On 12/14/2017 12:01 AM, Hal Murray wrote:
> Is it easy to hack the startup scripts to change the mode so root can read it?

Yes, that could be done. I'm not sure I like that as a solution. It seems weird to have something that only works correctly when run through the init system, and subtly misbehaves if started by hand.

> That sort of stuff used to be easy before systemd

It's still easy. Add this to ntpd.service:

    ExecStartPre=-/bin/chmod -f 664 /var/lib/ntp/ntp.drift

In sysvinit, you'd want:

    chmod -f 664 /var/lib/ntp/ntp.drift || true

> Have you tried refclocks with apparmor?

Yes. I have one system that uses the spectracom driver. With the Debian/Ubuntu apparmor policy, you have to add the serial device to /etc/apparmor.d/tunables/ntpd. For example, I am using /dev/ttyS0.

ntpd is not allowed to access a serial port by default. It *is* allowed to access /dev/pps* by default. I've inherited this apparmor policy from the ntp package. I have made a few changes, but this seems reasonable. I don't think the distro needs to allow ntpd to access serial ports by default.

> I think the current code opens them before dropping root.

I assume it does. My /dev/ttyS0 is 660 root dialout, ntpd is running as ntp:ntp, and the ntp user is not a member of dialout.

-- 
Richard
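
Added example (not part of the message above and not NTPsec or distro code): a small model of the classic Unix mode-bit check, applied to the two files the message names. It shows why ntp:ntp cannot open a 660 root:dialout serial port after the privilege drop, while a 664 drift file stays readable through the "other" bits. The numeric uids and gids, the drift file's ntp:ntp ownership, and the `dac_override=False` case (a root process without CAP_DAC_OVERRIDE) are assumptions made for illustration.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    uid: int
    gids: frozenset  # primary plus supplementary group ids

@dataclass(frozen=True)
class Node:
    path: str
    mode: int
    uid: int
    gid: int

def dac_allows(who, node, read=True, write=False, dac_override=None):
    """Classic Unix mode-bit check (no ACLs, no AppArmor rules)."""
    if dac_override is None:
        dac_override = who.uid == 0   # unconfined root holds CAP_DAC_OVERRIDE
    if dac_override:
        return True
    # Exactly one class applies: owner first, then group, then other.
    if who.uid == node.uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif node.gid in who.gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    need = (r if read else 0) | (w if write else 0)
    return (node.mode & need) == need

# Constructed ids; only the modes, names and paths come from the message.
NTP_ID, DIALOUT_GID = 123, 20
ROOT = Identity(0, frozenset({0}))
NTP = Identity(NTP_ID, frozenset({NTP_ID}))                # not a member of dialout
OPERATOR = Identity(1000, frozenset({1000, DIALOUT_GID}))  # hypothetical dialout member

TTY = Node("/dev/ttyS0", 0o660, 0, DIALOUT_GID)
DRIFT = Node("/var/lib/ntp/ntp.drift", 0o664, NTP_ID, NTP_ID)  # ownership assumed

if __name__ == "__main__":
    for label, who, kw in [("root", ROOT, {}), ("ntp", NTP, {}),
                           ("root without CAP_DAC_OVERRIDE", ROOT, {"dac_override": False})]:
        for node, write in [(TTY, True), (DRIFT, False), (DRIFT, True)]:
            ok = dac_allows(who, node, write=write, **kw)
            print(f"{label:30} {'rw' if write else 'r-'} {node.path:24} "
                  f"{'allowed' if ok else 'denied'}")
```

The model covers mode bits only; an AppArmor profile is evaluated in addition to them, so a path must pass both checks.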
