From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Date: Mon, 10 Mar 2025 16:34:15 +0100
Subject: Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
To: Tomoaki AOKI
Cc: David Wolfskill, freebsd-stable@freebsd.org
Message-ID: <4c70544d-b2d9-44b0-84a0-d4366478c2c6@plan-b.pwste.edu.pl>
In-Reply-To: <20250310220443.03f66b8c506b608d0ecddeae@dec.sakura.ne.jp>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On 10.03.2025 at 14:04, Tomoaki AOKI wrote:
> On Mon, 10 Mar 2025 14:21:32 +0200
> Marek Zarychta wrote:
>
>> On 10.03.2025 at 14:17, Tomoaki AOKI wrote:
>>> On Mon, 10 Mar 2025 05:06:25 -0700
>>> David Wolfskill wrote:
>>>
>>>> On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
>>>>> Hello List Subscribers,
>>>>>
>>>>> in the past the module was loaded automatically upon NTPD server startup.
>>>>> It's no longer true, now it has to be loaded earlier.
>>>>> Perhaps people running stable/14 might find this message useful.
>>>>>
>>>>> Cheers
>>>>> ....
>>>> So... I noticed this for (precisely) one of the five machines I have
>>>> that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
>>>> usual.
>>>>
>>>> In the failing case, it seems that
>>>>
>>>> sysctl security.mac.version
>>>>
>>>> yielded
>>>>
>>>> sysctl: unknown oid 'security.mac.version'
>>>>
>>>> which thus caused the code in /etc/rc.d/ntpd:
>>>>
>>>> # Try to set up the MAC ntpd policy so ntpd can run with reduced
>>>> # privileges. Detect whether MAC is compiled into the kernel, load
>>>> # the policy module if not already present, then check whether the
>>>> # policy has been disabled via tunable or sysctl.
>>>> [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>>>> sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>>>> [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>>>>
>>>> (in can_run_nonroot()) to return before the kldload can run.
>>>>
>>>> As the (only) machine that exhibits the failure is the one that
>>>> acts as my Internet gateway, I am fairly reluctant to have it down
>>>> longer than necessary. :-}
>>>>
>>>> (I admit that I was beginning to wonder if what I seemed to be
>>>> seeing was actually real.)
>>>>
>>>> Peace,
>>>> david
>>>> --
>>>> David H. Wolfskill david@catwhisker.org
>>>> Thank you, Claude Malhuret.
>>>> https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
>>>>
>>>> See https://www.catwhisker.org/~david/publickey.gpg for my public key.
>>> FYI:
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021308.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021313.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021312.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-February/021315.html
>>> https://lists.freebsd.org/archives/dev-commits-src-branches/2025-March/021327.html
>>>
>>> Maybe the order of some evaluations in /etc/rc.d/ntpd needs to be moved.
>>>
>> It looks like the problem is here:
>>
>> + eval ' limits -C daemon   /usr/sbin/ntpd  -p /var/db/ntp/ntpd.pid -c
>> /etc/ntp.conf  -u ntpd:ntpd'
>> + limits -C daemon /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c
>> /etc/ntp.conf -u ntpd:ntpd
>> daemon control: got EOF
>> + _return=255
>> + umask 0022
>> + [ 255 -ne 0 ]
>> + [ -z '' ]
>> + return 1
>> + warn 'failed to start ntpd'
>>
>> --
>> Marek Zarychta
> Yes.
> The newly added "-u" option mandates mac_ntpd.ko to drop root
> privilege.
>
> Maybe lines 48 through 55
>
> https://cgit.freebsd.org/src/tree/libexec/rc/rc.d/ntpd?h=stable/14#n48
>
> of the /etc/rc.d/ntpd would better be relocated to after line 68 or
> removed. Not tried, though, but this conditional causes the function
> to return to the caller before auto-loading mac_ntpd.ko at lines 62
> through 68.
>
> Another option would be relocating lines 62 through 68 to the top of
> the function can_run_nonroot().
>

Yes, the offending commit is 1a241a911dc8635c3803f1a6620e1ab4692f6ecf
(cherry picked from commit 521f66715afb312b356afafc68cbc044a436a753).
Starting and stopping services in 14/stable and main are done in a
different manner, I have not investigated it much though. Anyway, it
seems like an unintentional change, aka a regression in stable/14 ...

Cheers

--
Marek Zarychta
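The control-flow problem the thread describes (the security.mac.version test in can_run_nonroot() returning before kldload is reached) can be reproduced without a FreeBSD box. The script below is an added example, not part of the thread and not FreeBSD's rc.d/ntpd: sysctl(8) and kldload(8) are replaced by shell functions acting on a constructed in-script model of the kernel state. The model's assumption that loading the policy module makes the MAC sysctls appear is labelled as such; the reordered variant simply follows Tomoaki's suggestion of moving the module-load step to the top of the function.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.d/ntpd, not from the thread): simulate the
# can_run_nonroot() ordering problem by stubbing sysctl/kldload with shell
# functions over a constructed kernel-state model, so it runs anywhere.

# --- constructed kernel model (assumptions, not real kernel behaviour) ---
SIM_MAC_VERSION=""       # empty: security.mac.version oid unknown (failing host)
SIM_NTPD_LOADED=0        # 1 once the mac_ntpd policy has been "loaded"
SIM_KLDLOAD_CALLS=0      # how many times kldload was actually reached

sysctl() {
    # Accept "-qn <oid>", mimicking the calls made by rc.d/ntpd.
    [ "$1" = "-qn" ] && shift
    case "$1" in
        security.mac.version)
            [ -n "$SIM_MAC_VERSION" ] && { echo "$SIM_MAC_VERSION"; return 0; }
            return 1 ;;
        security.mac.ntpd)
            [ "$SIM_NTPD_LOADED" = 1 ] && { echo "loaded"; return 0; }
            return 1 ;;
        security.mac.ntpd.enabled)
            [ "$SIM_NTPD_LOADED" = 1 ] && { echo 1; return 0; }
            return 1 ;;
        *) return 1 ;;
    esac
}

kldload() {
    # Assumption of the model: loading the policy module also makes the
    # MAC sysctls visible. Count the call so the tests can see it happened.
    SIM_KLDLOAD_CALLS=$((SIM_KLDLOAD_CALLS + 1))
    SIM_NTPD_LOADED=1
    SIM_MAC_VERSION="4"
    return 0
}

reset_model() { SIM_MAC_VERSION=""; SIM_NTPD_LOADED=0; SIM_KLDLOAD_CALLS=0; }

# Ordering as quoted from the stable/14 script: the version check comes
# first, so on a host without the oid the function returns before kldload.
can_run_nonroot_original() {
    [ -n "$(sysctl -qn security.mac.version)" ] || return 1
    sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
    [ "$(sysctl -qn security.mac.ntpd.enabled)" = "1" ] || return 1
    return 0
}

# Reordered per the thread's suggestion: attempt the module load first,
# then perform the version and enabled checks.
can_run_nonroot_reordered() {
    sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
    [ -n "$(sysctl -qn security.mac.version)" ] || return 1
    [ "$(sysctl -qn security.mac.ntpd.enabled)" = "1" ] || return 1
    return 0
}

# Run one variant from a fresh model and report whether kldload was reached.
run_case() {  # $1 = function name
    reset_model
    if "$1"; then result=ok; else result=fail; fi
    echo "$1: $result (kldload reached $SIM_KLDLOAD_CALLS time(s))"
}

run_case can_run_nonroot_original
run_case can_run_nonroot_reordered
```

Running it prints one line per variant: the original ordering fails without ever reaching kldload, which matches David's observation that the unknown oid short-circuits the function, while the reordered variant loads the module and then passes the version and enabled checks. The real script also deliberately gives up when MAC is not compiled in; whether that intent and the module-load step can be reconciled is the question the thread leaves open.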