D16396.diff
Index: head/net/ntp/Makefile
===================================================================
--- head/net/ntp/Makefile
+++ head/net/ntp/Makefile
@@ -3,7 +3,7 @@
PORTNAME= ntp
PORTVERSION= 4.2.8p11
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net ipv6
MASTER_SITES= http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ \
http://archive.ntp.org/ntp4/ntp-4.2/ \
@@ -19,9 +19,10 @@
USES= cpe pathfix shebangfix libedit libtool localbase:ldflags \
pkgconfig
+USES+= autoreconf # until trustedbsd-mac changes accepted upstream
GNU_CONFIGURE= yes
-CONFIGURE_ARGS= --enable-leap-smear
+CONFIGURE_ARGS= --enable-leap-smear --enable-trustedbsd-mac
TEST_TARGET= check
Index: head/net/ntp/files/patch-ntpd_ntpd.c
===================================================================
--- head/net/ntp/files/patch-ntpd_ntpd.c
+++ head/net/ntp/files/patch-ntpd_ntpd.c
@@ -0,0 +1,45 @@
+--- ntpd/ntpd.c.orig 2018-02-27 15:15:48 UTC
++++ ntpd/ntpd.c
+@@ -123,6 +123,9 @@
+ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+ # include <priv.h>
+ #endif /* HAVE_PRIV_H */
++#if defined(HAVE_TRUSTEDBSD_MAC)
++# include <sys/mac.h>
++#endif /* HAVE_TRUSTEDBSD_MAC */
+ #endif /* HAVE_DROPROOT */
+
+ #if defined (LIBSECCOMP) && (KERN_SECCOMP)
+@@ -634,7 +637,12 @@ ntpdmain(
+ /* MPE lacks the concept of root */
+ # if defined(HAVE_GETUID) && !defined(MPE)
+ uid = getuid();
+- if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
++ if (uid && !HAVE_OPT( SAVECONFIGQUIT )
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /* We can run as non-root if the mac_ntpd policy is enabled. */
++ && mac_is_present("ntpd") != 1
++# endif
++ ) {
+ msyslog_term = TRUE;
+ msyslog(LOG_ERR,
+ "must be run as root, not uid %ld", (long)uid);
+@@ -1082,7 +1090,17 @@ getgroup:
+ exit (-1);
+ }
+
+-# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /*
++ * To manipulate system time and (re-)bind to NTP_PORT as needed
++ * following interface changes, we must either run as uid 0 or
++ * the mac_ntpd policy module must be enabled.
++ */
++ if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
++ msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges");
++ exit (-1);
++ }
++# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
+ /*
+ * for now assume that the privilege to bind to privileged ports
+ * is associated with running with uid 0 - should be refined on
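Review bot: In both added checks, `mac_is_present("ntpd") != 1` establishes only that the policy is registered with the kernel, yet the comment and the log message say "enabled". As far as mac_is_present(3) documents, it does not report whether the policy is switched on or whether the calling uid is the one the policy grants clock and port privileges to, so at the `getuid()` check any non-root user passes on such a host and the failure only surfaces later at bind or clock adjustment. I would reword the comment to `/* mac_ntpd is loaded; the kernel still decides per uid, so later bind/clock calls may fail. */` and the message to `"Need MAC 'ntpd' policy loaded to drop root privileges"`. Comparing against 1 treats an error return the same as an absent policy, which fails closed and is worth keeping. The enclosing function starts and ends outside the patched hunks.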
Index: head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
===================================================================
--- head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
+++ head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
@@ -0,0 +1,32 @@
+--- sntp/m4/ntp_libntp.m4.orig 2017-02-01 09:47:13 UTC
++++ sntp/m4/ntp_libntp.m4
+@@ -693,7 +693,28 @@ esac
+
+ AC_MSG_RESULT([$ntp_have_solarisprivs])
+
+-case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
++AC_CHECK_HEADERS([sys/mac.h])
++
++AC_ARG_ENABLE(
++ [trustedbsd_mac],
++ [AS_HELP_STRING(
++ [--enable-trustedbsd-mac],
++ [- Use TrustedBSD MAC policy for non-root clock control]
++ )],
++ [ntp_use_trustedbsd_mac=$enableval]
++)
++
++AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges])
++
++case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
++ yesyes)
++ AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
++ [Are TrustedBSD MAC policy privileges available?])
++esac
++
++AC_MSG_RESULT([$ntp_use_trustedbsd_mac])
++
++case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in
+ *yes*)
+ AC_DEFINE([HAVE_DROPROOT], [1],
+ [Can we drop root privileges?])
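Review bot: The final `case` that defines HAVE_DROPROOT tests `$ntp_use_trustedbsd_mac`, which is the user's request, not the outcome of the header check. With `--enable-trustedbsd-mac` on a host without `sys/mac.h`, HAVE_DROPROOT is defined while HAVE_TRUSTEDBSD_MAC is not, so ntpd.c would take the generic uid-0 branch and offer to drop root with no mechanism behind it. The same variable is printed by AC_MSG_RESULT, so configure reports "yes" in that case and an empty string when the option is not given. A separate result variable with a default, set only in the `yesyes` arm, fixes all three.

```m4
AC_ARG_ENABLE(
    [trustedbsd_mac],
    dnl … unchanged: AS_HELP_STRING …
    [ntp_use_trustedbsd_mac=$enableval],
    [ntp_use_trustedbsd_mac=no]
)

ntp_have_trustedbsd_mac=no
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
 yesyes)
    ntp_have_trustedbsd_mac=yes
    dnl … unchanged: AC_DEFINE([HAVE_TRUSTEDBSD_MAC] …) …
esac

AC_MSG_RESULT([$ntp_have_trustedbsd_mac])

case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_have_trustedbsd_mac" in
```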
D16396: Add TrustedBSD MAC(4) support to ntpd.