[ntp:questions] NTP daemon broken in 2.6.19?
Timo.Felbinger at physik.uni-potsdam.de
Sun Dec 31 13:47:50 UTC 2006
On Sat, 30 Dec 2006, Per Hedeland wrote:
> In article
> It should probably be noted that the problem here is not just specific
> to running ntpd on Linux, but to running the "Linux-modified" ntpd on
> Linux - the reference implementation provided by ntp.isc.org doesn't
> have the capability-dropping stuff that seems to be the problem (or at
> least it didn't last time I looked).
It's in the sources from ntp.isc.org for three years now. And this
is one of the (few) examples where the concept of "Linux capabilities"
can really help (because "setting the system clock" is such a limited
privilege, well separable from other root privileges and not so easy
to exploit to get a "root shell").
I have added some instructions concerning this feature to to
> That being said, I can't be bothered to hunt down the rpm or whatever to
> find the "open" source for this version, but does it really fail fatally
> if the capability-dropping doesn't work? It would seem to make more
> sense to just continue running with root privileges in that case.
I beg to disagree: falling back, silently, to a less secure behaviour
would be wrong, IMHO. If you really want ntpd to run as root, the
change in the startup script is trivial enough. But better fix your
system. A properly configured kernel and a non-broken libcap should
be all you need to make it work. The vanilla kernel and libcap sources
from kernel.org work fine for me.
> course, if ntpd isn't actually started with root privileges, it would
> explain both the failure to drop privileges and the subsequent failure
> to discipline the clock...
Yes but then it could never have worked with the old kernel version
Timo Felbinger http://www.felbinger.net
Quantum Physics Group Phone: +49 331 977 1793 Fax: -1767
Institut fuer Physik Mobile: +49 177 735 1936
Universitaet Potsdam, Germany PGP key-id: E92567B2
More information about the questions