Date: Wed, 13 Mar 2019 14:37:01 +0100 From: "Julian H. Stacey" <jhs@berklix.com> To: Dimitry Andric <dim@FreeBSD.org> Cc: hackers@FreeBSD.org Subject: Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails Message-ID: <201903131337.x2DDb1do072976@fire.js.berklix.net> In-Reply-To: Your message "Wed, 13 Mar 2019 13:06:12 %2B0100." <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 13 Mar 2019, at 12:50, Julian H. Stacey <jhs@berklix.com> wrote:
> > Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> > uid=3D123 not root on 12.0, the process runs, But fails to correct
> > the time ! Next thing to diagnose it, would be a kill of ntpd &
> > restart direct as root, I'm not root there so I'll wait for that.
> >=20
> > Are others 12 systems slipping time too ?
>
> My systems are working fine, even though ntpd is running as user ntpd.
>
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
>
> # Try to set up the the MAC ntpd policy so ntpd can run with =
> reduced
> # privileges. Detect whether MAC is compiled into the kernel, =
> load
> # the policy module if not already present, then check whether =
> the
> # policy has been disabled via tunable or sysctl.
> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd =
> || return 1
> [ "$(sysctl -qn security.mac.ntpd.enabled)" =3D=3D "1" ] || =
> return 1
>
> So it tries to setup that MAC policy, which shows up in syslog like:
>
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash =
> signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, =
> expire=3D2019-06-28T00:00:00Z last=3D2017-01-01T00:00:00Z ofs=3D37
>
> Maybe on your system something goes wrong loading the mac_ntpd module,
> or setting the sysctl, but it still continues to attempt to run ntpd as
> non-root?
>
> I would run /etc/rc.d/ntpd with sh -x to see what is doing exactly.
>
> -Dimitry
> Loading mac_XXX modules requires options MAC in running kernel.
> GENERIC has options but custom kernel may lack it.
> -Dimitry
config -x /boot/kernel/kernel > ~/tmp/config
options CONFIG_AUTOGENERATED
ident GENERIC
sysctl -qn security.mac.version
4
kldstat
Id Refs Address Size Name
1 19 0xffffffff80200000 243cd00 kernel
5 1 0xffffffff82c47000 acf mac_ntpd.ko
grep mac /boot/loader.conf
# so probably the kernel module was loaded by ntpd
# _ntp_default_dir
ls -la /var/db/ntp
total 10
drwxr-xr-x 2 ntpd ntpd 4 Mar 11 23:39 .
drwxr-xr-x 15 root wheel 21 Feb 15 03:58 ..
-rw-r--r-- 1 ntpd ntpd 6 Mar 11 23:39 ntpd.drift
-rw-r--r-- 1 ntpd ntpd 5 Mar 13 13:53 ntpd.pid
cd /etc; ls -ls | grep ntp
drwx------ 2 root wheel 3 Dec 7 05:16 ntp
-rw-r--r-- 1 root wheel 3997 Dec 7 05:16 ntp.conf
ls -l /var/run/ntpd.leap-seconds.list
ls: /var/run/ntpd.leap-seconds.list: No such file or directory
I have bcc'd the owner & will wait for him to try as root:
sh -x /etc/rc.d/ntpd restart
sh -x /etc/rc.d/ntpd stop
If he doesnt see clues with that, maybe I will soon when my current laptop
will be travelling & also using ntpd.
Thanks Dimitry
Cheers,
Julian
--
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
Brexit now minority: 2.1 M now over 18, More Remainers; 1.5 M died, less
Leavers; 700 K votes Stolen from British Remainers in EU; + 3 M globaly
dis- franchised; + drift to Remain + avoid chaos. MPs should urge Queen:
Dismiss May, appoint new PM for unity government & 2nd Referendum. Revoke
Art. 50, plan better, refile Art.50 later? http://ExitBrexit.UK/#email_an_mp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903131337.x2DDb1do072976>