ntpd w/ --enable-early-droproot
Achim Gratz
Stromeko at nexgo.de
Sun Nov 27 09:37:37 UTC 2016
Achim Gratz writes:
>> Our philosophy in situations like this is to go for the high-security option
>> even if it needs a little more one-time setup, like a chmod or a udev rule.
>
> I'll try that tomorrow as well. I have these devices set up by udev
> anyway, so I only need to figure out how to tell it to give them a
> different group.
Adding 'GROUP="ntp"' to the udev rules setting up the device symlinks
correctly changes the actual device files' group to ntp and lets ntpd
use these devices while --enable-early-droproot is configured.
[what markup language is INSTALL in?]
--- a/INSTALL
+++ b/INSTALL
@@ -226,6 +226,15 @@ of options.
refclocks are enabled with `--refclock=<n1,n2,n3..> or --refclock=all'
`waf configure --list' will print a list of available refclocks.
+=== --enable-early-droproot ===
+
+Drop root privileges as early as possible. This requires the refclock
+devices to be owned by the same owner or group that ntpd will be
+running under (most likely that group will be named "ntp") so that it
+can still open the devices. This can be accomplished by adding
+`GROUP="ntp"` or `OWNER="ntp"` to the udev rules that create the
+device symlinks for the refclocks.
+
== Developer options ==
--enable-debug-gdb::
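Review bot: the added paragraph covers only ownership ("owned by the same owner or group that ntpd will be running under") and never says which permission bits that owner or group needs on the device node. Group ownership without group read/write still leaves ntpd unable to open the device after dropping root, so the text should state the required mode and mention that it can be set in the same udev rule (a `MODE=` key next to `GROUP="ntp"`). On style, the context lines look like AsciiDoc, and the option directly below is documented as a labelled-list entry (`--enable-debug-gdb::`), while this one gets its own `===` heading; use whichever form the other configure options in INSTALL use. "Owned by the same owner or group" would also read more clearly as "owned by the user or group".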
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada
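
A check for the setup described in this message, added here as an example and not part of the original post or of NTPsec: it follows the udev symlink to the real device node and confirms that the expected user or group owns it with read and write bits set. The function name `refclock_access`, the default name `ntp`, and the read-write requirement are assumptions.

```shell
#!/bin/sh
# Added example (not NTPsec code): verify that a refclock device can be
# opened by ntpd after it has dropped root.
# Assumptions: GNU stat; account and group are both named "ntp" unless
# overridden; the refclock driver needs read and write access.
# Supplementary group membership and ACLs are not evaluated.

# refclock_access PATH [USER] [GROUP]
# Prints ok:owner, ok:group or fail:<reason>; returns 0 only on ok.
refclock_access() {
    path=$1 user=${2:-ntp} group=${3:-ntp}
    # -e follows symlinks, so a dangling udev symlink counts as missing.
    [ -e "$path" ] || { echo "fail:missing"; return 1; }
    # -L reports the real device node, not the symlink udev created.
    st=$(stat -L -c '%U %G %a' "$path") || { echo "fail:stat"; return 1; }
    set -- $st
    owner=$1 grp=$2 mode=$(( 0$3 ))       # %a is octal, e.g. 660
    u_rw=$(( ($mode >> 6) & 6 ))          # owner read+write bits
    g_rw=$(( ($mode >> 3) & 6 ))          # group read+write bits
    # The kernel checks the owner class first and does not fall through
    # to the group bits when the UID matches.
    if [ "$owner" = "$user" ]; then
        [ "$u_rw" -eq 6 ] && { echo "ok:owner"; return 0; }
        echo "fail:mode"; return 1
    fi
    if [ "$grp" = "$group" ]; then
        [ "$g_rw" -eq 6 ] && { echo "ok:group"; return 0; }
        echo "fail:mode"; return 1
    fi
    echo "fail:ownership"; return 1
}

# Check every device path given on the command line, e.g. the symlinks
# your udev rules create (paths are site-specific).
for dev in "$@"; do
    printf '%s: %s\n' "$dev" "$(refclock_access "$dev")"
done
```

A `fail:mode` result with the right group means the udev rule sets the group but the node still lacks group read/write.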