- 23 Jan, 2022 1 commit
Cy Schubert authored
When a user sets umask in login.conf(5) to 027 or 077 a subsequently fetched /var/db/ntpd.leap-seconds.list will inherit the permissions allowed by the umask, resulting in a file that may not be readable by ntpd running under the ntp account. This patch adds a umask command to preempt the umask in login.conf(5) prior to fetching a new copy of the leap-seconds file. PR: 261298 Reported by: Martin Waschbusch <martin@waschbuesch.de> (cherry picked from commit c6806434)
-
- 22 Dec, 2019 2 commits
ian authored
Allow opt-out of automatic ntpd leapfile checking/fetching. When a system has no internet connection, or when it is configured to obtain ntpd leapfiles from some source other than the internet, or even when the sysadmin has decided for some reason to customize ntp.conf to eliminate use of the leapfile, the rc.d/ntpd script emits various error messages related to the file. This change allows setting the rc var ntp_db_leapfile to NONE to disable all automatic processing related to that file in rc.d/ntpd. Differential Revision: https://reviews.freebsd.org/D22461
-
Ian Lepore authored
Allow opt-out of automatic ntpd leapfile checking/fetching. When a system has no internet connection, or when it is configured to obtain ntpd leapfiles from some source other than the internet, or even when the sysadmin has decided for some reason to customize ntp.conf to eliminate use of the leapfile, the rc.d/ntpd script emits various error messages related to the file. This change allows setting the rc var ntp_db_leapfile to NONE to disable all automatic processing related to that file in rc.d/ntpd. Differential Revision: https://reviews.freebsd.org/D22461
-
- 23 Jun, 2019 2 commits
ian authored
r348141: Handle the driftfile option correctly when ntpd_flags is empty. The logic I originally wrote to detect whether a driftfile option was in the set of flags was based on the result of removing the pattern *flag* being an empty string. That didn't handle the case where the string was empty to begin with. Doh! So now it also specifically checks for an empty string. The result of the bad check was that ntpd would run without a driftfile, but it would do so only if it was running as root instead of the non-privileged ntpd user, which isn't a typical case. Ntpd runs fine without a driftfile, although it does take it longer to stabilize the clock frequency at startup. Reported by: avg@ Pointy hat: ian@ r348143: Remove accidentally-added blank line; the style throughout this file is to use no whitespace between a comment block and the code it describes.
-
Ian Lepore authored
r348141: Handle the driftfile option correctly when ntpd_flags is empty. The logic I originally wrote to detect whether a driftfile option was in the set of flags was based on the result of removing the pattern *flag* being an empty string. That didn't handle the case where the string was empty to begin with. Doh! So now it also specifically checks for an empty string. The result of the bad check was that ntpd would run without a driftfile, but it would do so only if it was running as root instead of the non-privileged ntpd user, which isn't a typical case. Ntpd runs fine without a driftfile, although it does take it longer to stabilize the clock frequency at startup. Reported by: avg@ Pointy hat: ian@ r348143: Remove accidentally-added blank line; the style throughout this file is to use no whitespace between a comment block and the code it describes.
-
- 17 Oct, 2018 2 commits
bz authored
The reasons for this are forward looking to pkgbase: * /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package) * having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc. Discussed with: brd (during BSDCam), kmoore Requested by: cem, bz PR: 231522 Approved by: re (gjb)
-
Bjoern A. Zeeb authored
The reasons for this are forward looking to pkgbase: * /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package) * having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc. Discussed with: brd (during BSDCam), kmoore Requested by: cem, bz PR: 231522 Approved by: re (gjb)
-
- 28 Jul, 2018 2 commits
brd authored
This keeps most startup scripts as CONFS per discussion on src-committers from back during BSDCan. Approved by: will (mentor) Differential Revision: https://reviews.freebsd.org/D16466
-
Brad Davis authored
This keeps most startup scripts as CONFS per discussion on src-committers from back during BSDCan. Approved by: will (mentor) Differential Revision: https://reviews.freebsd.org/D16466
-
- 20 Jul, 2018 2 commits
ian authored
Ntpd needs only a subset of full root privileges to do its job. Specifically it needs the ability to manipulate system time, and to re-bind to a privileged UDP port after interface changes. The mac_ntpd(4) policy module (see r336525) can grant these privs. These changes detect the availability of mac_ntpd(4). If enabled, and if the ntpd configuration is fairly vanilla, it automatically runs ntpd as the non-root user 'ntpd' (uid 123). "Vanilla" means the config doesn't include command line or ntp.conf options changing the location of files or using any files/dirs likely to be inaccessible to user ntpd. Ntpd can still run as non-root when using such options, but the admin must ensure all required files and dirs are accessible, and then set ntpd_user=ntpd in rc.conf. Note that these changes also address PR 199127 by using the command_args technique suggested in the patch. They also tangentially address PR 113552, which is primarily about inconsistent filenames in documentation, but some of the inconsistency was caused by old code in rc.d/ntpd which is leftover from the initial import from netbsd. There was code to do chroot setup which required the use of the netbsd clockctl(4) device; that code never had any effect on freebsd, because we lack that device and don't build ntpd with the options that would allow using it. PR: 113552 199127 Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16050
-
Ian Lepore authored
Ntpd needs only a subset of full root privileges to do its job. Specifically it needs the ability to manipulate system time, and to re-bind to a privileged UDP port after interface changes. The mac_ntpd(4) policy module (see r336525) can grant these privs. These changes detect the availability of mac_ntpd(4). If enabled, and if the ntpd configuration is fairly vanilla, it automatically runs ntpd as the non-root user 'ntpd' (uid 123). "Vanilla" means the config doesn't include command line or ntp.conf options changing the location of files or using any files/dirs likely to be inaccessible to user ntpd. Ntpd can still run as non-root when using such options, but the admin must ensure all required files and dirs are accessible, and then set ntpd_user=ntpd in rc.conf. Note that these changes also address PR 199127 by using the command_args technique suggested in the patch. They also tangentially address PR 113552, which is primarily about inconsistent filenames in documentation, but some of the inconsistency was caused by old code in rc.d/ntpd which is leftover from the initial import from netbsd. There was code to do chroot setup which required the use of the netbsd clockctl(4) device; that code never had any effect on freebsd, because we lack that device and don't build ntpd with the options that would allow using it. PR: 113552 199127 Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16050
-
- 28 Jun, 2018 4 commits
ian authored
The expiration date is actually more of a version number than the version date, because expiration changes twice a year, whereas the version only changes when actual leap second events occur (except in USNO leapfiles, which inappropriately bump the version with every expiration date change).
-
Ian Lepore authored
The expiration date is actually more of a version number than the version date, because expiration changes twice a year, whereas the version only changes when actual leap second events occur (except in USNO leapfiles, which inappropriately bump the version with every expiration date change).
-
ian authored
it from variables with similar names which are set in rc.conf. This will make more sense as the script grows more similar-name local variables in some upcoming changes.
-
Ian Lepore authored
it from variables with similar names which are set in rc.conf. This will make more sense as the script grows more similar-name local variables in some upcoming changes.
-
- 23 Jun, 2018 2 commits
ian authored
The final 'mv' to install a fetched leap-list file can fail (due to a readonly fs, or schg flags, for example), and that leads to mv(1) prompting the user, stopping the boot process. Instead, use mv -f to suppress the prompting, and if verbose mode is on, emit a warning that the existing file cannot be replaced. PR: 219255
-
Ian Lepore authored
The final 'mv' to install a fetched leap-list file can fail (due to a readonly fs, or schg flags, for example), and that leads to mv(1) prompting the user, stopping the boot process. Instead, use mv -f to suppress the prompting, and if verbose mode is on, emit a warning that the existing file cannot be replaced. PR: 219255
-
- 09 Jan, 2018 2 commits
cy authored
leapseconds last-update field and incorrectly increment it when changing the file even though the leapsecond data has not changed. For instance, if a leapsecond file is obtained from USNO, when it expires it will not be replaced by a newer file from other sources because it has an incorrect later last-update (version). This corrects r304780. PR: 225029 Submitted by: ian MFC after: 3 days
-
Cy Schubert authored
leapseconds last-update field and incorrectly increment it when changing the file even though the leapsecond data has not changed. For instance, if a leapsecond file is obtained from USNO, when it expires it will not be replaced by a newer file from other sources because it has an incorrect later last-update (version). This corrects r304780. PR: 225029 Submitted by: ian MFC after: 3 days
-
- 28 Nov, 2017 2 commits
asomers authored
Submitted by: Ronald Klop <ronald-lists@klop.ws> Reviewed by: asomers MFC after: 3 days X-MFC-With: 325256
-
Alan Somers authored
Submitted by: Ronald Klop <ronald-lists@klop.ws> Reviewed by: asomers MFC after: 3 days X-MFC-With: 325256
-
- 19 Oct, 2017 2 commits
cy authored
and checks if ntp leapfile needs fetching before entering into the anticongestion sleep. Unfortunately some ports still use their own sleeps, so this commit doesn't address the complete problem which is compounded by every port that uses its own anticongestion mechanism. Discussed with: asomers
-
Cy Schubert authored
and checks if ntp leapfile needs fetching before entering into the anticongestion sleep. Unfortunately some ports still use their own sleeps, so this commit doesn't address the complete problem which is compounded by every port that uses its own anticongestion mechanism. Discussed with: asomers
-
- 27 Aug, 2016 1 commit
cy authored
r304779: Revert r298887 (spelling fix) and remove $FreeBSD$ because text changes to leap-seconds invalidates validation hash at the end of the file. Remove svn:keywords and replace with fbsd:nokeywords=yes to support this change.
r304780: Change the algorithm by which /var/db/leap-seconds is updated. 1. Use the leap-seconds version number (update time) to determine whether to update the file or not. 2. If the version numbers of the files are the same, use the later expiry date to determine which file to use. Suggested by: ian@
r304781: Add logic to replace the working ntp leap-seconds file in /var/db if it contains a $FreeBSD$ header. The header will cause the file to fail checksum of the hash causing ntpd to ignore the file.
r304782: Make validation of the leap-seconds file unconditional.
r304802: Remove the gratuitous check for $FreeBSD$ and rename the function to ntpd_init_leapfile, to ensure a copy exists in /var/db if a copy isn't already there. Reported by: ache@
-
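The two-step selection rule worded in the r304780 message above, as an added shell example that is not the rc.d/ntpd code from these commits. The function names `leap_field`, `pick_leapfile` and `mkleap` and the sample stamps are constructed for illustration; the `#$` (last update) and `#@` (expiry) markers are those of the leap-seconds.list format.

```shell
#!/bin/sh
# Added example (not the rc.d/ntpd code): keep or replace a leap-seconds file.
# In the leap-seconds.list format "#$" is the last-update (version) stamp and
# "#@" is the expiry stamp, both in NTP seconds.

# Print the number after marker $2 in file $1; 0 if the file or field is missing.
leap_field() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -v m="$2" '$1 == m && $2 ~ /^[1-9][0-9]*$/ { v = $2 "" }
                   END { if (v == "") print 0; else print v }' "$1"
}

# $1 = copy already in use, $2 = candidate. Prints the path to keep.
pick_leapfile() {
    cur_ver=$(leap_field "$1" '#$'); new_ver=$(leap_field "$2" '#$')
    cur_exp=$(leap_field "$1" '#@'); new_exp=$(leap_field "$2" '#@')
    if [ "$new_ver" -gt "$cur_ver" ]; then
        echo "$2"    # step 1: higher version number wins
    elif [ "$new_ver" -eq "$cur_ver" ] && [ "$new_exp" -gt "$cur_exp" ]; then
        echo "$2"    # step 2: same version, later expiry wins
    else
        echo "$1"    # candidate is older or identical: keep what we have
    fi
}

# Constructed sample files (hypothetical stamps), written to a scratch dir.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkleap() { printf '#$\t%s\n#@\t%s\n3692217600\t37\n' "$2" "$3" > "$tmp/$1"; }
mkleap db         3676924800 3707596800
mkleap newer_ver  3720000000 3740000000
mkleap later_exp  3676924800 3723235200
mkleap older      3600000000 3650000000

for f in newer_ver later_exp older; do
    echo "$f: keep $(basename "$(pick_leapfile "$tmp/db" "$tmp/$f")")"
done
```

A missing or malformed stamp reads as 0, so an unreadable candidate never displaces a valid file already in place.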
- 25 Aug, 2016 8 commits
cy authored
to ntpd_init_leapfile, to ensure a copy exists in /var/db if a copy isn't already there. Reported by: ache@ MFC after: 1 day
-
Cy Schubert authored
to ntpd_init_leapfile, to ensure a copy exists in /var/db if a copy isn't already there. Reported by: ache@ MFC after: 1 day
-
cy authored
MFC after: 1 day
-
Cy Schubert authored
MFC after: 1 day
-
cy authored
if it contains a $FreeBSD$ header. The header will cause the file to fail checksum of the hash causing ntpd to ignore the file. MFC after: 1 day
-
Cy Schubert authored
if it contains a $FreeBSD$ header. The header will cause the file to fail checksum of the hash causing ntpd to ignore the file. MFC after: 1 day
-
cy authored
1. Use the leap-seconds version number (update time) to determine whether to update the file or not. 2. If the version numbers of the files are the same, use the later expiry date to determine which file to use. Suggested by: ian@ MFC after: 1 day
-
Cy Schubert authored
1. Use the leap-seconds version number (update time) to determine whether to update the file or not. 2. If the version numbers of the files are the same, use the later expiry date to determine which file to use. Suggested by: ian@ MFC after: 1 day
-
- 28 May, 2016 1 commit
cy authored
Use the expiry date to determine whether to replace the DB copy of leapfile instead of using the leapfile serial number (create timestamp). PR: 209577
-
- 27 May, 2016 1 commit
grehan authored
-
- 25 May, 2016 2 commits
cy authored
leapfile instead of using the leapfile serial number (create timestamp). PR: 209577 MFC after: 3 days
-
Cy Schubert authored
leapfile instead of using the leapfile serial number (create timestamp). PR: 209577 MFC after: 3 days
-
- 23 Apr, 2016 2 commits
lme authored
daemon's manpage and probably improved. - Consistently use "filesystem" not "file system". Approved by: bapt, brueffer Differential Revision: D452
-
Lars Engels authored
daemon's manpage and probably improved. - Consistently use "filesystem" not "file system". Approved by: bapt, brueffer Differential Revision: D452
-
- 14 Feb, 2016 1 commit
cy authored
PR: 207095 Submitted by: madpilot Approved by: re (marius)
-
- 11 Feb, 2016 1 commit
cy authored
PR: 207095 Submitted by: madpilot MFC after: 3 days
-