On Sat, 30 Dec 2006, Per Hedeland wrote:

> In article
>
> It should probably be noted that the problem here is not just specific
> to running ntpd on Linux, but to running the "Linux-modified" ntpd on
> Linux - the reference implementation provided by ntp.isc.org doesn't
> have the capability-dropping stuff that seems to be the problem (or at
> least it didn't last time I looked).

It's in the sources from ntp.isc.org for three years now. And this is one of the (few) examples where the concept of "Linux capabilities" can really help (because "setting the system clock" is such a limited privilege, well separable from other root privileges and not so easy to exploit to get a "root shell"). I have added some instructions concerning this feature to http://ntp.isc.org/Support/KnownOsIssues

> That being said, I can't be bothered to hunt down the rpm or whatever to
> find the "open" source for this version, but does it really fail fatally
> if the capability-dropping doesn't work? It would seem to make more
> sense to just continue running with root privileges in that case.

I beg to disagree: falling back, silently, to a less secure behaviour would be wrong, IMHO. If you really want ntpd to run as root, the change in the startup script is trivial enough. But better fix your system. A properly configured kernel and a non-broken libcap should be all you need to make it work. The vanilla kernel and libcap sources from kernel.org work fine for me.

> Of course, if ntpd isn't actually started with root privileges, it would
> explain both the failure to drop privileges and the subsequent failure
> to discipline the clock...

Yes, but then it could never have worked with the old kernel version either.

Regards,
Timo

--
Timo Felbinger                    http://www.felbinger.net
Quantum Physics Group             Phone: +49 331 977 1793   Fax: -1767
Institut fuer Physik              Mobile: +49 177 735 1936
Universitaet Potsdam, Germany     PGP key-id: E92567B2

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
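The thread turns on two points: that a clock daemon needs only CAP_SYS_TIME once it has dropped root, and that a daemon which silently keeps running with full privileges when the drop fails is worse than one that stops. The following script is an added example, not code from the thread, from the Linux-modified ntpd or from the ntp.isc.org sources; it verifies from the outside which capabilities a running process actually holds by decoding the CapEff line of /proc/<pid>/status, and reports anything beyond an allow-list. It assumes a Linux /proc, the capability numbering from <linux/capability.h>, and that CAP_SYS_TIME is the only capability the daemon is meant to retain (the allow-list is a parameter, so a different set can be passed). The two status snippets inside it are constructed samples, not captured from a real ntpd.

```python
#!/usr/bin/env python3
"""Report which Linux capabilities a process really holds (added example).

Reads the CapEff bitmask from /proc/<pid>/status and lists every capability
beyond an allow-list. Used after a daemon such as ntpd claims to have dropped
root, this answers "did the drop actually happen?" instead of assuming it did.
"""
import re
import sys

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# The one capability a clock daemon needs after dropping root (assumed allow-list).
CLOCK_ONLY = frozenset({"CAP_SYS_TIME"})

# Constructed samples of /proc/<pid>/status fragments (not captured from a real ntpd).
SAMPLE_DROPPED = "Name:\tntpd\nUid:\t123\t123\t123\t123\nCapEff:\t0000000002000000\n"
SAMPLE_STILL_ROOT = "Name:\tntpd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def decode_caps(mask):
    """Turn a CapEff bitmask into the set of capability names it contains."""
    names = set()
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            # Unknown bits (newer kernels) are still reported rather than ignored.
            names.add(CAP_NAMES.get(bit, f"CAP_{bit}"))
        bit += 1
    return names


def parse_capeff(status_text):
    """Extract the effective-capability mask from status text; None if absent."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def excess_caps(status_text, allowed=CLOCK_ONLY):
    """Return the capabilities held beyond `allowed`.

    Fails closed: if CapEff cannot be parsed, the result is a non-empty set,
    so a broken check can never be mistaken for "nothing beyond the allow-list".
    """
    mask = parse_capeff(status_text)
    if mask is None:
        return {"<unparsable CapEff>"}
    return decode_caps(mask) - set(allowed)


def check_pid(pid, allowed=CLOCK_ONLY):
    """Read /proc/<pid>/status and return the excess capabilities for that process."""
    with open(f"/proc/{pid}/status") as f:
        return excess_caps(f.read(), allowed)


if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    try:
        extra = check_pid(pid)
    except OSError as e:
        print(f"cannot read /proc/{pid}/status: {e}")
        sys.exit(2)
    if extra:
        print(f"pid {pid} holds capabilities beyond CAP_SYS_TIME: {sorted(extra)}")
        sys.exit(1)
    print(f"pid {pid}: only the allowed capabilities are effective")
```

Run it as `python3 capcheck.py $(pidof ntpd)` on the host after the daemon has started. A process that kept only CAP_SYS_TIME prints the success line; one that never dropped root lists the extra capabilities and exits non-zero, which makes the check usable from a monitoring job or a start-up script that refuses to proceed, in the same fail-closed spirit as the daemon behaviour defended above.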
