Logfile permissions and ntp group

Gary E. Miller gem at rellim.com
Tue Jun 7 23:25:20 UTC 2016


Yo Eric!

On Tue, 7 Jun 2016 18:46:44 -0400
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> I thought I was going to have to tweak clockmaker to create an ntp
> user and group if it doesn't already exist, then set ntp to run with
> those IDs in the init script.  That's easy enough to do.

And certainly my preference.
 
> You are suggesting that this is not so - that as long as we open log
> files before privilege-dropping the ntp user/group pair isn't
> necessary at all. If true I would mildly prefer to do things that
> way, it's simpler.

At some point in the future, it would be cool if ntpd could roll the log
file without restarting.  If ntpd does not have permissions on its own
log files anymore that will not work.

> Input from those with operational experience, please.  What are the
> pros and cons here?

You gotta drop to something, and nobody is not a good one to use.  Then
ntp is lumped in with all the other nobodies and that crowd can become
a somebody.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588
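
Added example, not part of the original message and not NTPsec code: a simplified model of the POSIX owner/group/other check, showing why a daemon that opened its log as root cannot reopen it after dropping privileges, while one that owns its log directory can. The UID/GID numbers, directory layouts and function names are constructed for illustration; supplementary groups and ACLs are ignored.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Owner, group and mode bits of a file or directory, as stat(2) reports them. */
struct perm { uid_t uid; gid_t gid; mode_t mode; };

/* POSIX permission check: exactly one class (owner, then group, then other)
 * applies. Simplified: uid 0 always passes; supplementary groups and ACLs
 * are ignored. `want` uses the "other" bit positions: 04 r, 02 w, 01 x. */
static bool dac_allows(struct perm f, uid_t uid, gid_t gid, mode_t want)
{
    mode_t bits;
    if (uid == 0) return true;
    if (uid == f.uid)      bits = (f.mode >> 6) & 07;
    else if (gid == f.gid) bits = (f.mode >> 3) & 07;
    else                   bits = f.mode & 07;
    return (bits & want) == want;
}

/* Can a daemon running as uid/gid reopen its log for append?
 * file != NULL: the log still exists (e.g. copy-and-truncate rotation).
 * file == NULL: the log was renamed away and must be created again. */
static bool can_reopen_log(struct perm dir, const struct perm *file,
                           uid_t uid, gid_t gid)
{
    if (file != NULL)
        return dac_allows(dir, uid, gid, 01) && dac_allows(*file, uid, gid, 02);
    return dac_allows(dir, uid, gid, 03);   /* write + search to create */
}

/* Constructed IDs and layouts, for illustration only. */
enum { NTP_ID = 123, NOBODY_ID = 65534 };
static const struct perm root_dir = { 0, 0, 0755 };
static const struct perm root_log = { 0, 0, 0644 };
static const struct perm ntp_dir  = { NTP_ID, NTP_ID, 0755 };
static const struct perm ntp_log  = { NTP_ID, NTP_ID, 0644 };

int main(void)
{
    /* Log opened as root before the drop: the dropped daemon cannot reopen it. */
    printf("root-owned log, as ntp:   %d\n", can_reopen_log(root_dir, &root_log, NTP_ID, NTP_ID));
    printf("root-owned dir, recreate: %d\n", can_reopen_log(root_dir, NULL, NTP_ID, NTP_ID));
    /* Dedicated ntp user owning its log directory: both rotation styles work. */
    printf("ntp-owned log, as ntp:    %d\n", can_reopen_log(ntp_dir, &ntp_log, NTP_ID, NTP_ID));
    printf("ntp-owned dir, recreate:  %d\n", can_reopen_log(ntp_dir, NULL, NTP_ID, NTP_ID));
    /* A different account, such as nobody, cannot write ntp's log. */
    printf("ntp-owned log, as nobody: %d\n", can_reopen_log(ntp_dir, &ntp_log, NOBODY_ID, NOBODY_ID));
    return 0;
}
```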