MAC_NTPD(4)            FreeBSD Kernel Interfaces Manual            MAC_NTPD(4)

NAME
     mac_ntpd - policy allowing ntpd to run as non-root user

SYNOPSIS
     To compile the ntpd policy into your kernel, place the following lines in
     your kernel configuration file:

           options MAC
           options MAC_NTPD

     Alternatively, to load the ntpd policy module at boot time, place the
     following line in your kernel configuration file:

           options MAC

     and in loader.conf(5):

           mac_ntpd_load="YES"

DESCRIPTION
     The mac_ntpd policy grants any process running as user `ntpd' (uid 123)
     the privileges needed to manipulate system time, and to (re-)bind to the
     privileged NTP port.

     When ntpd(8) is started with `-u <user>[:group]' on the command line, it
     performs all initializations requiring root privileges, then drops root
     privileges by switching to the given user id.  From that point on, the
     only privileges it requires are the ability to manipulate system time,
     and the ability to re-bind a UDP socket to the NTP port (port 123) after
     a network interface change.

     With the mac_ntpd policy active, it may also be possible to start ntpd as
     a non-root user, because the default ntpd options don't require any
     additional root privileges beyond those granted by the policy.

   Privileges Granted
     The exact set of kernel privileges granted to any process running with
     the configured uid is:
           PRIV_ADJTIME
           PRIV_CLOCK_SETTIME
           PRIV_NTP_ADJTIME
           PRIV_NETINET_RESERVEDPORT
           PRIV_NETINET_REUSEPORT

   Runtime Configuration
     The following sysctl(8) MIBs are available for fine-tuning this MAC
     policy.  All sysctl(8) variables can also be set as loader(8) tunables in
     loader.conf(5).

     security.mac.ntpd.enabled
             Enable the mac_ntpd policy.  (Default: 1).

     security.mac.ntpd.uid
             The numeric uid of the ntpd user.  (Default: 123).
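
     Because the policy matches on the numeric uid alone, every account that
     maps to security.mac.ntpd.uid receives the privileges listed above.  The
     following sh(1) audit is an added example, not part of the original
     manual page; the function names, the sample passwd entries and the
     `timesync' account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the manual page): list who receives mac_ntpd privileges.
# The policy matches on numeric uid only, so every passwd entry with that uid is in scope.
# Assumption: the expected account is named "ntpd", as in the DESCRIPTION above.

# accounts_with_uid PASSWD_FILE UID: print login names that map to UID, one per line.
accounts_with_uid() {
    awk -F: -v uid="$2" '$1 !~ /^#/ && NF >= 3 && $3 == uid { print $1 }' "$1"
}

# audit_mac_ntpd ENABLED UID PASSWD_FILE: print findings; return 1 if any need review.
audit_mac_ntpd() {
    enabled=$1; uid=$2; passwd=$3; rc=0
    if [ "$enabled" != "1" ]; then
        echo "INFO: security.mac.ntpd.enabled=$enabled, policy grants nothing"
        return 0
    fi
    names=$(accounts_with_uid "$passwd" "$uid")
    if [ -z "$names" ]; then
        echo "WARN: no account has uid $uid; user ntpd will not match the policy"
        return 1
    fi
    for name in $names; do
        if [ "$name" = "ntpd" ]; then
            echo "OK: ntpd (uid $uid) receives the time and NTP-port privileges"
        else
            echo "WARN: $name shares uid $uid and receives the same privileges"
            rc=1
        fi
    done
    return $rc
}

# On a FreeBSD host with the policy loaded, audit the live settings.
if en=$(sysctl -n security.mac.ntpd.enabled 2>/dev/null) &&
   cfg_uid=$(sysctl -n security.mac.ntpd.uid 2>/dev/null); then
    audit_mac_ntpd "$en" "$cfg_uid" /etc/passwd || echo "review the WARN lines above"
else
    # Constructed sample input so the script also runs where the MIBs are absent.
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'root:*:0:0:Charlie &:/root:/bin/sh' \
        'ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin' \
        'timesync:*:123:123:constructed duplicate:/nonexistent:/usr/sbin/nologin' > "$sample"
    audit_mac_ntpd 1 123 "$sample" || echo "review the WARN lines above"
    rm -f "$sample"
fi
```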

SEE ALSO
     mac(4), ntpd(8)

HISTORY
     MAC first appeared in FreeBSD 5.0 and mac_ntpd first appeared in
     FreeBSD 12.0.

FreeBSD 13.1-RELEASE-p6          July 20, 2018         FreeBSD 13.1-RELEASE-p6
