On 29/06/2017 02:06, Taylor R Campbell wrote:
>> we've been able to run ntpd as non-root for a while. this is not the
>> default if you innocently ntpd=yes in rc.conf. it requires
>> /dev/clockctl, and most things have it, even one of the sun2 kernels.
>>
>> can I change this to become the default, for better default security?
>
> There's one complication: if your IP address ever changes, then ntpd
> must be restarted. So it requires a little wiring with, e.g.,
> ifwatchd. I do this on all my machines, but it is a bit of trouble.
>
> Ideally we ought to find some way to make it work unprivileged out of
> the box with no trouble, perhaps by always running ifwatchd in tandem,
> or perhaps with an easily audited ntpd-specific supervisor process.
I could modify /libexec/dhcpcd-hooks/50-ntp.conf to restart ntpd if the IP address changes, if that helps your use-case. However, it's a waste of resources if ntpd is running as root, as it can use the new address itself without restarting.

Roy
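A hook along the lines Roy describes, added here as an example and not dhcpcd's shipped 50-ntp.conf: it restarts ntpd on a lease event that changed the address, but only when the running ntpd is not root, since a root ntpd rebinds by itself. It assumes the $reason, $old_ip_address and $new_ip_address variables that dhcpcd-run-hooks(8) exports to hook scripts, a pidfile at /var/run/ntpd.pid, and NetBSD's /etc/rc.d/ntpd script.

```shell
#!/bin/sh
# Added example, not dhcpcd's own /libexec/dhcpcd-hooks/50-ntp.conf.
# dhcpcd-run-hooks(8) sources hook scripts with $reason, $interface,
# $old_ip_address and $new_ip_address set. An unprivileged ntpd cannot
# pick up a new address itself, so it is restarted when the address moves.

# Exit 0 when a lease event changed the address ntpd may be bound to.
ntpd_address_changed() {
    _reason="$1" _old="$2" _new="$3"
    case "$_reason" in
        BOUND|RENEW|REBIND|REBOOT|INFORM|STATIC)
            # Lease (re)acquired: act only if the address really differs.
            [ -n "$_new" ] && [ "$_new" != "$_old" ] ;;
        EXPIRE|RELEASE|STOP|NAK)
            # Address withdrawn: ntpd's socket is now bound to a dead address.
            [ -n "$_old" ] ;;
        *)
            # Carrier, route or other events do not move the address.
            return 1 ;;
    esac
}

# Exit 0 when the running ntpd is not root. A root ntpd rebinds on its own,
# so restarting it only costs a needless resync (Roy's point above).
# Assumption: ntpd writes its pid to /var/run/ntpd.pid; no pidfile, no restart.
ntpd_runs_unprivileged() {
    _pidfile="${1:-/var/run/ntpd.pid}"
    [ -r "$_pidfile" ] || return 1
    _user=$(ps -o user= -p "$(cat "$_pidfile")" 2>/dev/null) || return 1
    [ -n "$_user" ] && [ "$_user" != "root" ]
}

# Hook body: only acts when sourced by dhcpcd-run-hooks, i.e. $reason is set.
if [ -n "${reason:-}" ] \
   && ntpd_address_changed "$reason" "${old_ip_address:-}" "${new_ip_address:-}" \
   && ntpd_runs_unprivileged; then
    /etc/rc.d/ntpd restart   # assumption: NetBSD rc.d script name
fi
```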