/usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

/usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Julian H. Stacey-3
Hi [hidden email],
Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
uid=123 not root on 12.0, the process runs, But fails to correct
the time !  Next thing to diagnose it, would be a kill of ntpd &
restart direct as root, I'm not root there so I'll wait for that.

Are others 12 systems slipping time too ?

-------------------------------------------------------------------------------

The bad host: 12.0-p3
  grep ntp /etc/rc.conf
    ntpd_enable="YES"
  Identical: /etc/ntp.conf /usr/src/usr.sbin/ntp/ntpd/ntp.conf
  ps -laxww | grep ntp| grep -v grep
   UID   PID  PPID CPU PRI NI    VSZ   RSS MWCHAN   STAT TT          TIME COMMAND
   123 17872     1   0  20  0  19424 19520 select   Ss    -       0:01.59 /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift
  ntpd is running not as root, but as 123
  ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
  -r-xr-xr-x  1 root  wheel  842896 Dec  7 05:16 /usr/sbin/ntpd
  ntpd has no s or g bits, so can not set time I presume,
  /var/log/messages has nothing since admin started it :
    Mar 11 20:51:53 hostname [16744]: ntpd 4.2.8p12-a (1): Starting
    Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
    Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
    Mar 11 21:37:46 hostname [16745]: ntpd exiting on signal 15 (Terminated)
    Mar 11 22:39:10 hostname [17871]: ntpd 4.2.8p12-a (1): Starting
    Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
    Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
  ls -l /var/db/ntpd*
    -rw-r--r--  1 root  wheel  10663 Dec 31 02:30 /var/db/ntpd.leap-seconds.list

-------------------------------------------------------------------------------

A good host for comparison : 10.3-STABLE on time with radio wall clock:

  UID   PID  PPID CPU PRI NI    VSZ   RSS MWCHAN   STAT TT         TIME COMMAND
    0   580     1   0  20  0  21900 13812 select   Ss    -      0:45.10 /usr/sbin/ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
  -r-xr-xr-x  1 root  wheel  763888 Aug 17  2016 /usr/sbin/ntpd*
  Non root manual invocation of ntpd command above:
  must be run as root, not uid 200
  grep ntp /etc/rc*
    /etc/rc.conf:ntpd_enable="YES"
    /etc/rc.conf:ntpd_sync_on_start="YES"           # Sync time on ntpd startup, even if offset is high
    /etc/rc.conf:ntpdate_enable="YES"               # Sync time on boot # as ntpd later refuses to compensate > 1 hour
  ls -l /var/db/ntpd*
    -rw-r--r--  1 root  wheel      8 Mar 13 10:14 /var/db/ntpd.drift
    -rw-r--r--  1 root  wheel  10663 Oct 27 14:10 /var/db/ntpd.leap-seconds.list

Cheers,
Julian
--
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
 Brexit now minority:  2.1 M now over 18, More Remainers;  1.5 M died, less
 Leavers; 700 K votes Stolen from British Remainers in EU; + 3 M globaly
 dis- franchised; + drift to Remain + avoid chaos.  MPs should urge Queen:
 Dismiss May, appoint new PM for unity government & 2nd Referendum.  Revoke
 Art. 50, plan better, refile Art.50 later?  http://ExitBrexit.UK/#email_an_mp
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Dimitry Andric-4
On 13 Mar 2019, at 12:50, Julian H. Stacey <[hidden email]> wrote:
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0, the process runs, But fails to correct
> the time !  Next thing to diagnose it, would be a kill of ntpd &
> restart direct as root, I'm not root there so I'll wait for that.
>
> Are others 12 systems slipping time too ?

My systems are working fine, even though ntpd is running as user ntpd.

There's this new part in /etc/rc.d/ntpd, which may be the reason it is
not working for you:

        # Try to set up the the MAC ntpd policy so ntpd can run with reduced
        # privileges.  Detect whether MAC is compiled into the kernel, load
        # the policy module if not already present, then check whether the
        # policy has been disabled via tunable or sysctl.
        [ -n "$(sysctl -qn security.mac.version)" ] || return 1
        sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
        [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1

So it tries to setup that MAC policy, which shows up in syslog like:

kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
ntpd[810]: ntpd 4.2.8p12-a (1): Starting
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

Maybe on your system something goes wrong loading the mac_ntpd module,
or setting the sysctl, but it still continues to attempt to run ntpd as
non-root?

I would run /etc/rc.d/ntpd with sh -x to see what is doing exactly.

-Dimitry
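
The three rc.d tests Dimitry quotes, reworked into a stand-alone diagnostic that also compares the policy state with the uid ntpd actually runs under. This is an added example for this thread, not FreeBSD's own /etc/rc.d/ntpd; it assumes FreeBSD's sysctl(8), kldload(8) and ps(1), wrapped in small functions so they can be stubbed on other systems.

```shell
#!/bin/sh
# ntpd_privcheck.sh: reproduce the three tests /etc/rc.d/ntpd runs before
# starting ntpd as the unprivileged "ntpd" user, say which one fails, and
# compare the result with the uid ntpd actually runs under.
# Added example for this thread, not FreeBSD's own rc script.
# The FreeBSD commands are wrapped in functions so they can be stubbed.

mac_version()      { sysctl -qn security.mac.version 2>/dev/null; }
mac_ntpd_present() { sysctl -qn security.mac.ntpd >/dev/null 2>&1 ||
                     kldload -qn mac_ntpd 2>/dev/null; }
mac_ntpd_enabled() { sysctl -qn security.mac.ntpd.enabled 2>/dev/null; }

# Prints ok, no-mac, no-module or disabled; returns 1 unless ok.
mac_ntpd_state() {
    # 1. MAC framework compiled into the running kernel?
    [ -n "$(mac_version)" ]         || { echo no-mac;    return 1; }
    # 2. mac_ntpd policy already present, or loadable as a module?
    mac_ntpd_present                || { echo no-module; return 1; }
    # 3. policy not switched off via loader tunable or sysctl?
    [ "$(mac_ntpd_enabled)" = "1" ] || { echo disabled;  return 1; }
    echo ok
}

# uid of the running /usr/sbin/ntpd, empty if it is not running.
ntpd_uid() {
    ps -axo uid=,command= | awk '$2 == "/usr/sbin/ntpd" { print $1; exit }'
}

# Combine policy state and uid: a non-root ntpd without a working
# mac_ntpd policy has no way to step or slew the clock.
ntpd_verdict() {
    state=$1 uid=$2
    if [ "$uid" = 0 ]; then
        echo "root ntpd: clock control via uid 0 (mac_ntpd state: $state)"
    elif [ "$state" = ok ]; then
        echo "unprivileged ntpd (uid $uid): clock control via mac_ntpd"
    else
        echo "BROKEN: ntpd runs as uid $uid but mac_ntpd is $state"
        return 1
    fi
}

ntpd_privcheck() {
    state=$(mac_ntpd_state) || true
    uid=$(ntpd_uid)
    [ -n "$uid" ] || { echo "ntpd is not running"; return 2; }
    ntpd_verdict "$state" "$uid"
}

# Only run the live check on FreeBSD; elsewhere just define the functions.
if [ "$(uname -s)" = FreeBSD ]; then ntpd_privcheck; fi
```

A non-zero exit from the script is the condition Julian describes: the daemon is up as uid 123 but the policy that is supposed to grant it clock control is missing or disabled, so the only fix is to repair the policy or run ntpd as root, not to wait for it to sync.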

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Julian H. Stacey-3
In reply to this post by Julian H. Stacey-3
Hi, Reference:
> From: "Julian H. Stacey" <[hidden email]>
> Date: Wed, 13 Mar 2019 12:50:07 +0100

"Julian H. Stacey" wrote:

> Hi [hidden email],
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0, the process runs, But fails to correct
> the time !  Next thing to diagnose it, would be a kill of ntpd &
> restart direct as root, I'm not root there so I'll wait for that.
>
> Are others 12 systems slipping time too ?
>
> -------------------------------------------------------------------------------
>
> The bad host: 12.0-p3
>   grep ntp /etc/rc.conf
>     ntpd_enable="YES"
>   Identical: /etc/ntp.conf /usr/src/usr.sbin/ntp/ntpd/ntp.conf
>   ps -laxww | grep ntp| grep -v grep
>    UID   PID  PPID CPU PRI NI    VSZ   RSS MWCHAN   STAT TT          TIME COMMAND
>    123 17872     1   0  20  0  19424 19520 select   Ss    -       0:01.59 /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift
>   ntpd is running not as root, but as 123
>   ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
>   -r-xr-xr-x  1 root  wheel  842896 Dec  7 05:16 /usr/sbin/ntpd
>   ntpd has no s or g bits, so can not set time I presume,
>   /var/log/messages has nothing since admin started it :
>     Mar 11 20:51:53 hostname [16744]: ntpd 4.2.8p12-a (1): Starting
>     Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
>     Mar 11 20:51:54 hostname [16745]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>     Mar 11 21:37:46 hostname [16745]: ntpd exiting on signal 15 (Terminated)
>     Mar 11 22:39:10 hostname [17871]: ntpd 4.2.8p12-a (1): Starting
>     Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
>     Mar 11 22:39:10 hostname [17872]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>   ls -l /var/db/ntpd*
>     -rw-r--r--  1 root  wheel  10663 Dec 31 02:30 /var/db/ntpd.leap-seconds.list
>
> -------------------------------------------------------------------------------
>
> A good host for comparison : 10.3-STABLE on time with radio wall clock:
>
>   UID   PID  PPID CPU PRI NI    VSZ   RSS MWCHAN   STAT TT         TIME COMMAND
>     0   580     1   0  20  0  21900 13812 select   Ss    -      0:45.10 /usr/sbin/ntpd -g -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
>   -r-xr-xr-x  1 root  wheel  763888 Aug 17  2016 /usr/sbin/ntpd*
>   Non root manual invocation of ntpd command above:
>   must be run as root, not uid 200
>   grep ntp /etc/rc*
>     /etc/rc.conf:ntpd_enable="YES"
>     /etc/rc.conf:ntpd_sync_on_start="YES"           # Sync time on ntpd startup, even if offset is high
>     /etc/rc.conf:ntpdate_enable="YES"               # Sync time on boot # as ntpd later refuses to compensate > 1 hour
>   ls -l /var/db/ntpd*
>     -rw-r--r--  1 root  wheel      8 Mar 13 10:14 /var/db/ntpd.drift
>     -rw-r--r--  1 root  wheel  10663 Oct 27 14:10 /var/db/ntpd.leap-seconds.list

PS A CURRENT host built Sunday 13.0-CURRENT #13944 also runs as 123, not root

 UID   PID  PPID CPU PRI NI    VSZ    RSS MWCHAN   STAT TT         TIME COMMAND
 123 89944     1   0  23  0  18656  18752 select   Ss    -      0:00.12 /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift
(that box is currently inside a firewall though)

but that host is currently on time (with timed), on line inside a
firewall, though if necessary to test ntpd, I could move it outside firewall &
disrupt the time to see if ntpd corrects it.

Cheers,
Julian

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Eugene Grosbein-10
In reply to this post by Dimitry Andric-4
13.03.2019 19:06, Dimitry Andric wrote:

> On 13 Mar 2019, at 12:50, Julian H. Stacey <[hidden email]> wrote:
>> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
>> uid=123 not root on 12.0, the process runs, But fails to correct
>> the time !  Next thing to diagnose it, would be a kill of ntpd &
>> restart direct as root, I'm not root there so I'll wait for that.
>>
>> Are others 12 systems slipping time too ?
>
> My systems are working fine, even though ntpd is running as user ntpd.
>
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
>
>         # Try to set up the the MAC ntpd policy so ntpd can run with reduced
>         # privileges.  Detect whether MAC is compiled into the kernel, load
>         # the policy module if not already present, then check whether the
>         # policy has been disabled via tunable or sysctl.
>         [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>         sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>         [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>
> So it tries to setup that MAC policy, which shows up in syslog like:
>
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>
> Maybe on your system something goes wrong loading the mac_ntpd module,

Loading mac_XXX modules requires options MAC in running kernel.
GENERIC has options but custom kernel may lack it.

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Julian H. Stacey-3
In reply to this post by Dimitry Andric-4
> On 13 Mar 2019, at 12:50, Julian H. Stacey <[hidden email]> wrote:
> > Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> > uid=123 not root on 12.0, the process runs, But fails to correct
> > the time !  Next thing to diagnose it, would be a kill of ntpd &
> > restart direct as root, I'm not root there so I'll wait for that.
> >
> > Are others 12 systems slipping time too ?
>
> My systems are working fine, even though ntpd is running as user ntpd.
>
> There's this new part in /etc/rc.d/ntpd, which may be the reason it is
> not working for you:
>
>         # Try to set up the the MAC ntpd policy so ntpd can run with reduced
>         # privileges.  Detect whether MAC is compiled into the kernel, load
>         # the policy module if not already present, then check whether the
>         # policy has been disabled via tunable or sysctl.
>         [ -n "$(sysctl -qn security.mac.version)" ] || return 1
>         sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
>         [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
>
> So it tries to setup that MAC policy, which shows up in syslog like:
>
> kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
> ntpd[810]: ntpd 4.2.8p12-a (1): Starting
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
> ntpd[811]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2019-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
>
> Maybe on your system something goes wrong loading the mac_ntpd module,
> or setting the sysctl, but it still continues to attempt to run ntpd as
> non-root?
>
> I would run /etc/rc.d/ntpd with sh -x to see what is doing exactly.
>
> -Dimitry

> Loading mac_XXX modules requires options MAC in running kernel.
> GENERIC has options but custom kernel may lack it.

> -Dimitry

config -x /boot/kernel/kernel > ~/tmp/config
  options CONFIG_AUTOGENERATED
  ident   GENERIC

sysctl -qn security.mac.version
  4

kldstat
  Id Refs Address                Size Name
   1   19 0xffffffff80200000  243cd00 kernel
   5    1 0xffffffff82c47000      acf mac_ntpd.ko

grep mac /boot/loader.conf
  # so probably the kernel module was loaded by ntpd

# _ntp_default_dir
ls -la /var/db/ntp
total 10
drwxr-xr-x   2 ntpd  ntpd    4 Mar 11 23:39 .
drwxr-xr-x  15 root  wheel  21 Feb 15 03:58 ..
-rw-r--r--   1 ntpd  ntpd    6 Mar 11 23:39 ntpd.drift
-rw-r--r--   1 ntpd  ntpd    5 Mar 13 13:53 ntpd.pid

cd /etc; ls -ls | grep ntp
  drwx------  2 root  wheel         3 Dec  7 05:16 ntp
  -rw-r--r--  1 root  wheel      3997 Dec  7 05:16 ntp.conf

ls -l /var/run/ntpd.leap-seconds.list
  ls: /var/run/ntpd.leap-seconds.list: No such file or directory

I have bcc'd the owner & will wait for him to try as root:
  sh -x /etc/rc.d/ntpd restart
  sh -x /etc/rc.d/ntpd stop

If he doesn't see clues with that, maybe I will soon when my current laptop
will be travelling & also using ntpd.

Thanks Dimitry

Cheers,
Julian

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Ruben
In reply to this post by Julian H. Stacey-3
Hi Julian,



On 3/13/19 12:50 PM, Julian H. Stacey wrote:
> Hi [hidden email],
> Has anyone else noticed release 12.0-p3 /usr/sbin/ntpd runs as
> uid=123 not root on 12.0, the process runs, But fails to correct
> the time !  Next thing to diagnose it, would be a kill of ntpd &
> restart direct as root, I'm not root there so I'll wait for that.
>
> Are others 12 systems slipping time too ?
>
Stuff snipped.


I noticed some UID changes as well.

Had to chown some ntpd directories to reflect that change as well (they
were not writable for the ntpd daemon after upgrading from 11.2 to 12.0).


Regards,


Ruben

Re: /usr/sbin/ntpd runs as uid=123 not root on 12.0 & fails

Julian H. Stacey-3
Thanks Dimitry, Eugene, Ruben for all ideas, it helped to track
down to what else ...  root@ for the host found an old host specific ipfw
firewall rule that needed to be deleted. Working now.  Thanks again all.

Cheers,
Julian