Date:      Sat, 8 Feb 2020 16:04:13 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r525559 - in head/net/ntimed: . files
Message-ID:  <202002081604.018G4DmF062767@repo.freebsd.org>

Author: feld
Date: Sat Feb  8 16:04:13 2020
New Revision: 525559
URL: https://svnweb.freebsd.org/changeset/ports/525559

Log:
  net/ntimed: Supervise process and attempt to drop privs
  
  PR:		243469

Modified:
  head/net/ntimed/Makefile
  head/net/ntimed/files/ntimed.in

Modified: head/net/ntimed/Makefile
==============================================================================
--- head/net/ntimed/Makefile	Sat Feb  8 15:03:50 2020	(r525558)
+++ head/net/ntimed/Makefile	Sat Feb  8 16:04:13 2020	(r525559)
@@ -3,7 +3,7 @@
 
 PORTNAME=	ntimed
 PORTVERSION=	0.0.2015.01.30
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	net
 
 MAINTAINER=	feld@FreeBSD.org

Modified: head/net/ntimed/files/ntimed.in
==============================================================================
--- head/net/ntimed/files/ntimed.in	Sat Feb  8 15:03:50 2020	(r525558)
+++ head/net/ntimed/files/ntimed.in	Sat Feb  8 16:04:13 2020	(r525559)
@@ -25,14 +25,32 @@ load_rc_config $name
 
 start_precmd=ntimed_prestart
 pidfile=/var/run/ntimed.pid
-procname="/usr/local/sbin/ntimed-client"
+ntimed_cmd="/usr/local/sbin/ntimed-client"
 command=/usr/sbin/daemon
-command_args=" -p ${pidfile} ${procname} ${ntimed_flags}"
 
+can_run_nonroot()
+{
+        # Try to set up the the MAC ntpd policy so ntimed can run with reduced
+        # privileges.  Detect whether MAC is compiled into the kernel, load
+        # the policy module if not already present, then check whether the
+        # policy has been disabled via tunable or sysctl.
+        [ -n "$(sysctl -qn security.mac.version)" ] || return 1
+        sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
+        [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+}
+
 ntimed_prestart()
 {
-	# Have to empty rc_flags so they don't get passed to daemon(8)
-	rc_flags=""
+        # Have to empty rc_flags so they don't get passed to daemon(8)
+        rc_flags=""
+
+        if can_run_nonroot; then
+            _ntimed_user="ntpd"
+        else
+            _ntimed_user="root"
+        fi
+
+        command_args=" -r -P ${pidfile} -u ${_ntimed_user} ${ntimed_cmd} ${ntimed_flags}"
 }
 
 run_rc_command "$1"
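Review bot: The else branch in ntimed_prestart falls back to `_ntimed_user="root"` silently, so on a host where MAC is not in the kernel, mac_ntpd cannot be loaded, or security.mac.ntpd.enabled is not 1, the network-facing client keeps running with full privileges and nothing in the logs shows that the privilege drop did not happen. Emitting a message through rc.subr's warn in that branch would make the downgrade visible, e.g. `warn "mac_ntpd policy unavailable or disabled; starting ${name} as root"`. As a smaller style point, the string comparison in can_run_nonroot uses `==`, which is not POSIX test syntax; `=` is the portable spelling.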


