I've been running on Linux with ntpd starting as non-root with reduced capabilities. Do we want to merge this in?
It's not a big deal, but one more small step in the right direction.

The biggest disadvantage I can see is the increased complexity in the startup scripts. It will take a lot of testing and some waf install tweaks that may be over my head.

Here are the changes it takes. (I might have missed something.)

The basic idea is to use setcap to set up the required capabilities. The capabilities on a file get ORed in with the starting user's capabilities, so the second part is to start running as user ntp rather than root. Setuid doesn't do what we need. We need to use runuser or su or ...

Install (I have a script where I put this):

  # cap_sys_resource => setrlimit
  # cap_ipc_lock => mlockall, mmap, shmctl
  # cap_sys_nice => sched_setscheduler
  # cap_setgid,cap_setuid => droproot stuff (may not be needed to drop priv)
  setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe $DESTDIR/usr/local/sbin/ntpd
  (the above was one long line before my mail system does whatever it does)
  chown ntp:ntp $DESTDIR/usr/local/sbin/ntpd
  chmod +s $DESTDIR/usr/local/sbin/ntpd

ntpd.service (systemd):

  ExecStart=/usr/sbin/runuser -u ntp -- /usr/local/sbin/ntpd -u ntp:ntp $OPTIONS

From /etc/init.d/ntp on Ubuntu 16.04.3 LTS:

  start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --exec /sbin/runuser -- -u ntp -- $DAEMON -p $PIDFILE $NTPD_OPTS

(The first -- is for start-stop-daemon, the second -- is for runuser.)

ntpd needs a minor patch to not die if started as non-root. That should probably be changed to die if started without needed capabilities.

I think we can avoid cap_setgid and cap_setuid by not switching to ntp:ntp. For testing, I just used the old drop root code to dump the capabilities that are not needed after startup.

You also have to get the permissions right on log files and refclock device files.

-- 
These are my opinions. I hate spam.
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
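The mail proposes that ntpd should die if it is started without the capabilities it needs, and that it should drop the ones it no longer needs after startup. As an added example (not code from the mail or from NTPsec), here is a small Python check that decodes the CapEff mask a Linux kernel reports in /proc/<pid>/status and compares it with the set granted by the setcap line above. The capability bit numbers come from the kernel's linux/capability.h; the sample status text is constructed for the example, and reading a live PID is an assumed convenience rather than anything the post describes.

```python
"""Decode a Linux CapEff mask and compare it with the capability set
the mail's setcap line grants ntpd.  Added example, not NTPsec code."""
import re
import sys

# Capability bit numbers from <linux/capability.h> (0..31 named here;
# higher bits, e.g. cap_sys_admin-adjacent newer caps, decode as cap_<n>).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
    "cap_sys_boot": 22, "cap_sys_nice": 23, "cap_sys_resource": 24,
    "cap_sys_time": 25, "cap_sys_tty_config": 26, "cap_mknod": 27,
    "cap_lease": 28, "cap_audit_write": 29, "cap_audit_control": 30,
    "cap_setfcap": 31,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# The set from the mail's setcap command.  cap_setgid/cap_setuid are only
# needed while ntpd still switches to ntp:ntp itself.
STARTUP_CAPS = {
    "cap_setgid", "cap_setuid", "cap_sys_resource", "cap_ipc_lock",
    "cap_sys_nice", "cap_sys_time", "cap_net_bind_service",
}
# What is still needed once sockets are bound and limits/scheduling are set:
# cap_sys_time for stepping/slewing the clock, cap_net_bind_service only if
# ntpd rebinds sockets later (kept here as the conservative choice).
STEADY_STATE_CAPS = {"cap_sys_time", "cap_net_bind_service"}

# Constructed sample: an ntpd started with exactly the setcap set above.
SAMPLE_STATUS_NTPD = (
    "Name:\tntpd\n"
    "Uid:\t123\t123\t123\t123\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000038044c0\n"
    "CapEff:\t00000000038044c0\n"
)


def mask_from_names(names):
    """Build a capability bitmask from cap_* names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name.lower()]
    return mask


def names_from_mask(mask):
    """Expand a bitmask into the set of cap_* names it contains."""
    names = set()
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.add(BIT_NAMES.get(bit, "cap_%d" % bit))
        bit += 1
    return names


def parse_cap_eff(status_text):
    """Return the CapEff mask from /proc/<pid>/status text as an int."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def check_caps(mask, required):
    """Compare an effective mask with a required set.

    'missing' => the daemon cannot do its job and should refuse to start;
    'excess'  => privilege it holds but does not need (drop candidates)."""
    have = names_from_mask(mask)
    return {"missing": set(required) - have, "excess": have - set(required)}


def check_pid(pid, required=STARTUP_CAPS):
    """Read a live process's status (assumed Linux /proc layout)."""
    with open("/proc/%d/status" % pid) as fh:
        return check_caps(parse_cap_eff(fh.read()), required)


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else None
    result = (check_pid(pid) if pid
              else check_caps(parse_cap_eff(SAMPLE_STATUS_NTPD), STARTUP_CAPS))
    print("missing:", sorted(result["missing"]) or "none")
    print("excess: ", sorted(result["excess"]) or "none")
```

Run with `python3 capcheck.py $(pidof ntpd)` to audit a running daemon; with no argument it evaluates the constructed sample. A root-started ntpd shows a long `excess` list (cap_sys_admin, cap_net_raw and so on), which is exactly the privilege the setcap-plus-runuser scheme removes; a result with anything in `missing` is the case the mail suggests ntpd should treat as fatal at startup.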