From owner-freebsd-hackers@freebsd.org Wed Mar 13 13:37:37 2019
Message-Id: <201903131337.x2DDb1do072976@fire.js.berklix.net>
To: Dimitry Andric
cc: hackers@FreeBSD.org
Subject: Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails
From: "Julian H. Stacey"
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Aachen Kent
In-reply-to: Your message "Wed, 13 Mar 2019 13:06:12 +0100." <19EB99F0-20E9-4FB9-98CF-118E3CDDE154@FreeBSD.org>
Date: Wed, 13 Mar 2019 14:37:01 +0100
List-Id: Technical Discussions relating to FreeBSD

> On 13 Mar 2019, at 12:50, Julian H. Stacey wrote:
> > Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> > uid=123 not root on 12.0, the process runs, but fails to correct
> > the time !
> > Next thing to diagnose it would be a kill of ntpd &
> > restart direct as root; I'm not root there so I'll wait for that.
> >
> > Are other 12 systems slipping time too ?
>
> My systems are working fine, even though ntpd is running as user ntpd.
>
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
>
>         # Try to set up the MAC ntpd policy so ntpd can run with reduced
>         # privileges. Detect whether MAC is compiled into the kernel, load
>         # the policy module if not already present, then check whether the
>         # policy has been disabled via tunable or sysctl.
>         [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>         sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>         [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>
> So it tries to set up that MAC policy, which shows up in syslog like:
>
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>
> Maybe on your system something goes wrong loading the mac_ntpd module,
> or setting the sysctl, but it still continues to attempt to run ntpd as
> non-root?
>
> I would run /etc/rc.d/ntpd with sh -x to see what it is doing exactly.
>
> -Dimitry
>
> Loading mac_XXX modules requires options MAC in running kernel.
> GENERIC has options but custom kernel may lack it.
> -Dimitry

config -x /boot/kernel/kernel > ~/tmp/config
options CONFIG_AUTOGENERATED
ident GENERIC

sysctl -qn security.mac.version
4

kldstat
Id Refs Address            Size     Name
 1   19 0xffffffff80200000 243cd00  kernel
 5    1 0xffffffff82c47000 acf      mac_ntpd.ko

grep mac /boot/loader.conf
# so probably the kernel module was loaded by ntpd

# _ntp_default_dir
ls -la /var/db/ntp
total 10
drwxr-xr-x   2 ntpd  ntpd     4 Mar 11 23:39 .
drwxr-xr-x  15 root  wheel   21 Feb 15 03:58 ..
-rw-r--r--   1 ntpd  ntpd     6 Mar 11 23:39 ntpd.drift
-rw-r--r--   1 ntpd  ntpd     5 Mar 13 13:53 ntpd.pid

cd /etc; ls -ls | grep ntp
drwx------  2 root  wheel     3 Dec  7 05:16 ntp
-rw-r--r--  1 root  wheel  3997 Dec  7 05:16 ntp.conf

ls -l /var/run/ntpd.leap-seconds.list
ls: /var/run/ntpd.leap-seconds.list: No such file or directory

I have bcc'd the owner & will wait for him to try as root:
    sh -x /etc/rc.d/ntpd restart
    sh -x /etc/rc.d/ntpd stop
If he doesn't see clues with that, maybe I will soon when my current
laptop will be travelling & also using ntpd.

Thanks Dimitry

Cheers,
Julian
--
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
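The rc.d fragment Dimitry quotes decides, in three steps, whether ntpd may drop to the unprivileged ntpd user (the MAC framework must be compiled in, the mac_ntpd policy must be loaded, and security.mac.ntpd.enabled must be 1); if any step fails, ntpd stays root. The script below is an added example written for this thread, not code from the thread, from Dimitry, or from FreeBSD's /etc/rc.d/ntpd. It re-implements that decision as a pure function that can be exercised anywhere, plus a probe that feeds it live sysctl values on a FreeBSD host, and a cross-check that the uid ntpd actually runs under agrees with the decision. The function names, the diagnostic strings, and the "present" marker for the policy check are assumptions; the uid 123 comes from the thread's subject line. Against Julian's own output (security.mac.version=4, mac_ntpd.ko in kldstat) the first two checks pass; the value of security.mac.ntpd.enabled is not shown in the thread, so the probe is what would settle the third.

```shell
#!/bin/sh
# Added example for the freebsd-hackers thread on ntpd running as uid 123.
# Not FreeBSD's rc.d/ntpd: it mirrors that script's three-step decision so
# the failure branches can be seen without a FreeBSD kernel. All names and
# messages here are assumptions made for the example.

# mac_ntpd_decision MACVER POLICY ENABLED
#   MACVER  : output of `sysctl -qn security.mac.version` ("" if absent)
#   POLICY  : "present" if `sysctl -qn security.mac.ntpd` succeeded, else ""
#   ENABLED : output of `sysctl -qn security.mac.ntpd.enabled` ("" if absent)
# Prints one diagnostic line. Returns 0 only when all three checks pass,
# which is the same condition under which rc.d/ntpd drops to uid ntpd.
mac_ntpd_decision() {
    _macver=$1 _policy=$2 _enabled=$3
    if [ -z "$_macver" ]; then
        echo "NO-MAC: kernel lacks 'options MAC'; rc.d would start ntpd as root"
        return 1
    fi
    if [ -z "$_policy" ]; then
        echo "NO-POLICY: mac_ntpd not loaded (kldload -qn mac_ntpd failed?)"
        return 1
    fi
    if [ "$_enabled" != "1" ]; then
        echo "DISABLED: security.mac.ntpd.enabled=${_enabled:-unset}"
        return 1
    fi
    echo "OK: mac_ntpd active (security.mac.version=$_macver); ntpd may run as uid ntpd"
    return 0
}

# Live probe: gather the three inputs with sysctl(8) on a FreeBSD host and
# run the decision. Exits non-zero exactly where rc.d/ntpd would keep root.
mac_ntpd_probe() {
    _v=$(sysctl -qn security.mac.version 2>/dev/null)
    _p=""
    sysctl -qn security.mac.ntpd >/dev/null 2>&1 && _p=present
    _e=$(sysctl -qn security.mac.ntpd.enabled 2>/dev/null)
    mac_ntpd_decision "$_v" "$_p" "$_e"
}

# ntpd_uid_matches DECISION_STATUS UID -> 0 when the running uid is the one
# the decision predicts: uid 123 (ntpd) on status 0, root (0) otherwise.
# Any other pairing means the rc.d path and the live process disagree and
# is worth a `sh -x /etc/rc.d/ntpd restart`, as suggested in the thread.
ntpd_uid_matches() {
    _status=$1 _uid=$2
    if [ "$_status" -eq 0 ]; then
        [ "$_uid" = "123" ]
    else
        [ "$_uid" = "0" ]
    fi
}

# Run the live probe only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--probe" ]; then
    mac_ntpd_probe
fi
```

On a FreeBSD 12 host, `sh this_script.sh --probe` prints which of the three gates ntpd failed, or OK; pair its exit status with the uid from `ps -o uid= -p "$(cat /var/db/ntp/ntpd.pid)"` via `ntpd_uid_matches` to confirm the privilege state matches what rc.d intended before looking for a cause elsewhere in ntpd itself.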