1 .\" Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org>
3 .\" Redistribution and use in source and binary forms, with or without
4 .\" modification, are permitted provided that the following conditions
6 .\" 1. Redistributions of source code must retain the above copyright
7 .\" notice, this list of conditions and the following disclaimer.
8 .\" 2. Redistributions in binary form must reproduce the above copyright
9 .\" notice, this list of conditions and the following disclaimer in the
10 .\" documentation and/or other materials provided with the distribution.
12 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
13 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
16 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 .Nd "policy allowing ntpd to run as non-root user"
33 To compile the ntpd policy into your kernel, place the following lines
34 in your kernel configuration file:
35 .Bd -ragged -offset indent
37 .Cd "options MAC_NTPD"
40 Alternately, to load the ntpd policy module at boot time,
41 place the following line in your kernel configuration file:
42 .Bd -ragged -offset indent
48 .Bd -literal -offset indent
54 policy grants any process running as user
56 (uid 123) the privileges needed to manipulate
57 system time, and to (re-)bind to the privileged NTP port.
62 .Sq Fl u Ar <user>[:group]
63 on the command line, it performs all initializations requiring root
64 privileges, then drops root privileges by switching to the given user id.
65 From that point on, the only privileges it requires are the ability
66 to manipulate system time, and the ability to re-bind a UDP socket
67 to the NTP port (port 123) after a network interface change.
71 policy active, it may also be possible to start ntpd as a non-root user,
72 because the default ntpd options don't require any additional root
73 privileges beyond those granted by the policy.
75 .Ss Privileges Granted
76 The exact set of kernel privileges granted to any process running
77 with the configured uid is:
78 .Bl -inset -compact -offset indent
80 .It Dv PRIV_CLOCK_SETTIME
81 .It Dv PRIV_NTP_ADJTIME
82 .It Dv PRIV_NETINET_RESERVEDPORT
83 .It Dv PRIV_NETINET_REUSEPORT
86 .Ss Runtime Configuration
89 MIBs are available for fine-tuning this MAC policy.
92 variables can also be set as
96 .Bl -tag -width indent
97 .It Va security.mac.ntpd.enabled
102 .It Va security.mac.ntpd.uid
103 The numeric uid of the ntpd user.
110 MAC first appeared in