I've been running on Linux with ntpd starting as non-root with reduced
capabilities. Do we want to merge this in?
It's not a big deal, but one more small step in the right direction. The
biggest disadvantage I can see is the increased complexity in the startup
It will take a lot of testing and some waf install tweaks that may be over my
Here are the changes it takes. (I might have missed something).
The basic idea is to use setcap to set up the required capabilities. The
capabilities on a file get ORed in with the starting user's capabilities, so
the second part is to start running as user ntp rather than root. Setuid
doesn't do what we need. We need to use runuser or su or ...
Install (I have a script where I put this):
# cap_sys_resource => setrlimit
# cap_ipc_lock => mlockall, mmap, shmctl
# cap_sys_nice => sched_setscheduler
# cap_setgid,cap_setuid => droproot stuff (may not be needed to drop priv)
(the above was one long line before my mail system does whatever it does)
chown ntp:ntp $DESTDIR/usr/local/sbin/ntpd
chmod +s $DESTDIR/usr/local/sbin/ntpd
ExecStart=/usr/sbin/runuser -u ntp -- /usr/local/sbin/ntpd -u ntp:ntp
From /etc/init.d/ntp on Ubuntu 16.04.3 LTS:
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --exec /sbin/runuser -- -u ntp -- $DAEMON -p $PIDFILE $NTPD_OPTS
(The first -- is for start-stop-daemon, the second -- is for runuser.)
ntpd needs a minor patch to not die if started as non-root. That should
probably be changed to die if started without needed capabilities.
I think we can avoid cap_setgid and cap_setuid by not switching to ntp:ntp.
For testing, I just used the old drop root code to dump the capabilities that
are not needed after startup.
You also have to get the permissions right on log files and refclock device
These are my opinions. I hate spam.
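The mail describes granting ntpd a fixed set of file capabilities and then starting it as user ntp, but gives no way to confirm what the running daemon actually ended up with. Below is an added example (my own, not part of the mail or of the ntpd tree) that reads CapEff from /proc/PID/status and checks it against exactly the five capabilities named above; the capability bit numbers come from linux/capability.h, the setcap/getcap invocation in grant_caps follows the standard libcap syntax, and the SAMPLE_STATUS text is constructed here for offline use.

```shell
#!/bin/bash
# Added example: verify that an ntpd process runs with exactly the capability
# set the install step grants (setcap on the binary, then runuser -u ntp).

# Bit numbers from <linux/capability.h>; only the ones this page cares about are
# named, anything else is reported as cap_<number>.
cap_name() {
  case "$1" in
    6)  echo cap_setgid ;;
    7)  echo cap_setuid ;;
    14) echo cap_ipc_lock ;;
    23) echo cap_sys_nice ;;
    24) echo cap_sys_resource ;;
    *)  echo "cap_$1" ;;
  esac
}

# decode_caps HEXMASK -> ascending, space-separated capability names
# (HEXMASK is the 16-digit value shown on the CapEff:/CapPrm: lines).
decode_caps() {
  local mask i out=""
  mask=$(( 0x$1 ))
  i=0
  while [ "$i" -lt 64 ]; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="$out $(cap_name "$i")"
    fi
    i=$(( i + 1 ))
  done
  echo "${out# }"
}

# capeff_of STATUS_TEXT -> the hex mask on the CapEff: line
capeff_of() {
  printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# The set the mail grants with setcap (cap_setgid/cap_setuid may be dropped
# later if ntpd is started directly as ntp and never switches user).
EXPECTED_CAPS="cap_setgid cap_setuid cap_ipc_lock cap_sys_nice cap_sys_resource"

# check_caps HEXMASK -> 0 if the mask is exactly EXPECTED_CAPS, 1 otherwise
check_caps() {
  [ "$(decode_caps "$1")" = "$EXPECTED_CAPS" ]
}

# check_proc PID -> compare the live process against EXPECTED_CAPS
check_proc() {
  local status mask actual
  status=$(cat "/proc/$1/status") || return 2
  mask=$(capeff_of "$status")
  actual=$(decode_caps "$mask")
  if [ "$actual" = "$EXPECTED_CAPS" ]; then
    echo "pid $1: ok ($actual)"
    return 0
  fi
  echo "pid $1: unexpected capability set: ${actual:-none}" >&2
  return 1
}

# grant_caps BINARY -> install-time step (needs root); prints the result of getcap
grant_caps() {
  setcap "cap_sys_resource,cap_ipc_lock,cap_sys_nice,cap_setgid,cap_setuid=ep" "$1" \
    && getcap "$1"
}

# Constructed /proc/PID/status excerpt with the five expected bits set
# (bits 6,7,14,23,24 -> 0x18040c0).
SAMPLE_STATUS=$(printf 'Name:\tntpd\nCapInh:\t0000000000000000\nCapPrm:\t00000000018040c0\nCapEff:\t00000000018040c0\n')

# Usage: ./checkcaps.sh $(pidof ntpd)
if [ -n "${1-}" ]; then
  check_proc "$1"
fi
```

Run it against the pid of a freshly started ntpd; a mask of all zeros means the capabilities were lost somewhere between setcap and runuser (for instance because the binary was replaced by a reinstall without re-running setcap), while extra bits mean the daemon is still running with more than the install step intended.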