Index: head/net/ntp/Makefile
===================================================================
--- head/net/ntp/Makefile (revision 475131)
+++ head/net/ntp/Makefile (revision 475132)
@@ -1,86 +1,87 @@ # Created by: andreas # $FreeBSD$ PORTNAME= ntp PORTVERSION= 4.2.8p11 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net ipv6 MASTER_SITES= http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ \ http://archive.ntp.org/ntp4/ntp-4.2/ \ ftp://ftp.netlab.is.tsukuba.ac.jp/pub/network/ntp/ntp4/ DISTNAME= ${PORTNAME}-${PORTVERSION:S/P/p/:S/.r/-RC/} MAINTAINER= cy@FreeBSD.org COMMENT= The Network Time Protocol Distribution LIB_DEPENDS= libevent.so:devel/libevent CONFLICTS= ntp-devel-* openntpd-* USES= cpe pathfix shebangfix libedit libtool localbase:ldflags \ pkgconfig +USES+= autoreconf # until trustedbsd-mac changes accepted upstream GNU_CONFIGURE= yes -CONFIGURE_ARGS= --enable-leap-smear +CONFIGURE_ARGS= --enable-leap-smear --enable-trustedbsd-mac TEST_TARGET= check SHEBANG_FILES= scripts/ntptrace/ntptrace.in \ scripts/ntp-wait/ntp-wait.in \ scripts/update-leap/update-leap.in perl_OLD_CMD= @PATH_PERL@ .include "Makefile.inc" OPTIONS_DEFINE+= DEBUG NLS THREADS OPTIONS_DEFAULT+= THREADS OPTIONS_SUB= yes DEBUG_CONFIGURE_ENABLE= debugging IPV6_CONFIGURE_ENABLE= ipv6 NLS_CONFIGURE_ENABLE= nls NLS_CONFIGURE_OFF= ac_cv_lib_intl_gettext=no NLS_USES= gettext-runtime NTP_SIGND_CONFIGURE_ENABLE= ntp-signd NTPSNMPD_LIB_DEPENDS= libnetsnmp.so:net-mgmt/net-snmp NTPSNMPD_CONFIGURE_OFF= --without-ntpsnmpd PERL_UTILS_USES= perl5 SSL_CONFIGURE_ON= --with-openssl-incdir=${OPENSSLINC} \ --with-openssl-libdir=${OPENSSLLIB} SSL_CONFIGURE_OFF= --without-crypto SSL_USES= ssl DEBUG_CONFIGURE_ON= --enable-debug THREADS_CONFIGURE_ENABLE= thread-support THREADS_CONFIGURE_WITH= threads MD5_LIB_DEPENDS= libmd5.so:www/libwww MD5_IMPLIES= SSL .for D in ${NTP_DRIVERS} ${D}_CONFIGURE_ENABLE= ${D} .endfor .include # XXX Temporary hack. Remember to remove this next commit. 
post-extract: @${TOUCH} ${WRKSRC}/scripts/build/checkHtmlFileDates @${CHMOD} +x ${WRKSRC}/scripts/build/checkHtmlFileDates post-install: @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/conf/* ${STAGEDIR}${EXAMPLESDIR} @${MKDIR} ${STAGEDIR}${DOCSDIR} @${FIND} ${WRKSRC}/html -type f | ${XARGS} ${CHMOD} ${SHAREMODE} @cd ${WRKSRC}/html && ${FIND} . -print | \ ${CPIO} -pdu -R ${SHAREOWN}:${SHAREGRP} --quiet ${STAGEDIR}${DOCSDIR} .include Index: head/net/ntp/files/patch-ntpd_ntpd.c =================================================================== --- head/net/ntp/files/patch-ntpd_ntpd.c (nonexistent) +++ head/net/ntp/files/patch-ntpd_ntpd.c (revision 475132) 
@@ -0,0 +1,45 @@
+--- ntpd/ntpd.c.orig 2018-02-27 15:15:48 UTC
++++ ntpd/ntpd.c
+@@ -123,6 +123,9 @@
+ #if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+ # include
+ #endif /* HAVE_PRIV_H */
++#if defined(HAVE_TRUSTEDBSD_MAC)
++# include
++#endif /* HAVE_TRUSTEDBSD_MAC */
+ #endif /* HAVE_DROPROOT */
+
+ #if defined (LIBSECCOMP) && (KERN_SECCOMP)
+@@ -634,7 +637,12 @@ ntpdmain(
+ /* MPE lacks the concept of root */
+ # if defined(HAVE_GETUID) && !defined(MPE)
+ uid = getuid();
+- if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
++ if (uid && !HAVE_OPT( SAVECONFIGQUIT )
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /* We can run as non-root if the mac_ntpd policy is enabled. */
++ && mac_is_present("ntpd") != 1
++# endif
++ ) {
+ msyslog_term = TRUE;
+ msyslog(LOG_ERR,
+ "must be run as root, not uid %ld", (long)uid);
+@@ -1082,7 +1090,17 @@ getgroup:
+ exit (-1);
+ }
+
+-# if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
++# if defined(HAVE_TRUSTEDBSD_MAC)
++ /*
++ * To manipulate system time and (re-)bind to NTP_PORT as needed
++ * following interface changes, we must either run as uid 0 or
++ * the mac_ntpd policy module must be enabled.
++ */
++ if (sw_uid != 0 && mac_is_present("ntpd") != 1) {
++ msyslog(LOG_ERR, "Need MAC 'ntpd' policy enabled to drop root privileges");
++ exit (-1);
++ }
++# elif !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
+ /*
+ * for now assume that the privilege to bind to privileged ports
+ * is associated with running with uid 0 - should be refined on
Property changes on: head/net/ntp/files/patch-ntpd_ntpd.c
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
===================================================================
--- head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4 (nonexistent)
+++ head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4 (revision 475132)
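Review bot: In patch-ntpd_ntpd.c, both new guards rely on `mac_is_present("ntpd")`, which only reports that a policy of that name is loaded, while the added comments and the log message speak of the policy being "enabled". A policy that is loaded but switched off, or configured for a different uid, would presumably pass both checks and let ntpd fail later at the clock or bind call rather than at startup; the policy's configuration is not visible here, so this is an inference. The `!= 1` comparison is the right fail-closed form, since it also rejects an error return. I would reword the first comment to `/* Non-root start is allowed only when the mac_ntpd policy is loaded; it must also be enabled for this uid. */` and change "enabled" to "loaded" in the log text. Both ntpdmain and the block after `getgroup:` continue outside the hunks shown.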
@@ -0,0 +1,32 @@
+--- sntp/m4/ntp_libntp.m4.orig 2017-02-01 09:47:13 UTC
++++ sntp/m4/ntp_libntp.m4
+@@ -693,7 +693,28 @@ esac
+
+ AC_MSG_RESULT([$ntp_have_solarisprivs])
+
+-case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
++AC_CHECK_HEADERS([sys/mac.h])
++
++AC_ARG_ENABLE(
++ [trustedbsd_mac],
++ [AS_HELP_STRING(
++ [--enable-trustedbsd-mac],
++ [- Use TrustedBSD MAC policy for non-root clock control]
++ )],
++ [ntp_use_trustedbsd_mac=$enableval]
++)
++
++AC_MSG_CHECKING([if we should use TrustedBSD MAC privileges])
++
++case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
++ yesyes)
++ AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
++ [Are TrustedBSD MAC policy privileges available?])
++esac
++
++AC_MSG_RESULT([$ntp_use_trustedbsd_mac])
++
++case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in
+ *yes*)
+ AC_DEFINE([HAVE_DROPROOT], [1],
+ [Can we drop root privileges?])
Property changes on: head/net/ntp/files/patch-sntp_m4_ntp__libntp.m4
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
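Review bot: In patch-sntp_m4_ntp__libntp.m4 the final `case` keys HAVE_DROPROOT on `$ntp_use_trustedbsd_mac`, which reflects only the user's request, whereas HAVE_TRUSTEDBSD_MAC is defined only when `sys/mac.h` was also found. With `--enable-trustedbsd-mac` on a host lacking that header, HAVE_DROPROOT would be defined with no privilege mechanism behind it, and AC_MSG_RESULT would still print yes (or an empty string when the option is not given at all). The test also probes only the header, not `mac_is_present`, which the ntpd.c patch calls. I would derive a single result variable from the combined check and use it for both the message and the HAVE_DROPROOT case, as below; the enclosing case statement ends outside the hunk.

```m4
dnl … unchanged: AC_CHECK_HEADERS, AC_ARG_ENABLE, AC_MSG_CHECKING …
ntp_have_trustedbsd_mac=no
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
 yesyes)
    ntp_have_trustedbsd_mac=yes
    AC_DEFINE([HAVE_TRUSTEDBSD_MAC], [1],
	[Are TrustedBSD MAC policy privileges available?])
esac

AC_MSG_RESULT([$ntp_have_trustedbsd_mac])

case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_have_trustedbsd_mac" in
```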