From owner-freebsd-hackers@freebsd.org Wed Mar 13 11:50:40 2019
Message-Id: <201903131150.x2DBo75m071495@fire.js.berklix.net>
To: hackers@freebsd.org
cc: "Julian H. Stacey"
Subject: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
From: "Julian H. Stacey"
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Aachen Kent
Date: Wed, 13 Mar 2019 12:50:07 +0100
List-Id: Technical Discussions relating to FreeBSD

Hi hackers@freebsd.org,

Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as uid=123
not root on 12.0, the process runs, But fails to correct the time !

Next thing to diagnose it, would be a kill of ntpd & restart direct as
root, I'm not root there so I'll wait for that.

Are others 12 systems slipping time too ?

-------------------------------------------------------------------------------
The bad host: 12.0-p3

grep ntp /etc/rc.conf
	ntpd_enable="YES"

Identical: /etc/ntp.conf /usr/src/usr.sbin/ntp/ntpd/ntp.conf

ps -laxww | grep ntp| grep -v grep
	UID   PID PPID CPU PRI NI   VSZ   RSS MWCHAN STAT TT     TIME COMMAND
	123 17872    1   0  20  0 19424 19520 select Ss    -  0:01.59 /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift

ntpd is running not as root, but as 123
	ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin

	-r-xr-xr-x  1 root  wheel  842896 Dec  7 05:16 /usr/sbin/ntpd
ntpd has no s or g bits, so can not set time I presume,

/var/log/messages has nothing since admin started it :
	Mar 11 20:51:53 hostname [16744]: ntpd 4.2.8p12-a (1): Starting
	Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
	Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
	Mar 11 21:37:46 hostname [16745]: ntpd exiting on signal 15 (Terminated)
	Mar 11 22:39:10 hostname [17871]: ntpd 4.2.8p12-a (1): Starting
	Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
	Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

ls -l /var/db/ntpd*
	-rw-r--r--  1 root  wheel  10663 Dec 31 02:30 /var/db/ntpd.leap-seconds.list

-------------------------------------------------------------------------------
A good host for comparison : 10.3-STABLE on time with radio wall clock:

	UID   PID PPID CPU PRI NI   VSZ   RSS MWCHAN STAT TT     TIME COMMAND
	  0   580    1   0  20  0 21900 13812 select Ss    -  0:45.10 /usr/sbin/ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift

	-r-xr-xr-x  1 root  wheel  763888 Aug 17  2016 /usr/sbin/ntpd*

Non root manual invocation of ntpd command above:
	must be run as root, not uid 200

grep ntp /etc/rc*
	/etc/rc.conf:ntpd_enable="YES"
	/etc/rc.conf:ntpd_sync_on_start="YES" # Sync time on ntpd startup, even if offset is high
	/etc/rc.conf:ntpdate_enable="YES" # Sync time on boot # as ntpd later refuses to compensate > 1 hour

ls -l /var/db/ntpd*
	-rw-r--r--  1 root  wheel      8 Mar 13 10:14 /var/db/ntpd.drift
	-rw-r--r--  1 root  wheel  10663 Oct 27 14:10 /var/db/ntpd.leap-seconds.list

Cheers,
Julian
-- 
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
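
The two `ps -laxww` listings in the message differ in the uid and in the paths passed to `-p` and `-f`. As an added example (not part of the original message), this sh script extracts those fields from such a listing and names the directories a non-root ntpd would have to write to; the function names are hypothetical and the column layout is assumed to match the listings above.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumes the 13-column `ps -laxww` layout shown in the message:
# field 1 = UID, field 2 = PID, field 13 = start of COMMAND.

# The header and the two ntpd rows, copied from the listings in the message.
sample_ps() {
cat <<'EOF'
UID   PID PPID CPU PRI NI   VSZ   RSS MWCHAN STAT TT     TIME COMMAND
123 17872    1   0  20  0 19424 19520 select Ss    -  0:01.59 /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift
  0   580    1   0  20  0 21900 13812 select Ss    -  0:45.10 /usr/sbin/ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
EOF
}

# One line per ntpd process: uid, pid, root/non-root, pid file, drift file.
ntpd_summary() {
    awk '
    $13 ~ /(^|\/)ntpd$/ {
        pidfile = "-"; drift = "-"
        for (i = 14; i < NF; i++) {
            if ($i == "-p") pidfile = $(i + 1)
            if ($i == "-f") drift = $(i + 1)
        }
        priv = ($1 == 0) ? "root" : "non-root"
        printf "uid=%s pid=%s %s pidfile=%s drift=%s\n", $1, $2, priv, pidfile, drift
    }'
}

# Directories holding the pid and drift files of every non-root ntpd.
# These are the paths to inspect with `ls -ld` for ownership and mode.
writable_dirs_needed() {
    ntpd_summary | awk '$3 == "non-root" {
        for (i = 4; i <= 5; i++) {
            path = $i; sub(/^[a-z]+=/, "", path)
            if (path == "-") continue
            n = split(path, parts, "/")
            print substr(path, 1, length(path) - length(parts[n]) - 1)
        }
    }' | sort -u
}

# Run on the sample; on a live host use: ps -laxww | ntpd_summary
sample_ps | ntpd_summary
sample_ps | writable_dirs_needed
```

For the uid 123 process this reports `/var/db/ntp`, a directory that the glob `/var/db/ntpd*` used in the `ls -l` commands above does not match.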