[ntp:questions] NTP daemon broken in 2.6.19?

Timo Felbinger Timo.Felbinger at physik.uni-potsdam.de
Sun Dec 31 13:47:50 UTC 2006


On Sat, 30 Dec 2006, Per Hedeland wrote:

> In article
>
> It should probably be noted that the problem here is not just specific
> to running ntpd on Linux, but to running the "Linux-modified" ntpd on
> Linux - the reference implementation provided by ntp.isc.org doesn't
> have the capability-dropping stuff that seems to be the problem (or at
> least it didn't last time I looked).

It's in the sources from ntp.isc.org for three years now. And this
is one of the (few) examples where the concept of "Linux capabilities"
can really help (because "setting the system clock" is such a limited
privilege, well separable from other root privileges and not so easy
to exploit to get a "root shell").

I have added some instructions concerning this feature to to
http://ntp.isc.org/Support/KnownOsIssues

> That being said, I can't be bothered to hunt down the rpm or whatever to
> find the "open" source for this version, but does it really fail fatally
> if the capability-dropping doesn't work? It would seem to make more
> sense to just continue running with root privileges in that case.

I beg to disagree: falling back, silently, to a less secure behaviour
would be wrong, IMHO. If you really want ntpd to run as root, the
change in the startup script is trivial enough. But better fix your
system. A properly configured kernel and a non-broken libcap should
be all you need to make it work. The vanilla kernel and libcap sources
from kernel.org work fine for me.

> Of
> course, if ntpd isn't actually started with root privileges, it would
> explain both the failure to drop privileges and the subsequent failure
> to discipline the clock...
>
Yes but then it could never have worked with the old kernel version
either.

Regards,

Timo

-- 
Timo Felbinger                  http://www.felbinger.net
Quantum Physics Group           Phone:  +49 331 977 1793   Fax: -1767
Institut fuer Physik            Mobile: +49 177 735 1936
Universitaet Potsdam, Germany   PGP key-id: E92567B2




More information about the questions mailing list