Diffstat (limited to 'static/freebsd/man4/mac_ntpd.4 3.html')
| -rw-r--r-- | static/freebsd/man4/mac_ntpd.4 3.html | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/static/freebsd/man4/mac_ntpd.4 3.html b/static/freebsd/man4/mac_ntpd.4 3.html new file mode 100644 index 00000000..56746190 --- /dev/null +++ b/static/freebsd/man4/mac_ntpd.4 3.html 
@@ -0,0 +1,96 @@ +<table class="head"> + <tr> + <td class="head-ltitle">MAC_NTPD(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">MAC_NTPD(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">mac_ntpd</code> — <span class="Nd">policy + allowing ntpd to run as non-root user</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp">To compile the ntpd policy into your kernel, place the following + lines in your kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code> +<br/> +<code class="Cd">options MAC_NTPD</code></div> +<p class="Pp">Alternately, to load the ntpd policy module at boot time, place + the following line in your kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div> +<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>mac_ntpd_load="YES"</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">mac_ntpd</code> policy grants any process + running as user ‘ntpd’ (uid 123) the privileges needed to + manipulate system time, and to (re-)bind to the privileged NTP port.</p> +<p class="Pp">When <a class="Xr">ntpd(8)</a> is started with + ‘<code class="Fl">-u</code> + <var class="Ar"><user>[:group]</var>’ on the command line, it + performs all initializations requiring root privileges, then drops root + privileges by switching to the given user id. 
From that point on, the only + privileges it requires are the ability to manipulate system time, and the + ability to re-bind a UDP socket to the NTP port (port 123) after a network + interface change.</p> +<p class="Pp">With the <code class="Nm">mac_ntpd</code> policy active, it may + also be possible to start ntpd as a non-root user, because the default ntpd + options don't require any additional root privileges beyond those granted by + the policy.</p> +<section class="Ss"> +<h2 class="Ss" id="Privileges_Granted"><a class="permalink" href="#Privileges_Granted">Privileges + Granted</a></h2> +<p class="Pp">The exact set of kernel privileges granted to any process running + with the configured uid is:</p> +<dl class="Bl-inset Bd-indent Bl-compact"> + <dt id="PRIV_ADJTIME"><a class="permalink" href="#PRIV_ADJTIME"><code class="Dv">PRIV_ADJTIME</code></a></dt> + <dd></dd> + <dt id="PRIV_CLOCK_SETTIME"><a class="permalink" href="#PRIV_CLOCK_SETTIME"><code class="Dv">PRIV_CLOCK_SETTIME</code></a></dt> + <dd></dd> + <dt id="PRIV_NTP_ADJTIME"><a class="permalink" href="#PRIV_NTP_ADJTIME"><code class="Dv">PRIV_NTP_ADJTIME</code></a></dt> + <dd></dd> + <dt id="PRIV_NETINET_RESERVEDPORT"><a class="permalink" href="#PRIV_NETINET_RESERVEDPORT"><code class="Dv">PRIV_NETINET_RESERVEDPORT</code></a></dt> + <dd></dd> + <dt id="PRIV_NETINET_REUSEPORT"><a class="permalink" href="#PRIV_NETINET_REUSEPORT"><code class="Dv">PRIV_NETINET_REUSEPORT</code></a></dt> + <dd></dd> +</dl> +</section> +<section class="Ss"> +<h2 class="Ss" id="Runtime_Configuration"><a class="permalink" href="#Runtime_Configuration">Runtime + Configuration</a></h2> +<p class="Pp">The following <a class="Xr">sysctl(8)</a> MIBs are available for + fine-tuning this MAC policy. 
All <a class="Xr">sysctl(8)</a> variables can + also be set as <a class="Xr">loader(8)</a> tunables in + <a class="Xr">loader.conf(5)</a>.</p> +<dl class="Bl-tag"> + <dt id="security.mac.ntpd.enabled"><var class="Va">security.mac.ntpd.enabled</var></dt> + <dd>Enable the <code class="Nm">mac_ntpd</code> policy. (Default: 1).</dd> + <dt id="security.mac.ntpd.uid"><var class="Va">security.mac.ntpd.uid</var></dt> + <dd>The numeric uid of the ntpd user. (Default: 123).</dd> +</dl> +</section> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">ntpd(8)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">MAC first appeared in <span class="Ux">FreeBSD 5.0</span> and + <code class="Nm">mac_ntpd</code> first appeared in <span class="Ux">FreeBSD + 12.0</span>.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">July 20, 2018</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
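Review bot: the path of the new file, "static/freebsd/man4/mac_ntpd.4 3.html", contains a space and a stray " 3" before the extension, which looks like an accidental duplicate copy rather than an intended page name. If it is a duplicate, drop it from the commit; otherwise rename it without the space, since every link to this path will need quoting or URL-encoding. Separately, in the DESCRIPTION paragraph the ntpd(8) argument appears as a literal <user> inside the var element (class "Ar"). If the file really contains raw angle brackets there, they should be written as the entities &lt;user&gt;, because a browser will parse the raw form as an unknown element and the placeholder text will not be displayed.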
