etc/rc.d/ntpd
Show All 14 Lines | |||||
rcvar="ntpd_enable" | rcvar="ntpd_enable" | ||||
command="/usr/sbin/${name}" | command="/usr/sbin/${name}" | ||||
pidfile="/var/run/${name}.pid" | pidfile="/var/run/${name}.pid" | ||||
extra_commands="fetch needfetch" | extra_commands="fetch needfetch" | ||||
fetch_cmd="ntpd_fetch_leapfile" | fetch_cmd="ntpd_fetch_leapfile" | ||||
needfetch_cmd="ntpd_needfetch_leapfile" | needfetch_cmd="ntpd_needfetch_leapfile" | ||||
start_precmd="ntpd_precmd" | start_precmd="ntpd_precmd" | ||||
ntp_tmp_leapfile="/var/run/ntpd.leap-seconds.list" | _ntp_tmp_leapfile="/var/run/ntpd.leap-seconds.list" | ||||
_ntp_chroot_cookiefile=".chroot_autosetup_done" | |||||
_ntp_default_driftfile="/var/db/ntpd.drift" | |||||
_ntp_default_chrootdir="/var/db/ntp" | |||||
_ntp_default_user="ntpd:ntpd" | |||||
load_rc_config $name | load_rc_config $name | ||||
ntpd_mac_setup() | |||||
{ | |||||
# Attempt to automatically set up the the MAC ntpd policy so that | |||||
# ntpd can run with reduced privileges. MAC has to be compiled | |||||
# into the kernel, which we detect using security.mac.version. | |||||
# If it's available, check whether the ntpd policy is already | |||||
# loaded, and attempt to load the module if not. Then check | |||||
# whether the policy has been specifically disabled via tunable | |||||
# or sysctl. If loaded and not disabled we can run as non-root, | |||||
# so return success, otherwise indicate we must run as root by | |||||
# returning an error. | |||||
if [ -n "$(sysctl -qn security.mac.version)" ]; then | |||||
sysctl -qn security.mac.ntpd >/dev/null || kldload mac_ntpd || return | |||||
if [ "$(sysctl -qn security.mac.ntpd.enabled)" = "1" ]; then | |||||
return 0 | |||||
fi | |||||
fi | |||||
return 1 | |||||
} | |||||
ntpd_default_chroot_setup() | |||||
{ | |||||
# When $ntpd_chrootdir points to our default location, this function | |||||
# prepares it for use. If the admin overrides ntpd_chrootdir, setup | |||||
# is not our responsibility. If we get any errors doing the setup, | |||||
# we just return the error code, making us run without the chroot. | |||||
# The chroot requires nullfs, so make sure that's available first. | |||||
kldload -qn tmpfs || return | |||||
ian: Oops, typo here, already fixed locally; it'll be nullfs on the next rev. | |||||
# If there is no setup-done cookie file in the chroot, we need to do | |||||
# one-time setup, which consists of... | |||||
# - Create an /etc dir. | |||||
# - Create the dir(s) that hold the driftfile and leapfile. | |||||
# - Move existing drift and leap files (if any) into the chroot. | |||||
# - Make symlinks outside the chroot that point to the drift | |||||
# and leap files inside the chroot. This is required because | |||||
# ntpd reads these files both before and after calling chroot(). | |||||
if [ ! -e "${ntpd_chrootdir}/${_ntp_chroot_cookiefile}" ]; then | |||||
mkdir -p "${ntpd_chrootdir}/etc" || return | |||||
mkdir -p "${ntpd_chrootdir}/$(dirname ${_ntp_default_driftfile})" || return | |||||
mkdir -p "${ntpd_chrootdir}/$(dirname ${ntp_db_leapfile})" || return | |||||
if [ -f "${_ntp_default_driftfile}" ]; then | |||||
mv "${_ntp_default_driftfile}" "${ntpd_chrootdir}/${_ntp_default_driftfile}" || return | |||||
fi | |||||
if [ -f "${ntp_db_leapfile}" ]; then | |||||
mv "${ntp_db_leapfile}" "${ntpd_chrootdir}/${ntp_db_leapfile}" || return | |||||
fi | |||||
ln -fhs "${ntpd_chrootdir}/${_ntp_default_driftfile}" "${_ntp_default_driftfile}" || return | |||||
ln -fhs "${ntpd_chrootdir}/${ntp_db_leapfile}" "${ntp_db_leapfile}" || return | |||||
touch "${ntpd_chrootdir}/${_ntp_chroot_cookiefile}" | |||||
chown -R ${ntpd_usergroup} "${ntpd_chrootdir}" | |||||
fi | |||||
# Ntpd needs to read several files from /etc, including resolv.conf | |||||
# which can change on the fly, so we can't just copy it in. Instead | |||||
# we nullfs-mount /etc into the chroot if it isn't already mounted. | |||||
# It's mounted readonly because ntpd only reads files from etc. | |||||
if ! df -t nullfs "${ntpd_chrootdir}/etc" >/dev/null 2>&1; then | |||||
mount -r -t nullfs /etc "${ntpd_chrootdir}/etc" || return | |||||
fi | |||||
} | |||||
ntpd_precmd() | ntpd_precmd() | ||||
{ | { | ||||
rc_flags="-c ${ntpd_config} ${ntpd_flags}" | command_args="-c ${ntpd_config} -p ${pidfile} -f ${_ntp_default_driftfile}" | ||||
if checkyesno ntpd_sync_on_start; then | if checkyesno ntpd_sync_on_start; then | ||||
rc_flags="-g $rc_flags" | command_args="${command_args} -g" | ||||
fi | fi | ||||
ntpd_init_leapfile | # If $ntpd_usergroup is set, pass it to ntpd using -u. If it has the | ||||
Done Inline ActionsI think a message to syslog to inform the sysadmin that directory permissions have changed should address any POLA concerns. What do you think of daemon.notice? Also to stderr, logger -s. cy: I think a message to syslog to inform the sysadmin that directory permissions have changed… | |||||
# default value of ntpd:ntpd, attempt to automatically set up the MAC | |||||
# policy that allows unprivileged ntpd to change kernel time. If it | |||||
# has any other value, we assume the admin has set everything up. | |||||
if [ ! -f $ntp_db_leapfile ]; then | if [ -n "${ntpd_usergroup}" ]; then | ||||
Done Inline ActionsSimilarly, inform the sysadmin that files are being moved. cy: Similarly, inform the sysadmin that files are being moved.
| |||||
ntpd_fetch_leapfile | local nuser="-u ${ntpd_usergroup}" | ||||
if [ "${ntpd_usergroup}" = "${_ntp_default_user}" ]; then | |||||
ntpd_mac_setup || nuser="-u root:wheel" | |||||
fi | fi | ||||
command_args="${command_args} ${nuser}" | |||||
if [ -z "$ntpd_chrootdir" ]; then | |||||
return 0; | |||||
fi | fi | ||||
# If running in a chroot cage, ensure that the appropriate files | # If $ntpd_chrootdir is set, pass it along to ntpd on the command | ||||
# exist inside the cage, as well as helper symlinks into the cage | # line using -i. If it has the default value, attempt to set up | ||||
# from outside. | # the chroot automatically. If it has a non-default value, assume | ||||
# | # the admin has created and populated the chroot and established | ||||
# As this is called after the is_running and required_dir checks | # any outside->inside symlinks needed for ntpd startup. | ||||
Done Inline ActionsIf MAC is not present, should it be treated as a fail (e.g. else return 1;;)? delphij: If MAC is not present, should it be treated as a fail (e.g. else return 1;;)? | |||||
Not Done Inline ActionsOh, good catch. This got screwed up on the latest refactoring. Fixed now, and this time tested as well. :) ian: Oh, good catch. This got screwed up on the latest refactoring. Fixed now, and this time… | |||||
# are made in run_rc_command(), we can safely assume ${ntpd_chrootdir} | |||||
# exists and ntpd isn't running at this point (unless forcestart | if [ -n "${ntpd_chrootdir}" ]; then | ||||
# is used). | local cdir="-i ${ntpd_chrootdir}" | ||||
# | if [ "${ntpd_chrootdir}" = "${_ntp_default_chrootdir}" ]; then | ||||
if [ ! -c "${ntpd_chrootdir}/dev/clockctl" ]; then | ntpd_default_chroot_setup || cdir="" | ||||
rm -f "${ntpd_chrootdir}/dev/clockctl" | |||||
( cd /dev ; /bin/pax -rw -pe clockctl "${ntpd_chrootdir}/dev" ) | |||||
fi | fi | ||||
ln -fs "${ntpd_chrootdir}/var/db/ntp.drift" /var/db/ntp.drift | command_args="${command_args} ${cdir}" | ||||
ln -fs "${ntpd_chrootdir}${ntp_tmp_leapfile}" ${ntp_tmp_leapfile} | fi | ||||
# Change run_rc_commands()'s internal copy of $ntpd_flags | # Make sure the leapfile is ready to use. | ||||
# | |||||
rc_flags="-u ntpd:ntpd -i ${ntpd_chrootdir} $rc_flags" | ntpd_init_leapfile | ||||
if [ ! -f "${ntp_db_leapfile}" ]; then | |||||
ntpd_fetch_leapfile | |||||
fi | |||||
} | } | ||||
current_ntp_ts() { | current_ntp_ts() { | ||||
# Seconds between 1900-01-01 and 1970-01-01 | # Seconds between 1900-01-01 and 1970-01-01 | ||||
# echo $(((70*365+17)*86400)) | # echo $(((70*365+17)*86400)) | ||||
ntp_to_unix=2208988800 | ntp_to_unix=2208988800 | ||||
echo $(($(date -u +%s)+$ntp_to_unix)) | echo $(($(date -u +%s)+$ntp_to_unix)) | ||||
Show All 29 Lines | ntpd_needfetch_leapfile() { | ||||
else | else | ||||
verbose=: | verbose=: | ||||
fi | fi | ||||
ntp_ver_no_src=$(get_ntp_leapfile_ver $ntp_src_leapfile) | ntp_ver_no_src=$(get_ntp_leapfile_ver $ntp_src_leapfile) | ||||
ntp_expiry_src=$(get_ntp_leapfile_expiry $ntp_src_leapfile) | ntp_expiry_src=$(get_ntp_leapfile_expiry $ntp_src_leapfile) | ||||
ntp_ver_no_db=$(get_ntp_leapfile_ver $ntp_db_leapfile) | ntp_ver_no_db=$(get_ntp_leapfile_ver $ntp_db_leapfile) | ||||
ntp_expiry_db=$(get_ntp_leapfile_expiry $ntp_db_leapfile) | ntp_expiry_db=$(get_ntp_leapfile_expiry $ntp_db_leapfile) | ||||
$verbose ntp_src_leapfile version is $ntp_ver_no_src | $verbose ntp_src_leapfile version is $ntp_ver_no_src expires $ntp_expiry_src | ||||
$verbose ntp_db_leapfile version is $ntp_ver_no_db | $verbose ntp_db_leapfile version is $ntp_ver_no_db expires $ntp_expiry_db | ||||
cyUnsubmitted Done Inline ActionsThis is not related to this review. I have no objection but it needs to be committed in a separate commit. cy: This is not related to this review. I have no objection but it needs to be committed in a… | |||||
ianAuthorUnsubmitted Done Inline ActionsOoops, yeah, leftover debugging unrelated to these changes, but I do think I'll commit it on its own since it's useful. ian: Ooops, yeah, leftover debugging unrelated to these changes, but I do think I'll commit it on… | |||||
cyUnsubmitted Done Inline ActionsThanks. cy: Thanks. | |||||
if [ "$ntp_ver_no_src" -gt "$ntp_ver_no_db" -o \ | if [ "$ntp_ver_no_src" -gt "$ntp_ver_no_db" -o \ | ||||
"$ntp_ver_no_src" -eq "$ntp_ver_no_db" -a \ | "$ntp_ver_no_src" -eq "$ntp_ver_no_db" -a \ | ||||
"$ntp_expiry_src" -gt "$ntp_expiry_db" ]; then | "$ntp_expiry_src" -gt "$ntp_expiry_db" ]; then | ||||
$verbose replacing $ntp_db_leapfile with $ntp_src_leapfile | $verbose replacing $ntp_db_leapfile with $ntp_src_leapfile | ||||
cp -p $ntp_src_leapfile $ntp_db_leapfile | cp -p $ntp_src_leapfile $ntp_db_leapfile | ||||
ntp_ver_no_db=$ntp_ver_no_src | ntp_ver_no_db=$ntp_ver_no_src | ||||
else | else | ||||
Show All 16 Lines | if checkyesno ntp_leapfile_fetch_verbose; then | ||||
verbose=echo | verbose=echo | ||||
else | else | ||||
verbose=: | verbose=: | ||||
fi | fi | ||||
if ntpd_needfetch_leapfile ; then | if ntpd_needfetch_leapfile ; then | ||||
for url in $ntp_leapfile_sources ; do | for url in $ntp_leapfile_sources ; do | ||||
$verbose fetching $url | $verbose fetching $url | ||||
fetch $ntp_leapfile_fetch_opts -o $ntp_tmp_leapfile $url && break | fetch $ntp_leapfile_fetch_opts -o $_ntp_tmp_leapfile $url && break | ||||
done | done | ||||
ntp_ver_no_tmp=$(get_ntp_leapfile_ver $ntp_tmp_leapfile) | ntp_ver_no_tmp=$(get_ntp_leapfile_ver $_ntp_tmp_leapfile) | ||||
ntp_expiry_tmp=$(get_ntp_leapfile_expiry $ntp_tmp_leapfile) | ntp_expiry_tmp=$(get_ntp_leapfile_expiry $_ntp_tmp_leapfile) | ||||
cyUnsubmitted Done Inline ActionsWhy the name change? cy: Why the name change? | |||||
ianAuthorUnsubmitted Done Inline ActionsI was getting lost in the maze of similar-named ntp-related rcvars, so I decided to name all the ones that are local to this script (rather than coming from rc.conf) to start with an underbar. I might just commit this alone too, so that it doesn't clutter up the next rev of the main diff. ian: I was getting lost in the maze of similar-named ntp-related rcvars, so I decided to name all… | |||||
cyUnsubmitted Done Inline ActionsYes, alone so it doesn't confuse this change with unrelated changes. Thanks again. cy: Yes, alone so it doesn't confuse this change with unrelated changes.
Thanks again. | |||||
if [ "$ntp_expiry_tmp" -gt "$ntp_expiry_db" -o \ | if [ "$ntp_expiry_tmp" -gt "$ntp_expiry_db" -o \ | ||||
"$ntp_expiry_tmp" -eq "$ntp_expiry_db" -a \ | "$ntp_expiry_tmp" -eq "$ntp_expiry_db" -a \ | ||||
"$ntp_ver_no_tmp" -gt "$ntp_ver_no_db" ]; then | "$ntp_ver_no_tmp" -gt "$ntp_ver_no_db" ]; then | ||||
$verbose using $url as $ntp_db_leapfile | $verbose using $url as $ntp_db_leapfile | ||||
mv -f $ntp_tmp_leapfile $ntp_db_leapfile || | mv -f $_ntp_tmp_leapfile $ntp_db_leapfile || | ||||
$verbose "warning: cannot replace $ntp_db_leapfile (read-only fs?)" | $verbose "warning: cannot replace $ntp_db_leapfile (read-only fs?)" | ||||
else | else | ||||
$verbose using existing $ntp_db_leapfile | $verbose using existing $ntp_db_leapfile | ||||
fi | fi | ||||
fi | fi | ||||
} | } | ||||
run_rc_command "$1" | run_rc_command "$1" |
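Review bot: In `ntpd_default_chroot_setup`, `chown -R ${ntpd_usergroup} "${ntpd_chrootdir}"` gives the unprivileged account ownership of the entire chroot tree, including the setup-done cookie and the `etc` mount point, while this script (presumably running as root) still tests the cookie and runs `mount` on `${ntpd_chrootdir}/etc` on later starts, and repeats the `mkdir`/`mv`/`ln` setup whenever the cookie is missing. A chroot whose top level is writable by the confined user weakens the confinement, so I would keep the top level, `etc` and the cookie root-owned and hand over only the directories ntpd has to write, e.g. `chown ${ntpd_usergroup} "${ntpd_chrootdir}/$(dirname "${_ntp_default_driftfile}")" || return`, and the same for the directory of `${ntp_db_leapfile}`. Separately, `touch` runs before `chown` and neither is checked, so a failed `chown` still leaves the cookie behind and the one-time setup is not retried; moving the `touch` last and adding `|| return` to the `chown` avoids that.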
Oops, typo here, already fixed locally; it'll be nullfs on the next rev.