From: Dimitry Andric <dim@FreeBSD.org>
To: "Julian H. Stacey"
Cc: hackers@freebsd.org
Subject: Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
Date: Wed, 13 Mar 2019 13:06:12 +0100
Message-Id: <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>
In-Reply-To: <201903131150.x2DBo75m071495@fire.js.berklix.net>
List: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)

On 13 Mar 2019, at 12:50, Julian H. Stacey wrote:
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0? The process runs, but fails to correct
> the time! Next thing to diagnose it would be a kill of ntpd and
> a restart directly as root; I'm not root there so I'll wait for that.
>
> Are other 12 systems slipping time too?

My systems are working fine, even though ntpd is running as user ntpd.
There's this new part in /etc/rc.d/ntpd, which may be the reason it is
not working for you:

    # Try to set up the MAC ntpd policy so ntpd can run with reduced
    # privileges.  Detect whether MAC is compiled into the kernel, load
    # the policy module if not already present, then check whether the
    # policy has been disabled via tunable or sysctl.
    [ -n "$(sysctl -qn security.mac.version)" ] || return 1
    sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
    [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1

So it tries to set up that MAC policy, which shows up in syslog like:

    kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
    ntpd[810]: ntpd 4.2.8p12-a (1): Starting
    ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
    ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

Maybe on your system something goes wrong loading the mac_ntpd module,
or setting the sysctl, but it still continues to attempt to run ntpd as
non-root? I would run /etc/rc.d/ntpd with sh -x to see what it is doing
exactly.

-Dimitry
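As an added illustration, not part of Dimitry's mail and not code from FreeBSD's /etc/rc.d/ntpd: the POSIX sh below re-implements the three checks quoted above (MAC compiled into the kernel, mac_ntpd loaded or loadable, security.mac.ntpd.enabled set to 1) but reports which one failed instead of silently returning 1, which is the information one would otherwise dig out of the sh -x trace. The function names mac_ntpd_check and run_fake, the SYSCTL/KLDLOAD override variables, and the fake_sysctl/fake_kldload stand-ins with their FAKE_* state are all constructed for this example so that the logic can be exercised on a machine that is not running FreeBSD; on a real 12.0 host, calling mac_ntpd_check with the defaults drives the real sysctl(8) and kldload(8).

```shell
#!/bin/sh
# Added diagnostic example; not from the original mail or from FreeBSD's
# /etc/rc.d/ntpd.  Re-implements the rc.d checks quoted above but says
# WHICH check failed instead of returning 1.
#
# SYSCTL and KLDLOAD default to the real sysctl(8)/kldload(8); they are
# overridable so the logic can run on a non-FreeBSD host with the
# constructed stand-ins further down.
: "${SYSCTL:=sysctl}"
: "${KLDLOAD:=kldload}"

# mac_ntpd_check prints one word on stdout and returns:
#   0 "ok"         MAC present, mac_ntpd loaded, security.mac.ntpd.enabled=1
#   1 "no-mac"     kernel built without options MAC (no security.mac.version)
#   2 "no-module"  mac_ntpd not loaded and kldload(8) failed
#   3 "disabled"   security.mac.ntpd.enabled is not 1 (tunable/sysctl)
mac_ntpd_check() {
    if [ -z "$("$SYSCTL" -qn security.mac.version 2>/dev/null)" ]; then
        echo no-mac; return 1
    fi
    if ! "$SYSCTL" -qn security.mac.ntpd >/dev/null 2>&1; then
        "$KLDLOAD" -qn mac_ntpd 2>/dev/null || { echo no-module; return 2; }
    fi
    if [ "$("$SYSCTL" -qn security.mac.ntpd.enabled 2>/dev/null)" != "1" ]; then
        echo disabled; return 3
    fi
    echo ok; return 0
}

# ---- constructed stand-ins (hypothetical kernel state, not real OIDs) ----
# FAKE_MAC          value of security.mac.version; empty = MAC not compiled in
# FAKE_NTPD_LOADED  1 if mac_ntpd is "loaded"
# FAKE_NTPD_ENABLED value of security.mac.ntpd.enabled once loaded
# FAKE_KLD_FAILS    1 to model kldload failing (e.g. module file missing)
fake_sysctl() {
    # only the "-qn <oid>" form used by the check is modelled ($2 is the OID)
    case "$2" in
        security.mac.version)      [ -n "$FAKE_MAC" ] && echo "$FAKE_MAC" ;;
        security.mac.ntpd)         [ "$FAKE_NTPD_LOADED" = 1 ] ;;
        security.mac.ntpd.enabled) [ "$FAKE_NTPD_LOADED" = 1 ] && echo "$FAKE_NTPD_ENABLED" ;;
        *)                         return 1 ;;
    esac
}
fake_kldload() {
    # a kernel without options MAC cannot load a MAC policy module
    if [ -z "$FAKE_MAC" ] || [ "$FAKE_KLD_FAILS" = 1 ]; then
        return 1
    fi
    FAKE_NTPD_LOADED=1
}

# run_fake <mac_version> <ntpd_loaded> <ntpd_enabled> [kldload_fails]
# runs the check against one constructed kernel state and prints the verdict.
run_fake() {
    FAKE_MAC=$1; FAKE_NTPD_LOADED=$2; FAKE_NTPD_ENABLED=$3
    FAKE_KLD_FAILS=${4:-0}
    SYSCTL=fake_sysctl; KLDLOAD=fake_kldload
    mac_ntpd_check
}
```

On a real host, run mac_ntpd_check directly (or trace the rc script as Dimitry suggests; note that /etc/rc.d/ntpd needs a command argument, so the invocation is sh -x /etc/rc.d/ntpd start or similar). A "no-mac" verdict means the kernel was built without options MAC, "no-module" means /boot/kernel/mac_ntpd.ko could not be loaded, and "disabled" means the policy was turned off by tunable or sysctl; in each case the quoted rc.d checks return 1 on that host.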