In article <[EMAIL PROTECTED]> Timo Felbinger <[EMAIL PROTECTED]> writes:
>
>On Sat, 30 Dec 2006, Per Hedeland wrote:
>>
>> It should probably be noted that the problem here is not just specific
>> to running ntpd on Linux, but to running the "Linux-modified" ntpd on
>> Linux - the reference implementation provided by ntp.isc.org doesn't
>> have the capability-dropping stuff that seems to be the problem (or at
>> least it didn't last time I looked).
>
>It's in the sources from ntp.isc.org for three years now.

Oops, sorry, seems it was a while since I last looked for that particular
thing...:-) Though I wouldn't be surprised if most Linux users are still
running a version that had this code added after the release (the version
wasn't mentioned in this thread as far as I can see).

>> That being said, I can't be bothered to hunt down the rpm or whatever to
>> find the "open" source for this version, but does it really fail fatally
>> if the capability-dropping doesn't work? It would seem to make more
>> sense to just continue running with root privileges in that case.
>
>I beg to disagree: falling back, silently, to a less secure behaviour
>would be wrong, IMHO.

I didn't say that it should fall back *silently*, logging the problem would
of course be appropriate. And I was thinking of it along the lines of other
"probably-useful-but-not-essential-to-keeping-the-time" things that ntpd
does (or used to do:-), like locking the process into RAM, requesting
real-time priority, etc - things which may be nominally available on a
given OS, but not enabled/configured in the running kernel, and where it's
clearly the right thing to carry on without if they fail. But of course
there is a difference (besides security) with the privilege-dropping - you
specifically ask for it via command-line arguments, and if ntpd can't do
what you ask it to do, it arguably makes sense to exit with an error code
(after reporting the problem), as the current "official" sources do.

--Per Hedeland
[EMAIL PROTECTED]

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
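The fail-closed behaviour discussed above (report the problem, then exit with an error code, instead of silently carrying on as root), as an added C example that is not ntpd's own code; it drops to a plain uid/gid with setgid/setuid rather than Linux capabilities, and verifies that root cannot be regained. The `drop_status` codes and `drop_or_die` are hypothetical names for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (hypothetical, for this example); the caller picks the policy. */
enum drop_status {
    DROP_OK = 0,
    DROP_ERR_TARGET_ROOT,      /* refusing to "drop" to uid 0 */
    DROP_ERR_SETGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_PRIVILEGED  /* calls succeeded but root can still be regained */
};

/* Drop to uid/gid and verify the drop actually took effect. */
enum drop_status drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return DROP_ERR_TARGET_ROOT;
    /* Clearing supplementary groups needs root, so only attempt it while root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return DROP_ERR_SETGROUPS;
    /* gid first: after setuid() we would no longer be allowed to change it. */
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;
    /* A drop that can be undone is not a drop: becoming root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return DROP_ERR_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Fail-closed policy: log the failure, then exit non-zero (no silent fallback). */
void drop_or_die(uid_t uid, gid_t gid)
{
    static const char *names[] = { "ok", "target is root", "setgroups failed",
        "setgid failed", "setuid failed", "still privileged" };
    enum drop_status st = drop_privileges(uid, gid);
    if (st == DROP_OK)
        return;
    fprintf(stderr, "cannot drop privileges to uid %lu: %s", (unsigned long)uid, names[st]);
    if (st == DROP_ERR_SETGROUPS || st == DROP_ERR_SETGID || st == DROP_ERR_SETUID)
        fprintf(stderr, " (%s)", strerror(errno));
    fputc('\n', stderr);
    exit(EXIT_FAILURE);
}
```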
