
> it
> > > > > > > > encounters a problem. can_run_nonroot() simply returns a bad re
> turn
> > > cod
> > > > > e
> > > > > > > > leaving us to wonder why.
> > > > > > > >
> > > > > > > > The first order of business is to produce a patch to indicate
> why
> > > it
> > > > > > > > bails. Please apply the attached patch and let me know where it
> fai
> > > ls.
> > > > > > > > Messages will be printed to stderr and to /var/log/messages (as
> sumi
> > > ng
> > > > > > > > daemon.err is sent there).
> > > > > > >
> > > > > > > The output after patch (without loading mac_ntpd.ko manually):
> > > > > > >
> > > > > > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > > > > > listed in command line, exiting
> > > > > > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to sta
> rt n
> > > tpd
> > > > > > >
> > > > > > > See
> > > > > > > https://lists.freebsd.org/archives/dev-commits-src-branches/202
> 5-Fe
> > > brua
> > > > > ry/0
> > > > > > > 21308.html
> > > > > > > for my options related with ntpd.
> > > > > >
> > > > > > Is this before ntpd -u commit was reverted or after?
> > > > >
> > > > > Before revert. As I don't pull updates after I read your post which
> > > > > included the patch.
> > > > >
> > > > >
> > > > > > Please grep ntpd /etc/rc.conf.
> > > > >
> > > > > Result stripping comments.
> > > > >
> > > > > % grep ntpd /etc/rc.conf
> > > > > ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> > > >
> > > > This is your problem. Remove the -f and -l arguments and put the logfil
> e
> > > > and driftfile ntp.conf statements instead.
> > >
> > > Wait, another way that works?!
> > > So I should consider it as a bug in ntpd.
> > > If the statements in ntpd.conf works, command line options should work
> > > just the same way (usually, if configuration files and command line
> > > option has the same functionalities, command line option is preferred
> > > to override, like /etc/make.conf and `make` command line).\
> >
> > No, this is not a bug in ntpd.
> >
> > rc(8) issues,
> > su ntpd /usr/sbin/ntpd ... ntpd args
> >
> > If files are owned by root ntpd may not have access to them and it will
> > fail to start.
> >
> > If we do,
> > /usr/sbin/ntpd -u ntpd:ntpd ... other ntpd args
> >
> > ntpd will start as root, open its files, then setuid(ntpd) to change the
> > account it's running under. This is how we, FreeBSD, have implemented it.
> > This is an artifact of rc(8). And this is why we need mac_ntpd.ko. Because
> > ntpd -u will initiate its use of the clock, then switch to the ntpd UID.
> > The su ntpd /usr/sbin/ntpd approach starts ntpd under the ntpd account from
>
> > the very start. We need the kernel module in this case.
> >
> > I will rework the ntpd rc script to a) not use the rc(8) plumbing and b)
> > chroot itself. Both of these are better security than we currently have.
> >
> > The patch was the first step in deprecating mac_ntpd and the first step to
> > putting ntpd into its own chroot.
> >
> > What you have described is not a bug but an artifact how we invoke ntpd
> > under FreeBSD, specifically the su.
>
> Tried (still before reverting, patched /etc/rc.d/ntpd) switching
> command line option to corresponding statements in ntp.conf, and
> encountered strange behavior.
>
> In /etc/rc.conf (this time, not stripped commented out lines),
>
> ===== Quote =====
>
> % grep ntpd /etc/rc.conf
> # ntpd_program="/usr/local/sbin/ntpd"
> # ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -p /var/run/ntpd.pid -l /var/log
> /ntpd.log"
> # ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> # ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> ntpd_flags="-4 -g -x"
> # ntpd_config="/usr/local/etc/ntp.conf"
> ntpd_config="/etc/ntp/ntp.conf"
> ntpd_enable="YES"
> ntpd_sync_on_start="YES" # Sync time on ntpd startup, even if
> offset is high daily_ntpd_leapfile_enable="YES" # Automatically
> fetch leapfile daily.
> ntp_db_leapfile="/var/db/ntp/ntpd.leap-seconds.list"
> %
>
> ===== End quote =====
>
> Note that ports ntpd is no longer installed now (remnant when I tried
> ports version before).
>
> /etc/ntp/ntp.conf, which is specified in /etc/rc.conf, now contains:
>
> ===== Quote =====
>
> driftfile "/var/db/ntp/ntpd.drift"
> logfile "/var/log/ntpd.log"
> leapfile "/var/db/ntp/ntpd.leap-seconds.list"
>
> ===== End quote =====
>
> And commented out 'mac_ntpd_load="YES"' line in /boot/loader.conf,
> cased (in /var/log/messages, essential part only):
>
> ===== Quote =====
>
> ntpd 4.2.8p18-a (150): Starting
> Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -u ntpd:ntpd -g
>
> (snip)
>
> switching logging to file /var/log/ntpd.log
> daemon child exited with code 255
> /etc/rc: WARNING: failed to start ntpd
>
> (snip)
>
> ntpd 4.2.8p18-a (150): Starting
> Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -g
> switching logging to file /var/log/ntpd.log
>
> ===== End quote =====
>
> Strangely, ntpd is invoked twice, and command line shown
> in /var/log/messages still contains deleted options.
> The second run successfully invoked ntpd, even though mac_ntpd.ko is
> not auto-loaded.
>
> # service ntpd stop
>
> works, but following
>
> # service ntpd start
>
> fails without `kldload mac_ntpd`.
The script does need a rewrite. We need mac_ntpd because we su ntpd before
we invoke ntpd. ntpd -u will open its files, initiate opening the clock,
then drop privileges. We won't need mac_ntpd anymore.
As the commit has been reverted and the plan is to rewrite the script,
everything else is moot now.
>
>
> For other configurations in /etc/rc.conf, comments (after "#") are
> sanely treated as comments (as behaviors indicates), but this result
> seems to indicate that comments are NOT treated as comments.
> Quite strange.
>
>
> > > Anyway, I'll try it once the ongoing heavy rebuilds finished.
> > >
> > >
> > > >
> > > > > ntpd_config="/etc/ntp/ntp.conf"
> > > > > ntpd_enable="YES"
> > > > > ntpd_sync_on_start="YES"
> > > > > daily_ntpd_leapfile_enable="YES"
> > > > > %
> > > > >
> > > >
> > > >
> > > > --
> > > > Cheers,
> > > > Cy Schubert <Cy.Schubert@cschubert.com>
> > > > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > > > NTP: <cy@nwtime.org> Web: https://nwtime.org
> > > >
> > > > e^(i*pi)+1=0
> > >
> > >
> > > --
> > > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > NTP: <cy@nwtime.org> Web: https://nwtime.org
> >
> > e^(i*pi)+1=0
>
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From nobody Wed Mar 12 21:32:36 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZCkPd14phz5qWvH
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 21:32:53 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZCkPb6M3kz3FqS
for <stable@freebsd.org>; Wed, 12 Mar 2025 21:32:51 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52CLWb4k050366;
Thu, 13 Mar 2025 06:32:37 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741815158;
bh=QMdmn/SLJSi7urF5pteci8azswjDO6AyyJqS6oGh0Iw=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=Bc17HFfkjR0G7eEBQCaHCORyK6ig81Qez4tpNKRCT8BpEqJTuxLWA9j3dRNuM0+fQ
UjIeQ0X3gU3Zx5m+13xZqQpPBBs2ZiTZm4UlA2l56KlQv4I7j21UOmr2hp6ygik0n5
kAPdLEYzrCbStqXUpZDBWb3+74s3pU/04O7wZV6M=
Date: Thu, 13 Mar 2025 06:32:36 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: "Herbert J. Skuhra" <herbert@gojira.at>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250313063236.1b6ff31766b0076b26cf9709@dec.sakura.ne.jp>
In-Reply-To: <20250312155243.29F821B0@slippy.cwsent.com>
References: <77f675a7-4e85-4c97-8559-eed0b6a9bee2@plan-b.pwste.edu.pl>
<Z87VwY27sY8X0ySB@albert.catwhisker.org>
<87wmcw6gmh.wl-herbert@gojira.at>
<20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp>
<20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
<20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
<20250311192103.3C51A300@slippy.cwsent.com>
<20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
<20250312000846.2D2C2292@slippy.cwsent.com>
<20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
<20250312155243.29F821B0@slippy.cwsent.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZCkPb6M3kz3FqS
X-Spamd-Bar: ----
On Wed, 12 Mar 2025 08:52:43 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> In message <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>,
> Tomoaki
> AOKI writes:
> > On Tue, 11 Mar 2025 17:08:46 -0700
> > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > > In message <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>,
> > > Tomoaki
> > > AOKI writes:
> > > > On Tue, 11 Mar 2025 12:21:03 -0700
> > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > >
> > > > > In message <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>,
> > > > > Tomoaki
> > > > > AOKI writes:
> > > > > > On Tue, 11 Mar 2025 12:08:10 -0700
> > > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > > >
> > > > > > > In message <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.j
> > p>,
> > > > > > > Tomoaki
> > > > > > > AOKI writes:
> > > > > > > > On Tue, 11 Mar 2025 08:13:51 -0700
> > > > > > > > Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > > > > > > >
> > > > > > > > > In message <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.
> > ne.j
> > > > p>,
> > > > > > > > > Tomoaki
> > > > > > > > > AOKI writes:
> > > > > > > > > > On Mon, 10 Mar 2025 16:37:58 +0100
> > > > > > > > > > "Herbert J. Skuhra" <herbert@gojira.at> wrote:
> > > > > > > > > >
> > > > > > > > > > > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta
> > wrot
> > > > e:
> > > > > > > > > > > > > Hello List Subscirbers,
> > > > > > > > > > > > >
> > > > > > > > > > > > > in the past the module was loaded automatically upon NT
> > PD s
> > > > erve
> > > > > > r st
> > > > > > > > artu
> > > > > > > > > > p.
> > > > > > > > > > > > > It's no longer true, now it has to be loaded earlier.
> > > > > > > > > > > > > Perhaps people running stable/14 might find this messag
> > e us
> > > > eful
> > > > > > .
> > > > > > > > > > >
> > > > > > > > > > > Hmm, works for me on main and stable/14.
> > > > > > > > > > >
> > > > > > > > > > > > So... I noticed this for (precisely) one of the five mach
> > ines
> > > > I h
> > > > > > ave
> > > > > > > > > > > > that track stable/14 -- the other 4 get mac_ntpd loaded a
> > utom
> > > > agic
> > > > > > ally
> > > > > > > > as
> > > > > > > > > > > > usual.
> > > > > > > > > > > >
> > > > > > > > > > > > In the failing case, it seems that
> > > > > > > > > > > >
> > > > > > > > > > > > sysctl security.mac.version
> > > > > > > > > > > >
> > > > > > > > > > > > yielded
> > > > > > > > > > > >
> > > > > > > > > > > > sysctl: unknown oid 'security.mac.version'
> > > > > > > > > > >
> > > > > > > > > > > I only get this if I build a kernel without "options MAC".
> > But
> > > > in t
> > > > > > his
> > > > > > > > > > > no mac_* kernel modules are built and ntpd fails with:
> > > > > > > > > > >
> > > > > > > > > > > Starting ntpd.
> > > > > > > > > > > daemon control: got EOF
> > > > > > > > > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > > > > > > >
> > > > > > > > > > In this case, you'll find something like
> > > > > > > > > > Need MAC 'ntpd' policy enabled to drop root privileges
> > > > > > > > > > daemon child exited with code 255
> > > > > > > > > > in ntpd logfile (/var/db/ntpd.log in my case, but
> > > > > > > > > > possibly /var/log/messages by default).
> > > > > > > > >
> > > > > > > > > I don't understand why some systems (those in this thread) have
> > a p
> > > > robl
> > > > > > em
> > > > > > > > > not loading mac_ntpd while others, i.e. my stable/14 at $JOB, a
> > re f
> > > > ine.
> > > > > > I'd
> > > > > > > >
> > > > > > > > > like to try to understand the differences between those that wo
> > rk a
> > > > nd t
> > > > > > hose
> > > > > > > >
> > > > > > > > > that don't.
> > > > > > > > >
> > > > > > > > > First of all, the ntpd rc script bails without saying why when
> > it
> > > > > > > > > encounters a problem. can_run_nonroot() simply returns a bad re
> > turn
> > > > cod
> > > > > > e
> > > > > > > > > leaving us to wonder why.
> > > > > > > > >
> > > > > > > > > The first order of business is to produce a patch to indicate
> > why
> > > > it
> > > > > > > > > bails. Please apply the attached patch and let me know where it
> > fai
> > > > ls.
> > > > > > > > > Messages will be printed to stderr and to /var/log/messages (as
> > sumi
> > > > ng
> > > > > > > > > daemon.err is sent there).
> > > > > > > >
> > > > > > > > The output after patch (without loading mac_ntpd.ko manually):
> > > > > > > >
> > > > > > > > Mar 12 03:27:35 ***** rc.d/ntpd[2581]: user cannot access files
> > > > > > > > listed in command line, exiting
> > > > > > > > Mar 12 03:27:35 ***** root[2589]: /etc/rc: WARNING: failed to sta
> > rt n
> > > > tpd
> > > > > > > >
> > > > > > > > See
> > > > > > > > https://lists.freebsd.org/archives/dev-commits-src-branches/202
> > 5-Fe
> > > > brua
> > > > > > ry/0
> > > > > > > > 21308.html
> > > > > > > > for my options related with ntpd.
> > > > > > >
> > > > > > > Is this before ntpd -u commit was reverted or after?
> > > > > >
> > > > > > Before revert. As I don't pull updates after I read your post which
> > > > > > included the patch.
> > > > > >
> > > > > >
> > > > > > > Please grep ntpd /etc/rc.conf.
> > > > > >
> > > > > > Result stripping comments.
> > > > > >
> > > > > > % grep ntpd /etc/rc.conf
> > > > > > ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> > > > >
> > > > > This is your problem. Remove the -f and -l arguments and put the logfil
> > e
> > > > > and driftfile ntp.conf statements instead.
> > > >
> > > > Wait, another way that works?!
> > > > So I should consider it as a bug in ntpd.
> > > > If the statements in ntpd.conf works, command line options should work
> > > > just the same way (usually, if configuration files and command line
> > > > option has the same functionalities, command line option is preferred
> > > > to override, like /etc/make.conf and `make` command line).\
> > >
> > > No, this is not a bug in ntpd.
> > >
> > > rc(8) issues,
> > > su ntpd /usr/sbin/ntpd ... ntpd args
> > >
> > > If files are owned by root ntpd may not have access to them and it will
> > > fail to start.
> > >
> > > If we do,
> > > /usr/sbin/ntpd -u ntpd:ntpd ... other ntpd args
> > >
> > > ntpd will start as root, open its files, then setuid(ntpd) to change the
> > > account it's running under. This is how we, FreeBSD, have implemented it.
> > > This is an artifact of rc(8). And this is why we need mac_ntpd.ko. Because
> > > ntpd -u will initiate its use of the clock, then switch to the ntpd UID.
> > > The su ntpd /usr/sbin/ntpd approach starts ntpd under the ntpd account from
> >
> > > the very start. We need the kernel module in this case.
> > >
> > > I will rework the ntpd rc script to a) not use the rc(8) plumbing and b)
> > > chroot itself. Both of these are better security than we currently have.
> > >
> > > The patch was the first step in deprecating mac_ntpd and the first step to
> > > putting ntpd into its own chroot.
> > >
> > > What you have described is not a bug but an artifact how we invoke ntpd
> > > under FreeBSD, specifically the su.
> >
> > Tried (still before reverting, patched /etc/rc.d/ntpd) switching
> > command line option to corresponding statements in ntp.conf, and
> > encountered strange behavior.
> >
> > In /etc/rc.conf (this time, not stripped commented out lines),
> >
> > ===== Quote =====
> >
> > % grep ntpd /etc/rc.conf
> > # ntpd_program="/usr/local/sbin/ntpd"
> > # ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -p /var/run/ntpd.pid -l /var/log
> > /ntpd.log"
> > # ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> > # ntpd_flags="-4 -g -x -f /var/db/ntp/ntpd.drift -l /var/log/ntpd.log"
> > ntpd_flags="-4 -g -x"
> > # ntpd_config="/usr/local/etc/ntp.conf"
> > ntpd_config="/etc/ntp/ntp.conf"
> > ntpd_enable="YES"
> > ntpd_sync_on_start="YES" # Sync time on ntpd startup, even if
> > offset is high daily_ntpd_leapfile_enable="YES" # Automatically
> > fetch leapfile daily.
> > ntp_db_leapfile="/var/db/ntp/ntpd.leap-seconds.list"
> > %
> >
> > ===== End quote =====
> >
> > Note that ports ntpd is no longer installed now (remnant when I tried
> > ports version before).
> >
> > /etc/ntp/ntp.conf, which is specified in /etc/rc.conf, now contains:
> >
> > ===== Quote =====
> >
> > driftfile "/var/db/ntp/ntpd.drift"
> > logfile "/var/log/ntpd.log"
> > leapfile "/var/db/ntp/ntpd.leap-seconds.list"
> >
> > ===== End quote =====
> >
> > And commented out 'mac_ntpd_load="YES"' line in /boot/loader.conf,
> > cased (in /var/log/messages, essential part only):
> >
> > ===== Quote =====
> >
> > ntpd 4.2.8p18-a (150): Starting
> > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -u ntpd:ntpd -g
> >
> > (snip)
> >
> > switching logging to file /var/log/ntpd.log
> > daemon child exited with code 255
> > /etc/rc: WARNING: failed to start ntpd
> >
> > (snip)
> >
> > ntpd 4.2.8p18-a (150): Starting
> > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -g
> > switching logging to file /var/log/ntpd.log
> >
> > ===== End quote =====
> >
> > Strangely, ntpd is invoked twice, and command line shown
> > in /var/log/messages still contains deleted options.
> > The second run successfully invoked ntpd, even though mac_ntpd.ko is
> > not auto-loaded.
> >
> > # service ntpd stop
> >
> > works, but following
> >
> > # service ntpd start
> >
> > fails without `kldload mac_ntpd`.
>
> The script does need a rewrite. We need mac_ntpd because we su ntpd before
> we invoke ntpd. ntpd -u will open its files, initiate opening the clock,
> then drop privileges. We won't need mac_ntpd anymore.
>
> As the commit has been reverted and the plan is to rewrite the script,
> everything else is moot now.
Looking forward for the update!
Thanks in advance.
>
> >
> >
> > For other configurations in /etc/rc.conf, comments (after "#") are
> > sanely treated as comments (as behaviors indicates), but this result
> > seems to indicate that comments are NOT treated as comments.
> > Quite strange.
> >
> >
> > > > Anyway, I'll try it once the ongoing heavy rebuilds finished.
> > > >
> > > >
> > > > >
> > > > > > ntpd_config="/etc/ntp/ntp.conf"
> > > > > > ntpd_enable="YES"
> > > > > > ntpd_sync_on_start="YES"
> > > > > > daily_ntpd_leapfile_enable="YES"
> > > > > > %
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Cheers,
> > > > > Cy Schubert <Cy.Schubert@cschubert.com>
> > > > > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > > > > NTP: <cy@nwtime.org> Web: https://nwtime.org
> > > > >
> > > > > e^(i*pi)+1=0
> > > >
> > > >
> > > > --
> > > > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert <Cy.Schubert@cschubert.com>
> > > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > > NTP: <cy@nwtime.org> Web: https://nwtime.org
> > >
> > > e^(i*pi)+1=0
> >
> >
> > --
> > Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
>
>
>
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Wed Mar 12 21:36:18 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZCkWq4p2lz5qX6G
for <stable@mlmmj.nyi.freebsd.org>; Wed, 12 Mar 2025 21:38:15 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZCkWn5bT6z3Kf4
for <stable@freebsd.org>; Wed, 12 Mar 2025 21:38:13 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=dec.sakura.ne.jp header.s=s2405 header.b="pgImcLK/";
dmarc=pass (policy=none) header.from=dec.sakura.ne.jp;
spf=pass (mx1.freebsd.org: domain of junchoon@dec.sakura.ne.jp designates 153.125.133.21 as permitted sender) smtp.mailfrom=junchoon@dec.sakura.ne.jp
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52CLaI0R050923;
Thu, 13 Mar 2025 06:36:20 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1741815380;
bh=8hN37U9JAumnUP46NID0qiIjSR7hVwkDB8te42yN2ec=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=pgImcLK/++ooUoibtUFgqUOfNqsVpLpoxC7ElwKU9Ye/Qb8aWbJ6yC8CMZKUE+5kK
2G1SSyVQqhoeuBl/VNm0HuMVo+au+XDzg1X0qBHjYRBFRBEZ49yypuj4HZsZKEU8bY
dXX4lajCkbUl7HWLfoxEdGk6d/rDr+ln9uplMY0w=
Date: Thu, 13 Mar 2025 06:36:18 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: David Wolfskill <david@catwhisker.org>
Cc: stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
Message-Id: <20250313063618.93ce4a3e9e3769437faf1e73@dec.sakura.ne.jp>
In-Reply-To: <Z9GLXsDWeedJpOKs@albert.catwhisker.org>
References: <20250311151351.1D9B4B0@slippy.cwsent.com>
<20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp>
<20250311190810.CA65A203@slippy.cwsent.com>
<20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp>
<20250311192103.3C51A300@slippy.cwsent.com>
<20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp>
<20250312000846.2D2C2292@slippy.cwsent.com>
<20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp>
<Z9F93aqHDl025iY3@albert.catwhisker.org>
<20250312221636.6dba50c5cb8a86efc3baabc7@dec.sakura.ne.jp>
<Z9GLXsDWeedJpOKs@albert.catwhisker.org>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spamd-Result: default: False [2.43 / 15.00];
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE(1.00)[];
NEURAL_HAM_LONG(-1.00)[-1.000];
NEURAL_SPAM_MEDIUM(0.88)[0.881];
URIBL_RED(0.50)[dec.sakura.ne.jp:dkim,dec.sakura.ne.jp:mid,dec.sakura.ne.jp:email];
MV_CASE(0.50)[];
NEURAL_SPAM_SHORT(0.24)[0.245];
ONCE_RECEIVED(0.20)[];
HAS_ANON_DOMAIN(0.10)[];
BAD_REP_POLICIES(0.10)[];
MIME_GOOD(-0.10)[text/plain];
RCVD_TLS_LAST(0.00)[];
RCPT_COUNT_TWO(0.00)[2];
ARC_NA(0.00)[];
R_DKIM_ALLOW(0.00)[dec.sakura.ne.jp:s=s2405];
MIME_TRACE(0.00)[0:+];
HAS_ORG_HEADER(0.00)[];
DMARC_POLICY_ALLOW(0.00)[dec.sakura.ne.jp,none];
RCVD_COUNT_ONE(0.00)[1];
TO_DN_SOME(0.00)[];
MLMMJ_DEST(0.00)[stable@freebsd.org];
TO_MATCH_ENVRCPT_SOME(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
DKIM_TRACE(0.00)[dec.sakura.ne.jp:+];
MID_RHS_MATCH_FROM(0.00)[];
RCVD_VIA_SMTP_AUTH(0.00)[];
R_SPF_ALLOW(0.00)[+ip4:153.125.133.16/28];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP];
FROM_HAS_DN(0.00)[]
X-Rspamd-Queue-Id: 4ZCkWn5bT6z3Kf4
X-Spamd-Bar: ++
On Wed, 12 Mar 2025 06:25:50 -0700
David Wolfskill <david@catwhisker.org> wrote:
> On Wed, Mar 12, 2025 at 10:16:36PM +0900, Tomoaki AOKI wrote:
> > ...
> > Yes. I don't have /usr/local/etc/rc.d/ntpd.
> > The remnant of ports ntpd is from my previous computer (already dead)
> > that I carried over its configurations in /etc. Never installed ports
> > ntpd in this computer.
> >
> > % ls -l /usr/local/etc/rc.d/ntpd
> > ls: /usr/local/etc/rc.d/ntpd: ãã®ã‚ˆã†ãªãƒ•ã‚¡ã‚¤ãƒ«ã¾ãŸã¯ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã¯ã‚ã‚Š
> > ã¾ã›ã‚“
> >
> > The Japanese message means "no such file or directory".
> > ....
>
> OK; thought it might be worth double-checking -- I know I've done a few
> "interesting" things, myself.... :-}
Exactly. Double-checking (and cross-checking if possible) is always
important. ;-)
>
> Peace,
> david
> --
> David H. Wolfskill david@catwhisker.org
> Thank you, Claude Malhuret.
> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>
> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Thu Mar 13 20:16:13 2025
X-Original-To: stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZDJfp3j7Wz5r8b3
for <stable@mlmmj.nyi.freebsd.org>; Thu, 13 Mar 2025 20:16:18 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Received: from omta003.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "Client", Issuer "CA" (not verified))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZDJfn0t5Fz428B
for <stable@freebsd.org>; Thu, 13 Mar 2025 20:16:17 +0000 (UTC)
(envelope-from cy.schubert@cschubert.com)
Authentication-Results: mx1.freebsd.org;
dkim=none;
dmarc=permerror reason="p tag has invalid value: quarantine rua=mailto:p[ostmaster@cschubert.com" header.from=cschubert.com (policy=permerror);
spf=pass (mx1.freebsd.org: domain of cy.schubert@cschubert.com designates 3.97.99.32 as permitted sender) smtp.mailfrom=cy.schubert@cschubert.com
Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227])
by cmsmtp with ESMTPS
id slqBtkYQy9JM2soyWtoEiI; Thu, 13 Mar 2025 20:16:16 +0000
Received: from spqr.komquats.com ([70.66.136.217])
by cmsmtp with ESMTPSA
id soyUtm0HTJhBPsoyVt86rd; Thu, 13 Mar 2025 20:16:16 +0000
X-Auth-User: cschuber
X-Authority-Analysis: v=2.4 cv=QY3Fvdbv c=1 sm=1 tr=0 ts=67d33d10
a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17
a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8
a=JAf30KXuAAAA:8 a=YxBL1-UpAAAA:8 a=4mUCIj7Dg_H0rp6CFBQA:9 a=3ZKOabzyN94A:10
a=QEXdDO2ut3YA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=GEL62FyrTCmHtEug2d3R:22
a=Ia-lj3WSrqcvXOmTRaiG:22
Received: from slippy.cwsent.com (slippy [10.1.1.91])
by spqr.komquats.com (Postfix) with ESMTP id F2706122;
Thu, 13 Mar 2025 13:16:13 -0700 (PDT)
Received: by slippy.cwsent.com (Postfix, from userid 1000)
id EC1C4380; Thu, 13 Mar 2025 13:16:13 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
Reply-to: Cy Schubert <Cy.Schubert@cschubert.com>
From: Cy Schubert <Cy.Schubert@cschubert.com>
X-os: FreeBSD
X-Sender: cy@cwsent.com
X-URL: http://www.cschubert.com/
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
cc: David Wolfskill <david@catwhisker.org>, stable@freebsd.org
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent
stable/14
In-reply-to: <20250312221636.6dba50c5cb8a86efc3baabc7@dec.sakura.ne.jp>
References: <87wmcw6gmh.wl-herbert@gojira.at> <20250311011257.dd642ecbcd132ecb7142dc35@dec.sakura.ne.jp> <20250311151351.1D9B4B0@slippy.cwsent.com> <20250312040101.154420f993ed27966dfc1b40@dec.sakura.ne.jp> <20250311190810.CA65A203@slippy.cwsent.com> <20250312041554.48013af3d18e4a5672de3ffd@dec.sakura.ne.jp> <20250311192103.3C51A300@slippy.cwsent.com> <20250312074100.17f51ecf414b2084def5820e@dec.sakura.ne.jp> <20250312000846.2D2C2292@slippy.cwsent.com> <20250312211806.012942ff753b3dd61bb3e68b@dec.sakura.ne.jp> <Z9F93aqHDl025iY3@albert.catwhisker.org> <20250312221636.6dba50c5cb8a86efc3baabc7@dec.sakura.ne.jp>
Comments: In-reply-to Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
message dated "Wed, 12 Mar 2025 22:16:36 +0900."
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Date: Thu, 13 Mar 2025 13:16:13 -0700
Message-Id: <20250313201613.EC1C4380@slippy.cwsent.com>
X-CMAE-Envelope: MS4xfKDju/njUapVenDwfjtK4ulfbKoAD0EpgfHVEF1CG8KOt7aHSuYTNrRaf9cyTYXAgpoePVsSlhOMqZDshFvEtcaM7M1Z7dl11TSVy9lrq2BXb5YWOKX5
wOtdaSWenk+dONxWp/v+UgaibVXETQGo8NpCAhxWjtReUUTVVn7ghZ9hpDOQHd8YOZpUT+eRZ5K0IB813ZmWR0VVLAkb0sbopqR+YshEv4Jd7zjoQ90LWEMl
HPLTPYlc6NPx0Ee4APaSs34pEFR1u3W5pl+630Xq4d8=
X-Spamd-Result: default: False [-0.28 / 15.00];
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE(1.00)[];
RBL_SENDERSCORE_REPUT_9(-1.00)[3.97.99.32:from];
NEURAL_HAM_SHORT(-1.00)[-0.996];
NEURAL_HAM_LONG(-0.99)[-0.994];
NEURAL_SPAM_MEDIUM(0.71)[0.709];
MV_CASE(0.50)[];
URIBL_RED(0.50)[dec.sakura.ne.jp:email];
HAS_ANON_DOMAIN(0.10)[];
RCVD_IN_DNSWL_LOW(-0.10)[3.97.99.32:from];
MIME_GOOD(-0.10)[text/plain];
BAD_REP_POLICIES(0.10)[];
DMARC_BAD_POLICY(0.00)[cschubert.com : p tag has invalid value: quarantine rua=mailto:p[ostmaster@cschubert.com];
RCVD_COUNT_THREE(0.00)[4];
TO_DN_SOME(0.00)[];
RCVD_TLS_LAST(0.00)[];
MIME_TRACE(0.00)[0:+];
ARC_NA(0.00)[];
RCPT_COUNT_THREE(0.00)[3];
ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US];
RCVD_VIA_SMTP_AUTH(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
FROM_HAS_DN(0.00)[];
HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com];
TO_MATCH_ENVRCPT_SOME(0.00)[];
R_DKIM_NA(0.00)[];
MLMMJ_DEST(0.00)[stable@freebsd.org];
R_SPF_ALLOW(0.00)[+ip4:3.97.99.32/31];
REPLYTO_EQ_FROM(0.00)[]
X-Rspamd-Queue-Id: 4ZDJfn0t5Fz428B
X-Spamd-Bar: /
In message <20250312221636.6dba50c5cb8a86efc3baabc7@dec.sakura.ne.jp>,
Tomoaki
AOKI writes:
> On Wed, 12 Mar 2025 05:28:13 -0700
> David Wolfskill <david@catwhisker.org> wrote:
>
> > On Wed, Mar 12, 2025 at 09:18:06PM +0900, Tomoaki AOKI wrote:
> > > ...
> > > Tried (still before reverting, patched /etc/rc.d/ntpd) switching
> > > command line option to corresponding statements in ntp.conf, and
> > > encountered strange behavior.
> > > ...
> > > Note that ports ntpd is no longer installed now (remnant when I tried
> > > ports version before).
> > > ...
> > > ntpd 4.2.8p18-a (150): Starting
> > > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -u ntpd:ntpd -g
> > >
> > > (snip)
> > >
> > > switching logging to file /var/log/ntpd.log
> > > daemon child exited with code 255
> > > /etc/rc: WARNING: failed to start ntpd
> > >
> > > (snip)
> > >
> > > ntpd 4.2.8p18-a (150): Starting
> > > Command line: /usr/sbin/ntpd -4 -g -x -p /var/db/ntp/ntpd.pid
> > > -c /etc/ntp/ntp.conf -f /var/db/ntp/ntpd.drift -g
> > > switching logging to file /var/log/ntpd.log
> > >
> > > ===== End quote =====
> > >
> > > Strangely, ntpd is invoked twice, and command line shown
> > > in /var/log/messages still contains deleted options.
> > > The second run successfully invoked ntpd, even though mac_ntpd.ko is
> > > not auto-loaded.
> > > ....
> >
> > Have you verified that the machine no longer has a /usr/local/etc/rc.d/ntpd
> > (from ports)?
>
> Yes. I don't have /usr/local/etc/rc.d/ntpd.
> The remnant of ports ntpd is from my previous computer (already dead)
> that I carried over its configurations in /etc. Never installed ports
> ntpd in this computer.
>
> % ls -l /usr/local/etc/rc.d/ntpd
> ls: /usr/local/etc/rc.d/ntpd: ãã®ã‚ˆã†ãªãƒ•ã‚¡ã‚¤ãƒ«ã¾ãŸã¯ãƒ‡ã‚£ãƒ¬ã‚
> ¯ãƒˆãƒªã¯ã‚ã‚Š
> ã¾ã›ã‚“
>
> The Japanese message means "no such file or directory".
The port does not install /usr/local/etc/rc.d/ntpd.
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e^(i*pi)+1=0
From ml@ft-c.de Fri Mar 14 12:31:41 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZDkJR68Yzz5r5tc
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Fri, 14 Mar 2025 12:31:51 +0000 (UTC)
(envelope-from ml@ft-c.de)
Received: from einhorn-mail-out.in-berlin.de (einhorn.in-berlin.de [192.109.42.8])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
client-signature RSA-PSS (4096 bits) client-digest SHA256)
(Client CN "mail.in-berlin.de", Issuer "R10" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZDkJQ4KWkz49yj
for <freebsd-stable@freebsd.org>; Fri, 14 Mar 2025 12:31:50 +0000 (UTC)
(envelope-from ml@ft-c.de)
Authentication-Results: mx1.freebsd.org;
dkim=none;
dmarc=none;
spf=pass (mx1.freebsd.org: domain of ml@ft-c.de designates 192.109.42.8 as permitted sender) smtp.mailfrom=ml@ft-c.de
X-Envelope-From: ml@ft-c.de
X-Envelope-To: <freebsd-stable@freebsd.org>
Received: from authenticated.user (localhost [127.0.0.1]) by einhorn.in-berlin.de with ESMTPSA id 52ECVgYi919029
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
for <freebsd-stable@freebsd.org>; Fri, 14 Mar 2025 13:31:43 +0100
Message-ID: <1bb9fdf44c81020a23cf6f1475c15dbecdc2ea83.camel@ft-c.de>
Subject: tex zugferd
From: ft <ml@ft-c.de>
Reply-To: ml@ft-c.de
To: freebsd-stable@freebsd.org
Date: Fri, 14 Mar 2025 13:31:41 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.44.4 FreeBSD GNOME Team
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
X-Spamd-Result: default: False [2.29 / 15.00];
NEURAL_SPAM_MEDIUM(1.00)[1.000];
NEURAL_SPAM_LONG(1.00)[1.000];
RBL_SENDERSCORE_REPUT_7(0.50)[192.109.42.8:from];
NEURAL_HAM_SHORT(-0.31)[-0.307];
ONCE_RECEIVED(0.20)[];
BAD_REP_POLICIES(0.10)[];
RWL_MAILSPIKE_GOOD(-0.10)[192.109.42.8:from];
MIME_GOOD(-0.10)[text/plain];
FROM_EQ_ENVFROM(0.00)[];
ARC_NA(0.00)[];
REPLYTO_ADDR_EQ_FROM(0.00)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
DMARC_NA(0.00)[ft-c.de];
RCVD_TLS_ALL(0.00)[];
MIME_TRACE(0.00)[0:+];
RCPT_COUNT_ONE(0.00)[1];
REPLYTO_DOM_NEQ_TO_DOM(0.00)[];
PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org];
R_SPF_ALLOW(0.00)[+ip4:192.109.42.0/24];
MID_RHS_MATCH_FROM(0.00)[];
R_DKIM_NA(0.00)[];
MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org];
TO_DN_NONE(0.00)[];
RCVD_VIA_SMTP_AUTH(0.00)[];
RCVD_COUNT_ONE(0.00)[1];
ASN(0.00)[asn:29670, ipnet:192.109.42.0/24, country:DE];
HAS_REPLYTO(0.00)[ml@ft-c.de];
FROM_HAS_DN(0.00)[]
X-Rspamd-Queue-Id: 4ZDkJQ4KWkz49yj
X-Spamd-Bar: ++
Hello,=20
I install zugferd manally from github.=20
I get an error when I start
__> lualatex DEMO-rechnung-zugferd.tex
This is LuaHBTeX, Version 1.18.0 (Web2C 2024)=20
restricted system commands enabled.
(./DEMO-rechnung-zugferd.tex
LaTeX2e <2024-06-01> pre-release-1 (develop 2024-8-20 branch)
...
! Package zugferd Error: Your version of \LaTeX 's PDF management is too
(zugferd) old.You need to update your LaTeX distribution to
(zugferd) be able to use the zugferd package correctly.
__> pdflatex DEMO-rechnung-zugferd.tex=20
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (Web2C 2024) (preloaded
format=3Dpdflatex)
restricted \write18 enabled.
entering extended mode
...
! Package zugferd Error: Your version of \LaTeX 's PDF management is too
(zugferd) old.You need to update your LaTeX distribution to
(zugferd) be able to use the zugferd package correctly.
Franz
-----=20
more information=20
uname -a
FreeBSD ftc 14.1-RELEASE-p3 FreeBSD 14.1-RELEASE-p3 GENERIC amd64
about zugferd
https://ctan.org/pkg/zugferd?lang=3Dde
https://github.com/TeXhackse/LaTeX-ZUGFeRD
From nobody Fri Mar 14 15:03:10 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZDng63LhTz5qK9k
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Fri, 14 Mar 2025 15:03:14 +0000 (UTC)
(envelope-from pi@freebsd.org)
Received: from fc.opsec.eu (fc.opsec.eu [IPv6:2001:14f8:200:4::4])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZDng60Zsrz4H4G
for <freebsd-stable@freebsd.org>; Fri, 14 Mar 2025 15:03:14 +0000 (UTC)
(envelope-from pi@freebsd.org)
Authentication-Results: mx1.freebsd.org;
none
Received: from pi by fc.opsec.eu with local (Exim 4.98 (FreeBSD))
(envelope-from <pi@freebsd.org>)
id 1tt6Z4-000000005q7-2b0q;
Fri, 14 Mar 2025 16:03:10 +0100
Date: Fri, 14 Mar 2025 16:03:10 +0100
From: Kurt Jaeger <pi@freebsd.org>
To: ft <ml@ft-c.de>
Cc: freebsd-stable@freebsd.org
Subject: Re: tex zugferd
Message-ID: <Z9RFLgSyberafoZm@fc.opsec.eu>
References: <1bb9fdf44c81020a23cf6f1475c15dbecdc2ea83.camel@ft-c.de>
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1bb9fdf44c81020a23cf6f1475c15dbecdc2ea83.camel@ft-c.de>
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:12502, ipnet:2001:14f8::/32, country:DE]
X-Rspamd-Queue-Id: 4ZDng60Zsrz4H4G
X-Spamd-Bar: ----
Hi!
> I install zugferd manally from github.
>
> I get an error when I start
>
> __> lualatex DEMO-rechnung-zugferd.tex
> This is LuaHBTeX, Version 1.18.0 (Web2C 2024)
> restricted system commands enabled.
> (./DEMO-rechnung-zugferd.tex
> LaTeX2e <2024-06-01> pre-release-1 (develop 2024-8-20 branch)
The texlive port is from 2024, texlive 2025 was only released
recently and zugferd only works 'out-of-the-box' with texlive 2025,
so it will take a bit more time to update the ports.
There are some manual steps to get it running, but if you're
not in a hurry, waiting for 2025 might be the sensible option.
--
pi@FreeBSD.org +49 171 3101372 Now what ?
From nobody Sun Mar 16 17:37:07 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZG4zs348fz5qp9h
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Sun, 16 Mar 2025 17:37:13 +0000 (UTC)
(envelope-from tembun@bk.ru)
Received: from send80.i.mail.ru (send80.i.mail.ru [89.221.237.175])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZG4zr4kmlz3cwW;
Sun, 16 Mar 2025 17:37:12 +0000 (UTC)
(envelope-from tembun@bk.ru)
Authentication-Results: mx1.freebsd.org;
dkim=pass header.d=bk.ru header.s=mail4 header.b=Aug70QhD;
dmarc=pass (policy=reject) header.from=bk.ru;
spf=pass (mx1.freebsd.org: domain of tembun@bk.ru designates 89.221.237.175 as permitted sender) smtp.mailfrom=tembun@bk.ru
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bk.ru;
s=mail4; h=Content-Transfer-Encoding:Content-Type:Mime-Version:References:
In-Reply-To:Message-Id:Subject:Cc:To:From:Date:From:Sender:Reply-To:To:Cc:
Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:
List-Archive:X-Cloud-Ids:Disposition-Notification-To;
bh=QLVWg7go42nL/bt58ai2OoEZhQAA2R3jCXoIUpaReac=; t=1742146632; x=1742236632;
b=Aug70QhDXGpX7LOmWeL022A229ZPC8wrhh0lKpv5iDR3sMwP+tR7pWHFfKzcr/FRlezfzohwddN
PM871+7zta1o6I6+2BZama2B2PkNvc2OqZKBo4nP/S6j4gMbJFCwUzKZkSvwTvmfNagFR/GRDltQg
AjnjWVuQll1dLG4+zevN0ZWSvmbhGCXEOk7BIvuD8wiKVaD8Yf+Zr6Lzft50nKEqFGySIjY+pkHfn
I3bse1+ai0up7Cmn3Jgk8a++saTcuKQ8PeNfeCGEd7c0gQ0mmI5c3abCn52tP0Icdo6VGRQoxMxWZ
z94GkgrFUzskwAdeDYUJxKZKwPR+GI4eIMTQ==;
Received: by exim-smtp-69cc44787d-75dmx with esmtpa (envelope-from <tembun@bk.ru>)
id 1ttrvA-00000000QyV-3TVu; Sun, 16 Mar 2025 20:37:09 +0300
Date: Sun, 16 Mar 2025 20:37:07 +0300
From: Artem Bunichev <tembun@bk.ru>
To: Emmanuel Vadot <manu@bidouilliste.com>
Cc: Andre Albsmeier <Andre.Albsmeier@siemens.com>, Ed Maste
<emaste@freebsd.org>, Mark Johnston <markj@freebsd.org>,
freebsd-stable@freebsd.org
Subject: Re: removing the agp(4) driver
Message-Id: <20250316203707.3adfe4a7255dd79d493398e5@bk.ru>
In-Reply-To: <20240906083545.bedaf9ce050b7eae1baa8c63@bidouilliste.com>
References: <Ztm1i2B7zZMacX0-@nuc>
<CAPyFy2DuvA2cPZxcfPMoo2XpJ9cErDa5H1uHYVzw+void0P5jQ@mail.gmail.com>
<ZtqVuaGedxmtfQDE@bali.c4ef04bb578971607fc6a73f3188a722>
<20240906083545.bedaf9ce050b7eae1baa8c63@bidouilliste.com>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailru-Src: smtp
X-7564579A: B8F34718100C35BD
X-77F55803: 4F1203BC0FB41BD9CB00722163A93FBB5341C3CFB27ABD834B32BF74B4D1CA59CD62213F67905E7AFE9A60CDF51DD4435C456ACCD518BAE3516F7C0E291115C50531953846382B0A24DAF05A372A3159
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE70993CE289E4873FDEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637AC83A81C8FD4AD23D82A6BABE6F325AC2E85FA5F3EDFCBAA7353EFBB553375665A3E9B1844DE9459D1743D8A4DAB8B2CF2665835ACAFB46C88EA624AC69528CA8EEF46B7454FC60B9742502CCDD46D0DC8A976F1B976E0ABF6B57BC7E64490618DEB871D839B73339E8FC8737B5C22495FF0BFC5AEE34BE6CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92176DF2183F8FC7C078FCF50C7EAF9C588941B15DA834481F9449624AB7ADAF37BA3038C0950A5D3613377AFFFEAFD269176DF2183F8FC7C0FDB844B0B1727B107B076A6E789B0E97A8DF7F3B2552694AD5FFEEA1DED7F25D49FD398EE364050F140C956E756FBB7A28F6BDBBAB179F4EB3661434B16C20ACC84D3B47A649675FE827F84554CEF5019E625A9149C048EE9ECD01F8117BC8BEE2021AF6380DFAD18AA50765F790063735872C767BF85DA227C277FBC8AE2E8BB4DF54FF0E695C8E75ECD9A6C639B01B4E70A05D1297E1BBCB5012B2E24CD356
X-C1DE0DAB: 0D63561A33F958A576A666DF78D70A375002B1117B3ED6961A8FFB7633E99050C81EEE05487B0209823CB91A9FED034534781492E4B8EEAD003C2D46C52F18F2BDAD6C7F3747799A
X-C8649E89: 1C3962B70DF3F0ADBF74143AD284FC7177DD89D51EBB7742DC8270968E61249B1004E42C50DC4CA955A7F0CF078B5EC49A30900B95165D34F05B761BB9C2AA445C8D8C393ABDFDA6EADE109E4B427EB8DB6D89BF56C77387DCF82D9C44C3218C1D7E09C32AA3244C3B322542854B09C077DD89D51EBB7742F2BC846760DE9385EA455F16B58544A2D06CB91D864A7BD28F2EB4EFC5515AAD2F60AD443A3420F5CC2E138FFB4ACBED
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVRxnlmV4XzQl083wHHkGL8Y=
X-Mailru-Sender: 412FB63E61E707850942CB31C39A04B12CE1AE0A964299E64BD03525DDD6C8964832F066A1C079360449AC9E9A52E98D22FBAC171A828B66B859CE5FF3DB253DB6B5BA016EA0A433C7974500E8E547F519480F73BEF34F5D3DDE9B364B0DF289AE208404248635DF
X-Mras: Ok
X-Spamd-Result: default: False [-1.21 / 15.00];
NEURAL_HAM_LONG(-0.98)[-0.982];
NEURAL_SPAM_SHORT(0.78)[0.782];
NEURAL_HAM_MEDIUM(-0.51)[-0.513];
MV_CASE(0.50)[];
DMARC_POLICY_ALLOW(-0.50)[bk.ru,reject];
R_DKIM_ALLOW(-0.20)[bk.ru:s=mail4];
R_SPF_ALLOW(-0.20)[+ip4:89.221.237.128/25];
MIME_GOOD(-0.10)[text/plain];
TO_MATCH_ENVRCPT_SOME(0.00)[];
MIME_TRACE(0.00)[0:+];
TO_DN_SOME(0.00)[];
FREEMAIL_FROM(0.00)[bk.ru];
FREEMAIL_ENVFROM(0.00)[bk.ru];
RCVD_COUNT_ONE(0.00)[1];
FROM_HAS_DN(0.00)[];
ASN(0.00)[asn:47764, ipnet:89.221.236.0/22, country:RU];
RCVD_VIA_SMTP_AUTH(0.00)[];
RBL_SENDERSCORE_REPUT_8(0.00)[89.221.237.175:from];
FROM_EQ_ENVFROM(0.00)[];
RCVD_TLS_LAST(0.00)[];
ARC_NA(0.00)[];
MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org];
RCPT_COUNT_FIVE(0.00)[5];
MID_RHS_MATCH_FROM(0.00)[];
DKIM_TRACE(0.00)[bk.ru:+]
X-Rspamd-Queue-Id: 4ZG4zr4kmlz3cwW
X-Spamd-Bar: -
> This is due to
> https://github.com/freebsd/drm-kmod/blob/master/drivers/gpu/drm/i915/i915_module.c#L156
> This should be under an #ifdef _i386_ as we only set CONFIG_AGP for
> this arch, I'll commit something later today in all supported branches.
It's been a while, but as I can see, this piece of code is still _not_ under
that #ifdef. I want to ask, is it planned to be updated or not, because I
basically have the same problem: my machine does _not_ have an AGP port, but
i915kms refuses to work without agp(4) driver, so I have to compile it into
the kernel to make it work.
Thank you,
Artem.
From nobody Sun Mar 16 17:59:09 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZG5Th0krZz5qr7w
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Sun, 16 Mar 2025 17:59:36 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZG5Tg3pS7z3qRT;
Sun, 16 Mar 2025 17:59:35 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-40-20.area1c.commufa.jp [124.18.40.20])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52GHx947039296;
Mon, 17 Mar 2025 02:59:11 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1742147953;
bh=k5q7nOFkHLz3UHypCjlfevMgD1LeSeAy9xpkKsOONn0=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=sjUofTSL2u0Js1bniDSmW+JgL1s/RmDOyj6NbLaTrfzkuHvbTETmjXP4eQSwkw818
YoidWHcTqIM4ri0ISuWyl9ygbB5f3fbgoBc5hfWg/Wd516WCdrqFLJ7jW3tSbxarWs
E4qBGc42g7QUK685ZKj8nVAJw0Fzu0lDHSI/qGV0=
Date: Mon, 17 Mar 2025 02:59:09 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Artem Bunichev <tembun@bk.ru>
Cc: Emmanuel Vadot <manu@bidouilliste.com>,
Andre Albsmeier
<Andre.Albsmeier@siemens.com>,
Ed Maste <emaste@freebsd.org>, Mark Johnston
<markj@freebsd.org>,
freebsd-stable@freebsd.org
Subject: Re: removing the agp(4) driver
Message-Id: <20250317025909.a60d56df60b953c6a25ff9bf@dec.sakura.ne.jp>
In-Reply-To: <20250316203707.3adfe4a7255dd79d493398e5@bk.ru>
References: <Ztm1i2B7zZMacX0-@nuc>
<CAPyFy2DuvA2cPZxcfPMoo2XpJ9cErDa5H1uHYVzw+void0P5jQ@mail.gmail.com>
<ZtqVuaGedxmtfQDE@bali.c4ef04bb578971607fc6a73f3188a722>
<20240906083545.bedaf9ce050b7eae1baa8c63@bidouilliste.com>
<20250316203707.3adfe4a7255dd79d493398e5@bk.ru>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZG5Tg3pS7z3qRT
X-Spamd-Bar: ----
On Sun, 16 Mar 2025 20:37:07 +0300
Artem Bunichev <tembun@bk.ru> wrote:
> > This is due to
> > https://github.com/freebsd/drm-kmod/blob/master/drivers/gpu/drm/i915/i915_module.c#L156
> > This should be under an #ifdef _i386_ as we only set CONFIG_AGP for
> > this arch, I'll commit something later today in all supported branches.
>
> It's been a while, but as I can see, this piece of code is still _not_ under
> that #ifdef. I want to ask, is it planned to be updated or not, because I
> basically have the same problem: my machine does _not_ have an AGP port, but
> i915kms refuses to work without agp(4) driver, so I have to compile it into
> the kernel to make it work.
>
> Thank you,
> Artem.
Just a FYI:
It could be because even MINIMAL kernel configuration has
device agp # support several AGP chipsets
line.
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
From nobody Sun Mar 16 18:20:19 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZG5xh4wTpz5qsf1
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Sun, 16 Mar 2025 18:20:24 +0000 (UTC)
(envelope-from tembun@bk.ru)
Received: from send266.i.mail.ru (send266.i.mail.ru [95.163.59.105])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZG5xh2gMgz41YC;
Sun, 16 Mar 2025 18:20:23 +0000 (UTC)
(envelope-from tembun@bk.ru)
Authentication-Results: mx1.freebsd.org;
none
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bk.ru;
s=mail4; h=Content-Transfer-Encoding:Content-Type:Mime-Version:References:
In-Reply-To:Message-Id:Subject:Cc:To:From:Date:From:Sender:Reply-To:To:Cc:
Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:
List-Archive:X-Cloud-Ids:Disposition-Notification-To;
bh=Mp5Ebc2EkVd0VPn+rq6id4Hhp93OK4ysbjWG/xkBrhk=; t=1742149223; x=1742239223;
b=mtbi2bBlU+ZsBx6FJ5izc0VmQ9QwRVpzWRkmuCUs54RaePBU4i5iQ9E2cYL2EaNXXPlxOzRxwvk
ktJwH1PbSImgZ3mTZvxXBcedguMoppTgP25sTX3FDJxc76OXNKamB7Z+kyVhSi9/zUV92dFo5148p
ccqVLPJHG+wpk1GTj4ZhhlGyo6HdUe6HLUsNYYlHrsraeKpg8vz/Jeq6tbqSgbUGOB8niWe6dkROe
Qd1NT3Ms6xnZqEWSwSFiOf8fIic7pQG6hsADcCaYchE1VsIST8cDKWG5oSMNEOf9GIbU6zTKNDcR8
52K/+u9XsFKMNiHJQoE0wlDFHtjUT+s0b6Ew==;
Received: by exim-smtp-69cc44787d-n64pl with esmtpa (envelope-from <tembun@bk.ru>)
id 1ttsay-00000000G6k-075P; Sun, 16 Mar 2025 21:20:20 +0300
Date: Sun, 16 Mar 2025 21:20:19 +0300
From: Artem Bunichev <tembun@bk.ru>
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc: Emmanuel Vadot <manu@bidouilliste.com>, Andre Albsmeier
<Andre.Albsmeier@siemens.com>, Ed Maste <emaste@freebsd.org>, Mark Johnston
<markj@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: removing the agp(4) driver
Message-Id: <20250316212019.df960a0ce218872c0fef72bd@bk.ru>
In-Reply-To: <20250317025909.a60d56df60b953c6a25ff9bf@dec.sakura.ne.jp>
References: <Ztm1i2B7zZMacX0-@nuc>
<CAPyFy2DuvA2cPZxcfPMoo2XpJ9cErDa5H1uHYVzw+void0P5jQ@mail.gmail.com>
<ZtqVuaGedxmtfQDE@bali.c4ef04bb578971607fc6a73f3188a722>
<20240906083545.bedaf9ce050b7eae1baa8c63@bidouilliste.com>
<20250316203707.3adfe4a7255dd79d493398e5@bk.ru>
<20250317025909.a60d56df60b953c6a25ff9bf@dec.sakura.ne.jp>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailru-Src: smtp
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD9CB00722163A93FBB9ED8DF5C8C729E91AD9FD86BF7557607CD62213F67905E7A8F85419E4F79A92A86927729795C98D34B01E7011529A99E0255A0008097B89DDDDE7B70B5F5C79F
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7DB6A86BDF2D5A895EA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637AC83A81C8FD4AD23D82A6BABE6F325AC2E85FA5F3EDFCBAA7353EFBB553375665A3E9B1844DE94599F131C174CBDC7DE5EA8B10075385EAE92B8B81E70704D4D8EEF46B7454FC60B9742502CCDD46D0DA7DFDF579AB090EFF6B57BC7E64490618DEB871D839B73339E8FC8737B5C2249957A4DEDD2346B42CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92176DF2183F8FC7C0A29E2F051442AF778941B15DA834481F9449624AB7ADAF37BA3038C0950A5D3613377AFFFEAFD269176DF2183F8FC7C0D9178EDDD91B20347B076A6E789B0E97A8DF7F3B2552694AD5FFEEA1DED7F25D49FD398EE364050F140C956E756FBB7A1C9461EB66F04EBFB3661434B16C20ACC84D3B47A649675FE827F84554CEF5019E625A9149C048EE9ECD01F8117BC8BEE2021AF6380DFAD18AA50765F790063735872C767BF85DA227C277FBC8AE2E8BD8DF3B3A848AC9A575ECD9A6C639B01B4E70A05D1297E1BBCB5012B2E24CD356
X-C1DE0DAB: 0D63561A33F958A53CC21D610DF3D11D5002B1117B3ED696E8AF4601554694A022DFD5397F446790823CB91A9FED034534781492E4B8EEADA91A6E18C88C5E2F
X-C8649E89: 1C3962B70DF3F0ADBF74143AD284FC7177DD89D51EBB7742DC8270968E61249B1004E42C50DC4CA955A7F0CF078B5EC49A30900B95165D349FF8F8245A2FAA7BD7BA6E2F50C13F1F99809AF019DE8CA0DF38C799D7E71109F4256476806A1E6D1D7E09C32AA3244C1DC5235E21B056B077DD89D51EBB774210CF0F1E76F7BE13EA455F16B58544A2339EE7E191543B948F2EB4EFC5515AAD2F60AD443A3420F5CC2E138FFB4ACBED
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVRxnlmV4XzQl9jaB9KKRPEo=
X-Mailru-Sender: 412FB63E61E707850942CB31C39A04B1CDFA848DF179B54F479CDAE959BF64247E2647DDAFEE53F90449AC9E9A52E98D22FBAC171A828B66B859CE5FF3DB253DB6B5BA016EA0A433C7974500E8E547F519480F73BEF34F5D3DDE9B364B0DF289AE208404248635DF
X-Mras: Ok
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:47764, ipnet:95.163.32.0/19, country:RU]
X-Rspamd-Queue-Id: 4ZG5xh2gMgz41YC
X-Spamd-Bar: ----
> Just a FYI:
> It could be because even MINIMAL kernel configuration has
>
> device agp # support several AGP chipsets
>
> line.
Yes, I noticed that both GENERIC and MINIMAL kernels do have the agp(4) driver
included. But as I can see, it doesn't make sense to compile this driver if
your machine doesn't need it (I mean, no actual hardware for the driver;
`dmesg |grep agp' outputs nothing on my ThinkPad X220). As I understand from
Emmanuel Vadot's message, the problem can be solved with conditional
compilation, but I just want to sort of bump it, because I found that it
hasn't been solved yet. I think that it's better to do this before the driver
will actually be removed.
Artem.
From nobody Sun Mar 16 22:02:41 2025
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZGBtZ6LrHz5r8fv
for <freebsd-stable@mlmmj.nyi.freebsd.org>; Sun, 16 Mar 2025 22:03:02 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mx1.freebsd.org (Postfix) with ESMTPS id 4ZGBtY6blcz3lYc;
Sun, 16 Mar 2025 22:03:01 +0000 (UTC)
(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
none
Received: from kalamity.joker.local (124-18-43-114.area1c.commufa.jp [124.18.43.114])
(authenticated bits=0)
by www121.sakura.ne.jp (8.17.1/8.17.1/[SAKURA-WEB]/20201212) with ESMTPA id 52GM2fGP080419;
Mon, 17 Mar 2025 07:02:42 +0900 (JST)
(envelope-from junchoon@dec.sakura.ne.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dec.sakura.ne.jp;
s=s2405; t=1742162564;
bh=rQri02vZjiFJrKXZWFyEC/GOWHFG/UeOVfzVzCrIpxk=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=cp0qR32tQErSDpIplPh2NwpNb64FkvzL40jcvckEDMLALbgTPlEhBj0RIHPtV9an6
NF2OnijHjrbdImYD+QienOOPa6L6rvnHokAXBis5NCIU1dusn/aCwGUUdcOd4le/6J
8Vq1DKLDlAlc1JXdVqzR3g+lYwGx2OEsWuVuLwC0=
Date: Mon, 17 Mar 2025 07:02:41 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: Artem Bunichev <tembun@bk.ru>
Cc: Emmanuel Vadot <manu@bidouilliste.com>,
Andre Albsmeier
<Andre.Albsmeier@siemens.com>,
Ed Maste <emaste@freebsd.org>, Mark Johnston
<markj@freebsd.org>,
freebsd-stable@freebsd.org
Subject: Re: removing the agp(4) driver
Message-Id: <20250317070241.36571d8c632f2caa6a733dc1@dec.sakura.ne.jp>
In-Reply-To: <20250316212019.df960a0ce218872c0fef72bd@bk.ru>
References: <Ztm1i2B7zZMacX0-@nuc>
<CAPyFy2DuvA2cPZxcfPMoo2XpJ9cErDa5H1uHYVzw+void0P5jQ@mail.gmail.com>
<ZtqVuaGedxmtfQDE@bali.c4ef04bb578971607fc6a73f3188a722>
<20240906083545.bedaf9ce050b7eae1baa8c63@bidouilliste.com>
<20250316203707.3adfe4a7255dd79d493398e5@bk.ru>
<20250317025909.a60d56df60b953c6a25ff9bf@dec.sakura.ne.jp>
<20250316212019.df960a0ce218872c0fef72bd@bk.ru>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Rspamd-Pre-Result: action=no action;
module=replies;
Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
REPLY(-4.00)[];
ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP]
X-Rspamd-Queue-Id: 4ZGBtY6blcz3lYc
X-Spamd-Bar: ----
On Sun, 16 Mar 2025 21:20:19 +0300
Artem Bunichev <tembun@bk.ru> wrote:
> > Just a FYI:
> > It could be because even MINIMAL kernel configuration has
> >
> > device agp # support several AGP chipsets
> >
> > line.
>
> Yes, I noticed that both GENERIC and MINIMAL kernels do have the agp(4) driver
> included. But as I can see, it doesn't make sense to compile this driver if
> your machine doesn't need it (I mean, no actual hardware for the driver;
> `dmesg |grep agp' outputs nothing on my ThinkPad X220). As I understand from
> Emmanuel Vadot's message, the problem can be solved with conditional
> compilation, but I just want to sort of bump it, because I found that it
> hasn't been solved yet. I think that it's better to do this before the driver
> will actually be removed.
>
> Artem.
100% agree with you.
But as graphics/drm-*-kmod are ported from Linux, I suspect if Linux
still support agp even on amd64 (would be nonsense, though) and ask agp
driver whether there's any GPU or not, agp driver would be needed just
to reply "there's none!".
Not read the codes, so I would be wrong. But just a possible reason to
keep it.
--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>