In message <20250311011257.dd642ecbcd132ecb7142d...@dec.sakura.ne.jp>, Tomoaki AOKI writes:
> On Mon, 10 Mar 2025 16:37:58 +0100
> "Herbert J. Skuhra" <herb...@gojira.at> wrote:
>
> > On Mon, 10 Mar 2025 13:06:25 +0100, David Wolfskill wrote:
> > > 
> > > On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> > > > Hello List Subscribers,
> > > > 
> > > > in the past the module was loaded automatically upon NTPD server startup.
> > > > It's no longer true, now it has to be loaded earlier.
> > > > Perhaps people running stable/14 might find this message useful.
> > 
> > Hmm, works for me on main and stable/14. 
> > 
> > > So... I noticed this for (precisely) one of the five machines I have
> > > that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
> > > usual.
> > > 
> > > In the failing case, it seems that
> > > 
> > >   sysctl security.mac.version
> > > 
> > > yielded
> > > 
> > >   sysctl: unknown oid 'security.mac.version'
> > 
> > I only get this if I build a kernel without "options MAC". But in this
> > case no mac_* kernel modules are built and ntpd fails with:
> > 
> > Starting ntpd.
> > daemon control: got EOF
> > /etc/rc.d/ntpd: WARNING: failed to start ntpd
>
> In this case, you'll find something like
>   Need MAC 'ntpd' policy enabled to drop root privileges
>   daemon child exited with code 255
> in ntpd logfile (/var/db/ntpd.log in my case, but
> possibly /var/log/messages by default).

I don't understand why some systems (those in this thread) have a problem 
not loading mac_ntpd while others, i.e. my stable/14 at $JOB, are fine. I'd 
like to try to understand the differences between those that work and those 
that don't.

First of all, the ntpd rc script bails without saying why when it 
encounters a problem. can_run_nonroot() simply returns a bad return code 
leaving us to wonder why.

The first order of business is to produce a patch to indicate why it 
bails. Please apply the attached patch and let me know where it fails. 
Messages will be printed to stderr and to /var/log/messages (assuming 
daemon.err is sent there).

>
> -- 
> Tomoaki AOKI    <junch...@dec.sakura.ne.jp>
>



diff --git a/libexec/rc/rc.d/ntpd b/libexec/rc/rc.d/ntpd
index 8babda09455c..223b92a1ddc4 100755
--- a/libexec/rc/rc.d/ntpd
+++ b/libexec/rc/rc.d/ntpd
@@ -45,6 +45,7 @@ can_run_nonroot()
 {
        # If the admin set what uid to use, we don't change it.
        if [ -n "${ntpd_user}" ]; then
+               logger -s -t "rc.d/ntpd" -p daemon.err "user ${ntpd_user} is 
not found, exiting"
                return 1
        fi
 
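Review bot: the message added in this hunk, `logger -s -t "rc.d/ntpd" -p daemon.err "user ${ntpd_user} is not found, exiting"`, does not describe the condition it reports: the branch is entered when the admin has set `ntpd_user`, and the comment right above it says the script deliberately leaves an admin-chosen uid alone, so nothing has been looked up or found missing. At daemon.err it will also print an error on every boot of a correctly configured system. Suggest wording like "ntpd_user is set to ${ntpd_user}, not adjusting privileges" at daemon.notice or daemon.info, or no message at all, since this is the expected path for that configuration.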
@@ -54,6 +55,7 @@ can_run_nonroot()
            *-f* | *--driftfile* | *-i* | *--jaildir*   | \
            *-k* | *--keyfile*   | *-l* | *--logfile*   | \
            *-p* | *--pidfile*   | *-s* | *--statsdir* )
+               logger -s -t "rc.d/ntpd" -p daemon.err "user ${ntpd_user} 
cannot access files listed in command line, exiting"
                return 1;;
        esac
 
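Review bot: `${ntpd_user}` is empty by the time this hunk's message runs ("user ${ntpd_user} cannot access files listed in command line, exiting"), because the first check in can_run_nonroot() already returned when it was set, so the log line will read "user  cannot access files listed in command line". Name the user the script would have used (ntpd) and say what was actually detected, e.g. "ntpd_flags specifies file paths, cannot guarantee ntpd user access, not dropping privileges"; as in the first hunk, daemon.err seems too loud for a supported configuration.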
@@ -66,15 +68,32 @@ can_run_nonroot()
        # privileges.  Detect whether MAC is compiled into the kernel, load
        # the policy module if not already present, then check whether the
        # policy has been disabled via tunable or sysctl.
-       [ -n "$(sysctl -qn security.mac.version)" ] || return 1
-       sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || 
return 1
-       [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+       if [ -z "$(sysctl -qn security.mac.version)" ]; then
+               logger -s -t "rc.d/ntpd" -p daemon.err "kernel does not support 
MAC, exiting"
+               return 1
+       fi
+       if ! sysctl -qn security.mac.ntpd >/dev/null; then
+               if ! kldload -qn mac_ntpd; then
+                       logger -s -t "rc.d/ntpd" -p daemon.err "failed to load 
mac_ntpd, exiting"
+                       return 1
+               fi
+       fi
+       if [ ! "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ]; then
+               logger -s -t "rc.d/ntpd" -p daemon.err 
"security.mac.ntpd.enabled is not enabled, exiting"
+               return 1
+       fi
 
        # On older existing systems, the ntp dir may by owned by root, change
        # it to ntpd to give the daemon create/write access to the driftfile.
        if [ "$(stat -f %u ${_ntp_default_dir})" = "0" ]; then
-               chown ntpd:ntpd "${_ntp_default_dir}" || return 1
-               chmod 0755 "${_ntp_default_dir}" || return 1
+               if ! chown ntpd:ntpd "${_ntp_default_dir}"; then
+                       logger -s -t "rc.d/ntpd" -p daemon.err "chown 
${_ntp_default_dir} failed, exiting"
+                       return 1
+               fi
+               if ! chmod 0755 "${_ntp_default_dir}"; then
+                       logger -s -t "rc.d/ntpd" -p daemon.err "chmod 
${_ntp_default_dir} failed, exiting"
+                       return 1
+               fi
                logger -s -t "rc.d/ntpd" -p daemon.notice \
                    "${_ntp_default_dir} updated to owner ntpd:ntpd, mode 0755"
        fi
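Review bot: the six new logger calls in this hunk repeat `logger -s -t "rc.d/ntpd" -p daemon.err` with message strings long enough to run well past 80 columns, while the existing daemon.notice call at the end of the hunk breaks its arguments with a trailing `\`; a small helper such as `_ntpd_err() { logger -s -t "rc.d/ntpd" -p daemon.err "$@"; }` would keep each call on one line and keep the tag and priority consistent across the script. Two smaller points in the same hunk: `if [ ! "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ]` reads more clearly as `!= "1"` (`=` and `!=` are also the portable test(1) string operators; the `==` is inherited from the removed line), and "security.mac.ntpd.enabled is not enabled" would be clearer as "security.mac.ntpd.enabled is 0, policy disabled".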
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX:  <c...@freebsd.org>   Web:  https://FreeBSD.org
NTP:           <c...@nwtime.org>    Web:  https://nwtime.org

                        e^(i*pi)+1=0
