Logfile permissions and ntp group

Mike bellyacres at gmail.com
Tue Jun 7 22:59:11 UTC 2016

On 06/07/2016 06:46 PM, Eric S. Raymond wrote:
> Mike <bellyacres at gmail.com>:
>> On 06/07/2016 05:57 PM, Hal Murray wrote:
>>>> Ntpd is running as user nobody, who can't write to that directory.
>>> Hopefully that is user ntp rather than nobody.
>>> The file permissions need to be set up for log files as well as the drift file.
>> The HOWTO sets up ntpd to run as nobody:nogroup.
>> The logfile set to /var/log/ntpd.log is root:root.  I'm not getting errors
>> there, gathering that it was opened before privileges were dropped.
> OK, this permissions issue was next on my list of things to fix today,
> but you have just confounded my plans.
> I thought I was going to have to tweak clockmaker to create an ntp
> user and group if it doesn't already exist, then set ntp to run with
> those IDs in the init script.  That's easy enough to do.
> You are suggesting that this is not so - that as long as we open log files
> before privilege-dropping the ntp user/group pair isn't necessary at all.
> If true I would mildly prefer to do things that way, it's simpler.
> Input from those with operational experience, please.  What are the pros
> and cons here?

I've always run as ntp:ntp.  I've never had a publicly exposed server
though, only work/home consumption to keep local LAN clocks mostly sane.

I will say that this thread has gone further than what I initially
started above.  I was simply pointing out that /var/lib/ntp/ntp.drift
was unable to be written to as set up by the HOWTO.  There is no logging
or stats enabled in that file...
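
An added example, not part of the original message or the HOWTO: a mode-bit audit of whether a file that a daemon writes after dropping privileges (such as the drift file discussed above) is writable by the run-as user. Unix checks permissions at open time, so a file opened before the drop (the root:root log file in the thread) is outside this check. The helper names, the constructed IDs and the temporary directory standing in for /var/lib/ntp are assumptions.

```python
import os
import tempfile


def _allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; `want` is rwx as 3 bits. Ignores ACLs/capabilities."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6    # owner class
    elif st.st_gid in gids:
        shift = 3    # group class
    else:
        shift = 0    # other class
    return ((st.st_mode >> shift) & want) == want


def audit_post_drop_write(path, uid, gids):
    """Return (file_ok, dir_ok) for a file written after dropping to uid/gids."""
    parent = os.stat(os.path.dirname(path) or ".")
    dir_ok = _allowed(parent, uid, gids, 0o3)  # w+x: create or rename entries
    try:
        file_ok = _allowed(os.stat(path), uid, gids, 0o2)
    except FileNotFoundError:
        file_ok = dir_ok  # the file must be created, which needs the directory
    return file_ok, dir_ok


def demo():
    """Constructed stand-in for /var/lib/ntp; no real system paths are touched."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        drift = os.path.join(d, "ntp.drift")
        open(drift, "w").close()
        os.chmod(drift, 0o644)
        st = os.stat(d)
        # Constructed IDs: an unrelated account (like nobody:nogroup) vs. the owner.
        unrelated = audit_post_drop_write(drift, st.st_uid + 1, {st.st_gid + 1})
        owner = audit_post_drop_write(drift, st.st_uid, {st.st_gid})
        return unrelated, owner


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the actual drift file path with the uid and group IDs the daemon drops to; `dir_ok` matters when the file is created or replaced by rename rather than rewritten in place.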


