There is an unprotected mv command in /etc/rc.d/ntpd. In certain cases, such as a schg-hardened or other read-only system, it may not be possible to update /var/db/ntpd.leap-seconds.list. In such cases, the rc script processing halts with overrride rw-r--r-- root/wheel for /var/db/ntpd.leap-seconds.list? (y/n [n]) which effectively blocks rc from proceeding. Commands that could result in a console prompt should be protected from such a possibility. In this case, it appears that "mv" should be changed to "mv -f".
Verified. Fix will be committed and MFC'd to stable branches shortly. Sorry it took a year to get to this simple fix.
A commit references this bug: Author: ian Date: Sat Jun 23 02:42:08 UTC 2018 New revision: 335575 URL: https://svnweb.freebsd.org/changeset/base/335575 Log: Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot. The final 'mv' to install a fetched leap-list file can fail (due to a readonly fs, or schg flags, for example), and that leads to mv(1) prompting the user, stopping the boot process. Instead, use mv -f to supress the prompting, and if verbose mode is on, emit a warning that the existing file cannot be replaced. PR: 219255 Changes: head/etc/rc.d/ntpd
A commit references this bug: Author: ian Date: Wed Jul 4 14:01:57 UTC 2018 New revision: 335948 URL: https://svnweb.freebsd.org/changeset/base/335948 Log: MFC r335575, r335786-r335787 r335575: Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot. The final 'mv' to install a fetched leap-list file can fail (due to a readonly fs, or schg flags, for example), and that leads to mv(1) prompting the user, stopping the boot process. Instead, use mv -f to supress the prompting, and if verbose mode is on, emit a warning that the existing file cannot be replaced. PR: 219255 r335786: Rename variable ntp_tmp_leapfile to have a leading underbar, to distinguish it from variables with similar names which are set in rc.conf. This will make more sense as the script grows more similar-name local variables in some upcoming changes. r335787: When being verbose about various leapfile versions, also mention expiration. The expiration date is actually more of a version number than the version date, because expiration changes twice a year, whereas the version only changes when actual leap second events occur (except in USNO leapfiles, which inappropriately bump the version with every expiration date change). Changes: _U stable/11/ stable/11/etc/rc.d/ntpd
A commit references this bug: Author: ian Date: Wed Jul 4 14:12:09 UTC 2018 New revision: 335952 URL: https://svnweb.freebsd.org/changeset/base/335952 Log: MFC r335575, r335786 r335575: Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot. The final 'mv' to install a fetched leap-list file can fail (due to a readonly fs, or schg flags, for example), and that leads to mv(1) prompting the user, stopping the boot process. Instead, use mv -f to supress the prompting, and if verbose mode is on, emit a warning that the existing file cannot be replaced. PR: 219255 r335786: Rename variable ntp_tmp_leapfile to have a leading underbar, to distinguish it from variables with similar names which are set in rc.conf. This will make more sense as the script grows more similar-name local variables in some upcoming changes. Changes: _U stable/10/ stable/10/etc/rc.d/ntpd