Logfile permissions and ntp group
bellyacres at gmail.com
Tue Jun 7 22:59:11 UTC 2016
On 06/07/2016 06:46 PM, Eric S. Raymond wrote:
> Mike <bellyacres at gmail.com>:
>> On 06/07/2016 05:57 PM, Hal Murray wrote:
>>>> Ntpd is running as user nobody, who can't write to that directory.
>>> Hopefully that is user ntp rather than nobody.
>>> The file permissions need to be setup for log files as well as the drift file.
>> The HOWTO sets up ntpd to run as nobody:nogroup.
>> The logfile set to /var/log/ntpd.log is root:root. I'm not getting errors
>> there, gathering that it was opened before privileges were dropped.
> OK, this permissions issue was next on my list of things to fix today,
> but you have just confounded my plans.
> I thought I was going to have to tweak clockmaker to create an ntp
> user and group if it doesn't already exist, then set ntp to run with
> those IDs in the init script. That's easy enough to do.
> You are suggesting that this is not so - that as long as we open log files
> before privilege-dropping the ntp user/group pair isn't necessary at all.
> If true I would mildly prefer to do things that way, it's simpler.
> Input from those with operational experience, please. What are the pros
> and cons here?
I've always run as ntp:ntp. I've never had a publicly exposed server
though, only work/home consumption to keep local LAN clocks mostly sane.
I will say that this thread has gone further than what I initially
started above. I was simply pointing out that /var/lib/ntp/ntp.drift
was unable to be written to as set up by the HOWTO. There is no logging
or stats enabled in that file...
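An added example in C (not code from the thread or from NTPsec) for the drift-file problem Mike describes: opening the log before dropping privileges protects the log, but the drift file is rewritten later, as the unprivileged user, so the state directory's permissions have to be checked against the target uid/gid before the drop. The scratch path and the functions `can_write_as` and `simulate_howto_layout` are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Would a process running as uid:gid be able to write here?  For a
 * directory (where ntpd creates the drift file) that means write+search;
 * for an existing file (the log) it means write.  Computed from mode
 * bits only, so a daemon can call it as root before dropping privileges
 * and fail loudly instead of silently losing its drift file later.
 * Simplification: supplementary groups are not consulted. */
int can_write_as(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;                      /* missing path: not writable */
    if (uid == 0)
        return 1;                      /* root bypasses DAC checks */
    int shift = (st.st_uid == uid) ? 6 : (st.st_gid == gid) ? 3 : 0;
    mode_t need = S_ISDIR(st.st_mode) ? 03 : 02;  /* -wx or -w- */
    return ((st.st_mode >> shift) & need) == need;
}

/* Reproduce the HOWTO layout on a scratch directory: a state directory
 * created by the installing user with mode 0755 (stands in for
 * /var/lib/ntp).  Bit 0 of the result: writable by the owner (ntp:ntp);
 * bit 1: writable by some other uid/gid (nobody:nogroup). */
int simulate_howto_layout(void)
{
    char dir[] = "/tmp/ntpdrift-XXXXXX";   /* constructed scratch path */
    if (mkdtemp(dir) == NULL || chmod(dir, 0755) != 0)
        return -1;
    struct stat st;
    if (stat(dir, &st) != 0)
        return -1;
    int result = 0;
    if (can_write_as(dir, st.st_uid, st.st_gid))
        result |= 1;
    if (can_write_as(dir, st.st_uid + 1, st.st_gid + 1))
        result |= 2;
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = simulate_howto_layout();
    printf("owner can write: %s, other uid can write: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return 0;
}
```

Run the same check against the real paths (/var/lib/ntp and the log file) with the uid/gid ntpd will switch to, and refuse to start, or log a clear error, when it fails.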