Re: git: 1a241a911dc8 - stable/14 - ntpd: Use the ntpd -u option in preference to the rc su plumbing
Date: Sun, 02 Mar 2025 01:25:45 UTC
On Sat, 1 Mar 2025 05:37:19 +0900
Tomoaki AOKI <junchoon@dec.sakura.ne.jp> wrote:

> On Fri, 28 Feb 2025 08:22:52 -0800
> Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > In message <202502281412.51SECsWG048020@nuc.oldach.net>, Helge Oldach
> > writes:
> > > Tomoaki AOKI wrote on Fri, 28 Feb 2025 10:53:24 +0100 (CET):
> > > > Unfortunately, this commit caused ntpd hesitating to (re)start
> > > > with error messages below on stable/14, amd64.
> > > >
> > > > ===== Quote =====
> > > > # service ntpd stop
> > > > Stopping ntpd.
> > > > Waiting for PIDS: 52508.
> > > > # service ntpd start
> > > > Starting ntpd.
> > > > daemon control: got EOF
> > > > /etc/rc.d/ntpd: WARNING: failed to start ntpd
> > > > #
> > > > ===== End quote =====
> > > >
> > > > Note that I have
> > > > ntpd_flags="-4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log"
> > > > ntpd_config="/etc/ntp/ntp.conf"
> > > > ntpd_enable="YES"
> > > > ntpd_sync_on_start="YES"
> > > > daily_ntpd_leapfile_enable="YES"
> > > > ntp_leapfile_fetch_verbose="YES"
> > > > in my /etc/rc.conf.
> > >
> > > I suggest ensuring that the files referenced by the command line or by
> > > configuration files can be created/written to by ntpd:ntpd.
> > >
> > > For example, you're not using the default location for ntpd.drift.
> > > The default location is /var/db/ntp/ntpd.drift, where the directory
> > > /var/db/ntp/ is owned by ntpd:ntpd (as per /etc/mtree/BSD.var.dist), so
> > > ntpd is able to write the drift file after dropping privileges.
> > >
> > > Kind regards
> > > Helge
>
> Thanks for advice!
> IIRC, my configuration was to allow keeping use of the old-school place.
>
> Anyway, edited /etc/rc.conf to switch /var/db/ntpd.drift
> to /var/db/ntp/ntpd.drift (the service command picks up configs every time
> it is invoked, so no reboots), without luck. Of course, /var/db/ntp has
> ntpd:ntpd ownership.
>
> Comparing succeeded (with reverted /etc/rc.d/ntpd) and failed
> (/etc/rc.d/ntpd without reverts), I found an error only in the latter
> case.
>
> 1 Mar 04:32:59 ntpd[12772]: Need MAC 'ntpd' policy enabled to drop root privileges
> 1 Mar 04:32:59 ntpd[12771]: daemon child exited with code 255
>
> In the normal case, ntpd starts soliciting pool servers, but in the erroneous
> case, it stops there (does not start soliciting pool servers).
>
> > This looks like it's related to,
> >
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284863, which is upstream
> > https://bugs.ntp.org/show_bug.cgi?id=3967. It's a regression in 4.2.8p18.
>
> Thanks!
> But it's not my case. All interfaces have different IP addresses.
> (Some are hidden with "*".)
>
> % ifconfig
> em0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1454
>         options=4e504bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
>         ether 98:*:*:*:*:*
>         inet 192.168.*.45 netmask 0xffffff00 broadcast 192.168.*.255
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
>         options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>         groups: lo
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> wlan0: flags=8c43<UP,BROADCAST,RUNNING,DRV_OACTIVE,SIMPLEX,MULTICAST> metric 10 mtu 1500
>         options=0
>         ether 24:*:*:*:*:*
>         inet 192.168.*.108 netmask 0xffffff00 broadcast 192.168.*.255
>         groups: wlan
>         ssid "" channel 36 (5180 MHz 11a)
>         regdomain JAPAN country JP authmode WPA1+WPA2/802.11i privacy ON
>         deftxkey UNDEF txpower 23 bmiss 7 mcastrate 6 mgmtrate 6
>         scanvalid 60 wme roaming MANUAL
>         parent interface: iwlwifi0
>         media: IEEE 802.11 Wireless Ethernet autoselect mode 11a
>         status: no carrier
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> The problem seems to be "how to enable MAC 'ntpd' policy?".
>
> Reading Chapter 18 of the Handbook (especially 18.5) and looking
> into /boot/kernel, mac_ntpd.ko seems to be the culprit, but as I still
> have confusions with the MAC feature, I'm not 100% sure whether loading it is
> safe or not, thus, still cannot try loading it.
>
> *I've read somewhere (lost track of where) a statement that "once the MAC
> feature is enabled in a filesystem, it cannot be disabled anymore and
> possibly causes fatal problems on interoperability".
> This does not match the Handbook, at least 18.5, though.
>
> My /etc/rc.conf is carried over from 2.1.6.1 (IIRC) with modifications
> as needed. So I don't have MAC (not MAC address but Mandatory Access
> Control feature, I guess) related configurations in it.
>
> IMHO, these kinds of mandated (and considered to be safe) configurations
> should be in /etc/defaults/rc.conf (including auto-loading mandatory
> in-tree kmods) by default and overridden in /etc/rc.conf[.local] whenever
> actually needed.

I tried, and it turned out that mac_ntpd.ko, which is not auto-loaded, was the
culprit. Loading it manually resolved the issue.

Looking closer (not limited to the diff) into /etc/rc.d/ntpd, it has the
function can_run_nonroot() and it has code to auto-load mac_ntpd.ko, but
it doesn't work because the checks for options that access files run
before the auto-load code, thus it returns earlier if any of the -f, -k, -p,
-i, -l and -s options are specified.

I think this order is basically reversible, as /var/db/ntp/ is
defaulted with ownership ntpd:ntpd and ntpd.drift has defaulted to
ntpd:ntpd. And the pid file and log file are (IIUC) opened before the
privilege is dropped and kept open. Not sure about keyfile, jaildir and
statsdir, as I haven't specified them.

> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> > NTP: <cy@nwtime.org> Web: https://nwtime.org
> >
> > e^(i*pi)+1=0
>
> Regards.
>
> --
> Tomoaki AOKI <junchoon@dec.sakura.ne.jp>

--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
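The check Helge suggests (every file ntpd is told to open via -f/-k/-p/-i/-l/-s must be writable by the user ntpd drops to under -u), written out as a small POSIX sh script. This is an added example for the thread, not code from /etc/rc.d/ntpd, from the ntpd port, or from either poster. It assumes options are passed as separate words ("-f /path", not "-f/path"), it checks ownership only (not full permission bits or the MAC policy), and it deliberately treats all six file options the same, which is stricter than necessary if, as Tomoaki suspects, the pid and log files are opened before the privilege drop. The function name check_ntpd_paths and the helper path_owner are this example's own.

```shell
#!/bin/sh
# Added example: verify that the files named on an ntpd command line are
# owned by the unprivileged user ntpd will switch to (ntpd:ntpd on FreeBSD),
# so the daemon can still create/write them after dropping root.
# Not code from /etc/rc.d/ntpd; names and structure are this example's own.

# Owner of PATH, or of its parent directory when PATH does not exist yet
# (ntpd creates the drift file itself, after privileges are dropped).
# ls(1) is used rather than stat(1) because stat's flags differ between
# FreeBSD (-f %Su) and GNU coreutils (-c %U); ls -ld output is the same.
path_owner() {
    p=$1
    [ -e "$p" ] || p=$(dirname "$p")
    ls -ld "$p" 2>/dev/null | awk '{print $3}'
}

# check_ntpd_paths USER FLAG...
# Walks an ntpd_flags-style argument list. For each option that names a
# file (-f drift, -k keys, -p pidfile, -i jaildir, -l logfile, -s statsdir)
# it reports the argument if its owner is not USER. Returns 0 when every
# such path is USER-owned, 1 otherwise (also when an option lacks its
# argument, which ntpd would reject anyway).
check_ntpd_paths() {
    user=$1; shift
    bad=0
    while [ $# -gt 0 ]; do
        case $1 in
        -f|-k|-p|-i|-l|-s)
            opt=$1; shift
            if [ $# -eq 0 ]; then
                echo "$opt: missing argument" >&2
                return 1
            fi
            owner=$(path_owner "$1")
            if [ "$owner" != "$user" ]; then
                echo "$opt $1: owner is '${owner:-none}', ntpd would run as '$user'" >&2
                bad=1
            fi
            ;;
        esac
        shift
    done
    return $bad
}

# Demonstration with the ntpd_flags quoted in the thread. On a stock system
# /var/db and /var/log are root-owned, so both paths are reported unless they
# have been chowned to ntpd or moved under the ntpd-owned /var/db/ntp.
if check_ntpd_paths ntpd -4 -g -x -f /var/db/ntpd.drift -l /var/log/ntpd.log; then
    echo "all file arguments are owned by ntpd; -u ntpd:ntpd should be safe"
else
    echo "fix ownership (or move the files under /var/db/ntp) before relying on ntpd -u"
fi
```

Run it as root with the same words you have in ntpd_flags; anything it reports is a candidate for the "failed to start" symptom above, independent of whether mac_ntpd.ko is loaded.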