Index: head/net/ntimed/Makefile
===================================================================
--- head/net/ntimed/Makefile (revision 525558)
+++ head/net/ntimed/Makefile (revision 525559)
@@ -1,29 +1,29 @@
 # Created by: Mark Felder
 # $FreeBSD$
 PORTNAME= ntimed
 PORTVERSION= 0.0.2015.01.30
-PORTREVISION= 0
+PORTREVISION= 1
 CATEGORIES= net
 MAINTAINER= feld@FreeBSD.org
 COMMENT= Network time synchronization client
 LICENSE= BSD2CLAUSE
 USE_RC_SUBR= ntimed
 USE_GITHUB= yes
 GH_ACCOUNT= bsdphk
 GH_PROJECT= Ntimed
 GH_TAGNAME= db0abbb
 PLIST_FILES= sbin/ntimed-client
 do-configure:
 cd ${WRKSRC} && ${SH} configure
 do-install:
 ${INSTALL_PROGRAM} ${WRKSRC}/ntimed-client ${STAGEDIR}${PREFIX}/sbin
 .include
Index: head/net/ntimed/files/ntimed.in
===================================================================
--- head/net/ntimed/files/ntimed.in (revision 525558)
+++ head/net/ntimed/files/ntimed.in (revision 525559)
@@ -1,38 +1,56 @@
 #!/bin/sh
 #
 # Author: Mark Felder
 #
 # $FreeBSD$
 #
 # PROVIDE: ntimed
 # REQUIRE: LOGIN
 # KEYWORD: shutdown
 # Add the following lines to /etc/rc.conf to enable ntimed:
 # ntimed_enable="YES"
 # ntimed_flags=""
 . /etc/rc.subr
 name=ntimed
 rcvar=ntimed_enable
 load_rc_config $name
 : ${ntimed_enable:=NO}
 : ${ntimed_flags:="0.freebsd.pool.ntp.org"}
 start_precmd=ntimed_prestart
 pidfile=/var/run/ntimed.pid
-procname="/usr/local/sbin/ntimed-client"
+ntimed_cmd="/usr/local/sbin/ntimed-client"
 command=/usr/sbin/daemon
-command_args=" -p ${pidfile} ${procname} ${ntimed_flags}"
+can_run_nonroot()
+{
+ # Try to set up the the MAC ntpd policy so ntimed can run with reduced
+ # privileges. Detect whether MAC is compiled into the kernel, load
+ # the policy module if not already present, then check whether the
+ # policy has been disabled via tunable or sysctl.
+ [ -n "$(sysctl -qn security.mac.version)" ] || return 1
+ sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
+ [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1
+}
+
 ntimed_prestart()
 {
- # Have to empty rc_flags so they don't get passed to daemon(8)
- rc_flags=""
+ # Have to empty rc_flags so they don't get passed to daemon(8)
+ rc_flags=""
+
+ if can_run_nonroot; then
+ _ntimed_user="ntpd"
+ else
+ _ntimed_user="root"
+ fi
+
+ command_args=" -r -P ${pidfile} -u ${_ntimed_user} ${ntimed_cmd} ${ntimed_flags}"
 }
 run_rc_command "$1"
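Review bot: When can_run_nonroot fails, the else branch in ntimed_prestart silently sets `_ntimed_user="root"`, so an operator gets no signal that the reduced-privilege path was not taken (kernel without MAC, mac_ntpd not loadable, or security.mac.ntpd.enabled not set to 1). Adding `warn "mac_ntpd policy unavailable; starting ${name} as root"` in that else branch (warn is provided by rc.subr) makes the privilege downgrade visible in the boot log instead of leaving it indistinguishable from the hardened case. Separately, the `==` in the last test of can_run_nonroot is not POSIX; `=` is the portable form and compares the same strings. The first comment line in can_run_nonroot also doubles "the" ("the the MAC ntpd policy").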