[ntp:questions] New Windows NTP Installer available

Danny Mayer mayer at ntp.isc.org
Wed Aug 1 03:52:42 UTC 2007


Heiko Gerstung wrote:
> Ulrich Windl wrote:
>> "David J Taylor" <david-taylor at blueyonder.not-this-bit.nor-this-bit.co.uk> writes:
>>
>>> Heiko Gerstung wrote:
>>>> Hi Gurus of Time!
>>>>
>>>> I am very happy to announce that we just released a new stable
>>>> version of our NTP Installer for Windows, including ntp-4.2.4p3 and
>>>> openssl-0.9.8e.
>>> []
>>>> Best Regards,
>>>>  Heiko
>>> Heiko,
>>>
>>> There /may/ be another issue with Windows 2000, in that NTP is producing 
>>> event-log messages about not being able to write ntp.drift.TEMP.  I 
>>> checked the ntp.drift (actually in \WinNT\ in this installation) and it 
>>> didn't have a permissions entry for the ntp account, so I have now changed 
>>> the permissions to all-users, full control.  It's about 30 minutes before 
>>> the next error message is due, so I'll try and check back then....
>> Why not use %USERPROFILE% instead of %SystemRoot% for state information?
>> There may also be %TMP% or %TEMP% defined.  UNIX users always make a
>> difference between program directories (which may be shared read-only) and
>> data directories (which should be writable and private).
> 
> This is how it works with the installer per default. It creates an 
> account with which the service is running and uses %PROGRAM 
> FILES%\ntp\etc as its default location for the drift file. The service 
> account is granted read-write access to "his" directories and there is 
> no need to grant any rights to other directories.
> 
> Older versions of the NTP port for Windows did not honor all file 
> location statements in the config file (such as "driftfile") and ignored 
> the "-c configfile" commandline parameter, instead they searched for the 
> config file in three fixed locations (in the windir subtree) and used 
> hardcoded (AFAIK) locations for the driftfile.
> 

I will be updating the code at some point to put default locations for
the config file and drift file into the NTP service location of the registry
rather than using those fixed locations.

> I guess that David's system once ran such an old ntpd and the installer 
> now does not touch this existing setup, if you choose the "update 
> binaries only" approach.
> 
>>> No, it seems to still want to write to ntp.drift.TEMP rather than 
>>> ntp.drift, so I've started NTP after checking the permissions on 
>>> ntp.drift.  Check back in just over an hour....
>> AFAIK: if the temporary file is removed, so are your ACLs.
> 
> Correct. The biggest problem in terms of security was that using the 
> temporary file approach requires ntpd to have write access to the whole 
> directory.

You need to have write access to write the drift file. We can do a
better job of specifying ACLs.

Danny
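
The behaviour discussed in this thread (the drift file is replaced by way of ntp.drift.TEMP, so permissions set on ntp.drift itself do not survive and the whole directory must be writable), shown as an added example that is not from the ntp sources or from any poster above. It assumes a POSIX system and uses mode bits as a stand-in for Windows ACLs; `write_drift_via_temp`, `permissions_lost_after_update` and the `/tmp/driftdemo.*` directory are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Update the drift file the way the thread describes: write "<path>.TEMP",
 * then rename it over <path>. Returns 0 on success, -1 on failure. */
int write_drift_via_temp(const char *path, double drift)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.TEMP", path) >= (int)sizeof tmp)
        return -1;
    FILE *fp = fopen(tmp, "w");   /* creating a NEW file needs write access to the directory */
    if (fp == NULL)
        return -1;
    int ok = fprintf(fp, "%.3f\n", drift) > 0;
    ok = (fclose(fp) == 0) && ok;
    if (!ok || rename(tmp, path) != 0) {   /* rename modifies the directory too */
        remove(tmp);
        return -1;
    }
    return 0;
}

/* Constructed scenario: permissions are set on ntp.drift itself, then the
 * next update runs. Returns 1 if the setting was lost, 0 if kept, -1 on error. */
int permissions_lost_after_update(void)
{
    char dir[] = "/tmp/driftdemo.XXXXXX", path[64];
    struct stat before, after;
    int rc = -1;
    umask(022);                   /* newly created files get mode 0644 */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/ntp.drift", dir);
    if (write_drift_via_temp(path, 1.234) == 0 &&
        chmod(path, 0666) == 0 && stat(path, &before) == 0 &&  /* the manual "fix" */
        write_drift_via_temp(path, 5.678) == 0 && stat(path, &after) == 0)
        rc = before.st_ino != after.st_ino && (after.st_mode & 0777) != 0666;
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("permissions lost after update: %d\n", permissions_lost_after_update());
}
```

The second update lands in a different inode with the creation-time default mode, which is why the grant has to be made on the directory the service account owns rather than on the drift file.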



