History log of /src/libexec/rc/rc.d/ntpd (Results 1 – 25 of 48)
Revision Date Author Comments
# 5ca77545 11-Mar-2025 Cy Schubert <cy@FreeBSD.org>

Revert "ntpd: Use the ntpd -u option in preference to the rc su plumbing"

Using the ntpd -u option to set the credentials ntpd is to run under
while still using rc(8) to invoke causes some FreeBSD installs to fail
to load mac_ntp. The fact that can_run_nonroot() does not
indicate why failures occur leaves people on the mailing lists
guessing as to why there are failures. Let's revert back to using
the rc(8) provided su. The ntpd rc script will be rewritten when
the ntpd chroot will be implemented.

Reported on: freebsd-stable@
MFC after: immediately

This reverts commit 521f66715afb312b356afafc68cbc044a436a753.



# 521f6671 12-Dec-2024 Cy Schubert <cy@FreeBSD.org>

ntpd: Use the ntpd -u option in preference to the rc su plumbing

Using the rc plumbing to setuid(2) is preferred as it allows the user
to use the -i option in ntpd_flags to chroot ntpd.

Chrooting ntpd by default will be a 2025 project.

MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D48191



# f99f0ee1 22-May-2024 Alexander Leidinger <netchild@FreeBSD.org>

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I've been running this
for more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371



# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# 7ed279f5 04-Sep-2022 Gordon Bergling <gbe@FreeBSD.org>

ntpd(8): Correct a typo in comment of the rc script

- s/the the/the/

MFC after: 3 days


# 1442fed7 14-Jun-2022 John Baldwin <jhb@FreeBSD.org>

rc.d/ntpd: Restart ntpd when resuming from sleep.

ntpd does not always gracefully handle clock steps during resume.
This is probably most useful in conjunction with
ntpd_sync_on_start=YES which will work around any clock skew while
suspended.

Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D35479



# c6806434 18-Jan-2022 Cy Schubert <cy@FreeBSD.org>

rc.d/ntp: Ensure ntpd.leap-seconds.list is readable by ntpd

When a user sets umask in login.conf(5) to 027 or 077 a subsequently
fetched /var/db/ntpd.leap-seconds.list will inherit the permissions
allowed by the umask, resulting in a file that may not be readable by
ntpd running under the ntp account. This patch adds a umask command
to preempt the umask in login.conf(5) prior to fetching a new copy
of the leap-seconds file.

PR: 261298
Reported by: Martin Waschbusch <martin@waschbuesch.de>
MFC after: 3 days



# 735c001b 25-Nov-2019 Ian Lepore <ian@FreeBSD.org>

Allow opt-out of automatic ntpd leapfile checking/fetching.

When a system has no internet connection, or when it is configured to obtain
ntpd leapfiles from some source other than the internet, or even when the
sysadmin has decided for some reason to customize ntp.conf to eliminate use
of the leapfile, the rc.d/ntpd script emits various error messages related
to the file.

This change allows setting the rc var ntp_db_leapfile to NONE to disable all
automatic processing related to that file in rc.d/ntpd.

Differential Revision: https://reviews.freebsd.org/D22461



# 9c6dc2fe 23-May-2019 Ian Lepore <ian@FreeBSD.org>

Remove accidentally-added blank line; the style throughout this file
is to use no whitespace between a comment block and the code it describes.


# a2119d62 23-May-2019 Ian Lepore <ian@FreeBSD.org>

Handle the driftfile option correctly when ntpd_flags is empty.

The logic I originally wrote to detect whether a driftfile option was in the
set of flags was based on the result of removing the pattern *flag* being an
empty string. That didn't handle the case where the string was empty to
begin with. Doh! So now it also specifically checks for an empty string.

The result of the bad check was that ntpd would run without a driftfile, but
it would do so only if it was running as root instead of the non-privileged
ntpd user, which isn't a typical case. Ntpd runs fine without a driftfile,
although it does take it longer to stabilize the clock frequency at startup.

Reported by: avg@
Pointy hat: ian@
MFC after: some testing



# 0696600c 17-Oct-2018 Bjoern A. Zeeb <bz@FreeBSD.org>

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.

Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)



# 1135e97b 28-Jul-2018 Brad Davis <brd@FreeBSD.org>

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466



# d11f4dfd 20-Jul-2018 Ian Lepore <ian@FreeBSD.org>

Automatically run ntpd as non-root when possible.

Ntpd needs only a subset of full root privileges to do its job. Specifically
it needs the ability to manipulate system time, and to re-bind to a
privileged UDP port after interface changes. The mac_ntpd(4) policy module
(see r336525) can grant these privs.

These changes detect the availability of mac_ntpd(4). If enabled, and if the
ntpd configuration is fairly vanilla, it automatically runs ntpd as the
non-root user 'ntpd' (uid 123). "Vanilla" means the config doesn't include
command line or ntp.conf options changing the location of files or using any
files/dirs likely to be inaccessible to user ntpd. Ntpd can still run as
non-root when using such options, but the admin must ensure all required
files and dirs are accessible, and then set ntpd_user=ntpd in rc.conf.

Note that these changes also address PR 199127 by using the command_args
technique suggested in the patch. They also tangentially address PR 113552,
which is primarily about inconsistent filenames in documentation, but some
of the inconsistency was caused by old code in rc.d/ntpd which is leftover
from the initial import from netbsd. There was code to do chroot setup which
required the use of the netbsd clockctl(4) device; that code never had any
effect on freebsd, because we lack that device and don't build ntpd with the
options that would allow using it.

PR: 113552 199127
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16050



# 795c4eaa 28-Jun-2018 Ian Lepore <ian@FreeBSD.org>

When being verbose about various leapfile versions, also mention expiration.

The expiration date is actually more of a version number than the version
date, because expiration changes twice a year, whereas the version only
changes when actual leap second events occur (except in USNO leapfiles,
which inappropriately bump the version with every expiration date change).



# b5a278bc 28-Jun-2018 Ian Lepore <ian@FreeBSD.org>

Rename variable ntp_tmp_leapfile to have a leading underbar, to distinguish
it from variables with similar names which are set in rc.conf. This will
make more sense as the script grows more similar-name local variables in
some upcoming changes.



# 6014f3c4 23-Jun-2018 Ian Lepore <ian@FreeBSD.org>

Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot.

The final 'mv' to install a fetched leap-list file can fail (due to a
readonly fs, or schg flags, for example), and that leads to mv(1)
prompting the user, stopping the boot process. Instead, use mv -f
to suppress the prompting, and if verbose mode is on, emit a warning
that the existing file cannot be replaced.

PR: 219255



# da7a237f 09-Jan-2018 Cy Schubert <cy@FreeBSD.org>

USNO and possibly others have misinterpreted the meaning of the
leapseconds last-update field and incorrectly increment it when changing
the file even though the leapsecond data has not changed. For instance,
if a leapsecond file is obtained from USNO, when it expires it will not
be replaced by a newer file from other sources because it has an
incorrect later last-update (version).

This corrects r304780.

PR: 225029
Submitted by: ian
MFC after: 3 days



# cc589106 28-Nov-2017 Alan Somers <asomers@FreeBSD.org>

Fix fetching ntp leapfile after 325256

Submitted by: Ronald Klop <ronald-lists@klop.ws>
Reviewed by: asomers
MFC after: 3 days
X-MFC-With: 325256


# dde76442 19-Oct-2017 Cy Schubert <cy@FreeBSD.org>

Anticongestion refinements for ntpd rc script. This reverts r324681
and checks if ntp leapfile needs fetching before entering into the
anticongestion sleep.

Unfortunately some ports still use their own sleeps so, this commit
doesn't address the complete problem which is compounded by every
port that uses its own anticongestion mechanism.

Discussed with: asomers



# eb27c4c0 25-Aug-2016 Cy Schubert <cy@FreeBSD.org>

Remove the gratuitous check for $FreeBSD$ and rename the function
to ntpd_init_leapfile, to ensure a copy exists in /var/db if a copy
isn't already there.

Reported by: ache@
MFC after: 1 day


# 05174bd9 25-Aug-2016 Cy Schubert <cy@FreeBSD.org>

Make validation of the leap-seconds file unconditional.

MFC after: 1 day


# 1ac66dd3 25-Aug-2016 Cy Schubert <cy@FreeBSD.org>

Add logic to replace the working ntp leap-seconds file in /var/db
if it contains a $FreeBSD$ header. The header will cause the file
to fail checksum of the hash causing ntpd to ignore the file.

MFC after: 1 day



# 0a8083a6 25-Aug-2016 Cy Schubert <cy@FreeBSD.org>

Change the algorithm by which /var/db/leap-seconds is updated.

1. Use the leap-seconds version number (update time) to determine
whether to update the file or not.

2. If the version numbers of the files are the same, use the later
expiry date to determine which file to use.

Suggested by: ian@
MFC after: 1 day



# 3f9e9f23 25-May-2016 Cy Schubert <cy@FreeBSD.org>

Use the expiry date to determine whether to replace the DB copy of
leapfile instead of using the leapfile serial number (create
timestamp).

PR: 209577
MFC after: 3 days


# 6c1a5e83 23-Apr-2016 Lars Engels <lme@FreeBSD.org>

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452
