Index: head/net/ntp/Makefile
===================================================================
--- head/net/ntp/Makefile
+++ head/net/ntp/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= ntp
 PORTVERSION= 4.2.8p11
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= net ipv6
 MASTER_SITES= http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ \
 http://archive.ntp.org/ntp4/ntp-4.2/ \
@@ -19,9 +19,10 @@
 USES= cpe pathfix shebangfix libedit libtool localbase:ldflags \
 pkgconfig
+USES+= autoreconf # until trustedbsd-mac changes accepted upstream
 GNU_CONFIGURE= yes
-CONFIGURE_ARGS= --enable-leap-smear
+CONFIGURE_ARGS= --enable-leap-smear --enable-trustedbsd-mac
 TEST_TARGET= check
Index: head/net/ntp/files/patch-ntpd_ntpd.c
===================================================================
--- head/net/ntp/files/patch-ntpd_ntpd.c
+++ head/net/ntp/files/patch-ntpd_ntpd.c
@@ -0,0 +1,45 @@
+--- ntpd/ntpd.c.orig 2018-02-27 15:15:48 UTC
++++ ntpd/ntpd.c
+@@ -123,6 +123,9 @@
+ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+ # include
+ #endif /* HAVE_PRIV_H */
++#if defined(HAVE_TRUSTEDBSD_MAC)
++# include
++#endif /* HAVE_TRUSTEDBSD_MAC */
+ #endif /* HAVE_DROPROOT */
+
+ #if defined (LIBSECCOMP) && (KERN_SECCOMP)
+@@ -634,7 +637,12 @@ ntpdmain(
+ /* MPE lacks the concept of root */
+ # if defined(HAVE_GETUID) && !defined(MPE)
+ uid = getuid();
+- if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
++ if (uid && !HAVE_OPT( SAVECONFIGQUIT )
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /* We can run as non-root if the mac_ntpd policy is enabled. */
++ && mac_is_present("ntpd") != 1
++# endif
++ ) {
+ msyslog_term = TRUE;
+ msyslog(LOG_ERR,
+ "must be run as root, not uid %ld", (long)uid);
+@@ -1082,7 +1090,17 @@ getgroup:
+ exit (-1);
+ }
+
+-# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /*
++ * To manipulate system time and (re-)bind to NTP_PORT as needed
++ * following interface changes, we must either run as uid 0 or
++ * the mac_ntpd policy module must be enabled.
++ */
++ if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
++ msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges");
++ exit (-1);
++ }
++# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
+ /*
+ * for now assume that the privilege to bind to privileged ports
+ * is associated with running with uid 0 - should be refined on
Index: head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
===================================================================
--- head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
+++ head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
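Review bot: In patch-ntpd_ntpd.c, both added `mac_is_present("ntpd") != 1` tests (the startup uid check in ntpdmain and the drop-root check after the getgroup label) only establish that a policy named ntpd is loaded, while the added comments describe it as "enabled". A policy that is loaded but administratively switched off, or (if the policy is tied to a specific uid) configured for a different uid than the one ntpd ends up running as, would pass both gates and leave ntpd unable to set the clock or rebind NTP_PORT later. I would say so next to the check, e.g. `/* mac_is_present() only proves the module is loaded; clock and bind calls can still fail for this uid. */`, and confirm that those later failures are logged rather than ignored. A -1 error return from mac_is_present() is also folded into "not present"; that fails closed, but a separate `msyslog(LOG_ERR, "mac_is_present(\"ntpd\"): %m");` for the error case would make the log line accurate. Both enclosing functions start and end outside the hunks shown.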
@@ -0,0 +1,32 @@
+--- sntp/m4/ntp_libntp.m4.orig 2017-02-01 09:47:13 UTC
++++ sntp/m4/ntp_libntp.m4
+@@ -693,7 +693,28 @@ esac
+
+ AC_MSG_RESULT([$ntp_have_solarisprivs])
+
+-case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
++AC_CHECK_HEADERS([sys/mac.h])
++
++AC_ARG_ENABLE(
++ [trustedbsd_mac],
++ [AS_HELP_STRING(
++ [--enable-trustedbsd-mac],
++ [- Use TrustedBSD MAC policy for non-root clock control]
++ )],
++ [ntp_use_trustedbsd_mac=$enableval]
++)
++
++AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges])
++
++case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
++ yesyes)
++ AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
++ [Are TrustedBSD MAC policy privileges available?])
++esac
++
++AC_MSG_RESULT([$ntp_use_trustedbsd_mac])
++
++case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in
+ *yes*)
+ AC_DEFINE([HAVE_DROPROOT], [1],
+ [Can we drop root privileges?])
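Review bot: The final `case` that defines HAVE_DROPROOT keys on `$ntp_use_trustedbsd_mac`, the raw --enable-trustedbsd-mac value, rather than on whether HAVE_TRUSTEDBSD_MAC was actually defined. With the option given but sys/mac.h absent, HAVE_DROPROOT is defined while the MAC check in ntpd.c is compiled out, so the drop-root code falls back to the older uid-0 assumption visible as context in that patch. `AC_MSG_RESULT` reports the same raw value and prints an empty string when the option is not passed. Recording the combined outcome in its own variable and using it in both places addresses both; the surrounding macro starts and ends outside the hunk.

```m4
ntp_have_trustedbsd_mac=no
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
 yesyes)
    ntp_have_trustedbsd_mac=yes
    dnl … unchanged: AC_DEFINE([HAVE_TRUSTEDBSD_MAC], …) and esac …
AC_MSG_RESULT([$ntp_have_trustedbsd_mac])
case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_have_trustedbsd_mac" in
dnl … unchanged: *yes*) branch defining HAVE_DROPROOT …
```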