[ntp:questions] NTP daemon broken in 2.6.19?

Per Hedeland per at hedeland.org
Mon Jan 1 10:22:14 UTC 2007


In article
<Pine.LNX.4.58.0612311332250.16319 at uranos.quantum.physik.uni-potsdam.de>
Timo Felbinger <Timo.Felbinger at physik.uni-potsdam.de> writes:
>
>On Sat, 30 Dec 2006, Per Hedeland wrote:
>>
>> It should probably be noted that the problem here is not just specific
>> to running ntpd on Linux, but to running the "Linux-modified" ntpd on
>> Linux - the reference implementation provided by ntp.isc.org doesn't
>> have the capability-dropping stuff that seems to be the problem (or at
>> least it didn't last time I looked).
>
>It's in the sources from ntp.isc.org for three years now.

Oops, sorry, seems it was a while since I last looked for that
particular thing...:-) Though I wouldn't be surprised if most Linux
users are still running a version that had this code added after the
release (the version wasn't mentioned in this thread as far as I can
see).

>> That being said, I can't be bothered to hunt down the rpm or whatever to
>> find the "open" source for this version, but does it really fail fatally
>> if the capability-dropping doesn't work? It would seem to make more
>> sense to just continue running with root privileges in that case.
>
>I beg to disagree: falling back, silently, to a less secure behaviour
>would be wrong, IMHO.

I didn't say that it should fall back *silently*, logging the problem
would of course be appropriate. And I was thinking of it along the lines
of other "probably-useful-but-not-essential-to-keeping-the-time" things
that ntpd does (or used to do:-), like locking the process into RAM,
requesting real-time priority, etc - things which may be nominally
available on a given OS, but not enabled/configured in the running
kernel, and where it's clearly the right thing to carry on without if
they fail.

But of course there is a difference (besides security) with the
privilege-dropping - you specifically ask for it via command-line
arguments, and if ntpd can't do what you ask it to do, it arguably makes
sense to exit with an error code (after reporting the problem), as the
current "official" sources do.

--Per Hedeland
per at hedeland.org
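
The policy discussed in the message above, as an added example that is not part of the original post or of the ntpd sources: best-effort steps (memory locking, real-time priority) are logged and skipped when they fail, while the explicitly requested privilege drop is fatal. The names `struct step`, `apply_hardening`, the stubs and the uid/gid 65534 are assumptions, and plain setgid/setuid stands in for the Linux capability calls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One startup hardening step; 'required' marks what the operator
 * explicitly asked for, everything else is best-effort. */
struct step { const char *name; int (*fn)(void); int required; };

static int lock_memory(void) { return mlockall(MCL_CURRENT | MCL_FUTURE); }
static int realtime_prio(void) {
    struct sched_param sp = { .sched_priority = sched_get_priority_min(SCHED_FIFO) };
    return sched_setscheduler(0, SCHED_FIFO, &sp);
}
/* Hypothetical target ids; a real daemon resolves them from its arguments. */
static uid_t run_uid = 65534;
static gid_t run_gid = 65534;
static int drop_root(void) {
    /* Supplementary groups first, uid last, then confirm root cannot come back. */
    if (setgroups(1, &run_gid) || setgid(run_gid) || setuid(run_uid)) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}
/* Constructed stubs modelling a kernel with a feature present or absent. */
int stub_ok(void) { return 0; }
int stub_unsupported(void) { errno = ENOSYS; return -1; }

/* Returns -1 when a required step fails (caller must exit non-zero),
 * otherwise the number of best-effort steps that failed and were logged. */
int apply_hardening(const struct step *steps, size_t n) {
    int skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (steps[i].fn() == 0) continue;
        fprintf(stderr, "%s failed: %s (%s)\n", steps[i].name, strerror(errno),
                steps[i].required ? "fatal" : "continuing without it");
        if (steps[i].required) return -1;
        skipped++;
    }
    return skipped;
}

int main(void) {
    const struct step real[] = { {"mlockall", lock_memory, 0},
        {"realtime priority", realtime_prio, 0}, {"drop root", drop_root, 1} };
    return apply_hardening(real, 3) < 0 ? 1 : 0;
}
```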
