Bug 219255

Summary:	/etc/rc.d/ntpd has an unprotected mv command
Product:	Base System	Reporter:	Joe Greco <bugs.freebsd.org>
Component:	conf	Assignee:	Ian Lepore <ian>
Status:	Closed FIXED
Severity:	Affects Some People	CC:	emaste, ian
Priority:	---
Version:	10.3-RELEASE
Hardware:	Any
OS:	Any

Description Joe Greco 2017-05-13 12:10:31 UTC

There is an unprotected mv command in /etc/rc.d/ntpd.

In certain cases, such as a schg-hardened or other read-only system, it may not be possible to update /var/db/ntpd.leap-seconds.list.  In such cases, the rc script processing halts with

overrride rw-r--r-- root/wheel for /var/db/ntpd.leap-seconds.list? (y/n [n])

which effectively blocks rc from proceeding.

Commands that could result in a console prompt should be protected from such a possibility.  In this case, it appears that "mv" should be changed to "mv -f".

Comment 1 Ian Lepore freebsd_committer

2018-06-23 02:36:26 UTC

Verified.  Fix will be committed and MFC'd to stable branches shortly.  Sorry it took a year to get to this simple fix.

Comment 2 commit-hook freebsd_committer

2018-06-23 02:42:29 UTC

A commit references this bug:

Author: ian
Date: Sat Jun 23 02:42:08 UTC 2018
New revision: 335575
URL: https://svnweb.freebsd.org/changeset/base/335575

Log:
  Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot.

  The final 'mv' to install a fetched leap-list file can fail (due to a
  readonly fs, or schg flags, for example), and that leads to mv(1)
  prompting the user, stopping the boot process.  Instead, use mv -f
  to supress the prompting, and if verbose mode is on, emit a warning
  that the existing file cannot be replaced.

  PR:		219255

Changes:
  head/etc/rc.d/ntpd

Comment 3 commit-hook freebsd_committer

2018-07-04 14:02:06 UTC

A commit references this bug:

Author: ian
Date: Wed Jul  4 14:01:57 UTC 2018
New revision: 335948
URL: https://svnweb.freebsd.org/changeset/base/335948

Log:
  MFC r335575, r335786-r335787

  r335575:
  Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot.

  The final 'mv' to install a fetched leap-list file can fail (due to a
  readonly fs, or schg flags, for example), and that leads to mv(1)
  prompting the user, stopping the boot process.  Instead, use mv -f
  to supress the prompting, and if verbose mode is on, emit a warning
  that the existing file cannot be replaced.

  PR:		219255

  r335786:
  Rename variable ntp_tmp_leapfile to have a leading underbar, to distinguish
  it from variables with similar names which are set in rc.conf.  This will
  make more sense as the script grows more similar-name local variables in
  some upcoming changes.

  r335787:
  When being verbose about various leapfile versions, also mention expiration.

  The expiration date is actually more of a version number than the version
  date, because expiration changes twice a year, whereas the version only
  changes when actual leap second events occur (except in USNO leapfiles,
  which inappropriately bump the version with every expiration date change).

Changes:
_U  stable/11/
  stable/11/etc/rc.d/ntpd

Comment 4 commit-hook freebsd_committer

2018-07-04 14:12:34 UTC

A commit references this bug:

Author: ian
Date: Wed Jul  4 14:12:09 UTC 2018
New revision: 335952
URL: https://svnweb.freebsd.org/changeset/base/335952

Log:
  MFC r335575, r335786

  r335575:
  Use 'mv -f' in rc.d/ntpd to avoid spuriously halting the boot.

  The final 'mv' to install a fetched leap-list file can fail (due to a
  readonly fs, or schg flags, for example), and that leads to mv(1)
  prompting the user, stopping the boot process.  Instead, use mv -f
  to supress the prompting, and if verbose mode is on, emit a warning
  that the existing file cannot be replaced.

  PR:		219255

  r335786:
  Rename variable ntp_tmp_leapfile to have a leading underbar, to distinguish
  it from variables with similar names which are set in rc.conf.  This will
  make more sense as the script grows more similar-name local variables in
  some upcoming changes.

Changes:
_U  stable/10/
  stable/10/etc/rc.d/ntpd