Date: Sat, 8 Feb 2020 16:04:13 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r525559 - in head/net/ntimed: . files Message-ID: <202002081604.018G4DmF062767@repo.freebsd.org>
Author: feld Date: Sat Feb 8 16:04:13 2020 New Revision: 525559 URL: https://svnweb.freebsd.org/changeset/ports/525559 Log: net/ntimed: Supervise process and attempt to drop privs PR: 243469 Modified: head/net/ntimed/Makefile head/net/ntimed/files/ntimed.in
Modified: head/net/ntimed/Makefile
==============================================================================
--- head/net/ntimed/Makefile Sat Feb 8 15:03:50 2020 (r525558)
+++ head/net/ntimed/Makefile Sat Feb 8 16:04:13 2020 (r525559)
@@ -3,7 +3,7 @@
 PORTNAME= ntimed
 PORTVERSION= 0.0.2015.01.30
-PORTREVISION= 0
+PORTREVISION= 1
 CATEGORIES= net
 MAINTAINER= feld@FreeBSD.org
Modified: head/net/ntimed/files/ntimed.in
==============================================================================
--- head/net/ntimed/files/ntimed.in Sat Feb 8 15:03:50 2020 (r525558)
+++ head/net/ntimed/files/ntimed.in Sat Feb 8 16:04:13 2020 (r525559)
@@ -25,14 +25,32 @@
 load_rc_config $name
 start_precmd=ntimed_prestart
 pidfile=/var/run/ntimed.pid
-procname="/usr/local/sbin/ntimed-client"
+ntimed_cmd="/usr/local/sbin/ntimed-client"
 command=/usr/sbin/daemon
-command_args=" -p ${pidfile} ${procname} ${ntimed_flags}"
+can_run_nonroot()
+{
+ # Try to set up the the MAC ntpd policy so ntimed can run with reduced
+ # privileges. Detect whether MAC is compiled into the kernel, load
+ # the policy module if not already present, then check whether the
+ # policy has been disabled via tunable or sysctl.
+ [ -n "$(sysctl -qn security.mac.version)" ] || return 1
+ sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
+ [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+}
+
 ntimed_prestart()
 {
- # Have to empty rc_flags so they don't get passed to daemon(8)
- rc_flags=""
+ # Have to empty rc_flags so they don't get passed to daemon(8)
+ rc_flags=""
+
+ if can_run_nonroot; then
+ _ntimed_user="ntpd"
+ else
+ _ntimed_user="root"
+ fi
+
+ command_args=" -r -P ${pidfile} -u ${_ntimed_user} ${ntimed_cmd} ${ntimed_flags}"
 }
 run_rc_command "$1"
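Review bot: The else branch of ntimed_prestart sets `_ntimed_user="root"` silently, so on a host where MAC is not compiled in, mac_ntpd cannot be loaded, or the policy is disabled, ntimed-client keeps running as root and nothing tells the operator that the privilege drop did not happen. Adding `warn "mac_ntpd policy not available, running ntimed-client as root"` in that branch (rc.subr provides `warn`) would make the fallback visible at start-up. can_run_nonroot also checks only `security.mac.ntpd.enabled` while the account name `ntpd` is hard-coded; if the policy is configured for a different uid (it appears to be tunable, to be confirmed against mac_ntpd(4)), the client would start without the privileges it needs to set the clock and `daemon -r` would keep restarting it. The new comment in can_run_nonroot reads "the the MAC ntpd policy".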