1.\" Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org> 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 
23.\" 24.Dd July 20, 2018 25.Dt MAC_NTPD 4 26.Os 27.Sh NAME 28.Nm mac_ntpd 29.Nd "policy allowing ntpd to run as non-root user" 30.Sh SYNOPSIS 31To compile the ntpd policy into your kernel, place the following lines 32in your kernel configuration file: 33.Bd -ragged -offset indent 34.Cd "options MAC" 35.Cd "options MAC_NTPD" 36.Ed 37.Pp 38Alternately, to load the ntpd policy module at boot time, 39place the following line in your kernel configuration file: 40.Bd -ragged -offset indent 41.Cd "options MAC" 42.Ed 43.Pp 44and in 45.Xr loader.conf 5 : 46.Bd -literal -offset indent 47mac_ntpd_load="YES" 48.Ed 49.Sh DESCRIPTION 50The 51.Nm 52policy grants any process running as user 53.Sq ntpd 54(uid 123) the privileges needed to manipulate 55system time, and to (re-)bind to the privileged NTP port. 56.Pp 57When 58.Xr ntpd 8 59is started with 60.Sq Fl u Ar <user>[:group] 61on the command line, it performs all initializations requiring root 62privileges, then drops root privileges by switching to the given user id. 63From that point on, the only privileges it requires are the ability 64to manipulate system time, and the ability to re-bind a UDP socket 65to the NTP port (port 123) after a network interface change. 66.Pp 67With the 68.Nm 69policy active, it may also be possible to start ntpd as a non-root user, 70because the default ntpd options don't require any additional root 71privileges beyond those granted by the policy. 72.Ss Privileges Granted 73The exact set of kernel privileges granted to any process running 74with the configured uid is: 75.Bl -inset -compact -offset indent 76.It Dv PRIV_ADJTIME 77.It Dv PRIV_CLOCK_SETTIME 78.It Dv PRIV_NTP_ADJTIME 79.It Dv PRIV_NETINET_RESERVEDPORT 80.It Dv PRIV_NETINET_REUSEPORT 81.El 82.Ss Runtime Configuration 83The following 84.Xr sysctl 8 85MIBs are available for fine-tuning this MAC policy. 86All 87.Xr sysctl 8 88variables can also be set as 89.Xr loader 8 90tunables in 91.Xr loader.conf 5 . 
.Bl -tag -width indent
.It Va security.mac.ntpd.enabled
Enable the
.Nm
policy.
(Default: 1).
.It Va security.mac.ntpd.uid
The numeric uid of the ntpd user.
(Default: 123).
.El
.Sh SEE ALSO
.Xr mac 4 ,
.Xr ntpd 8
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 12.0 .