ntpd w/ --enable-early-droproot

Achim Gratz Stromeko at nexgo.de
Sun Nov 27 09:37:37 UTC 2016

Achim Gratz writes:
>> Our philosophy in situations like this is to go for the high-security option
>> even if it needs a little more one-time setup, like a chmod or a udev rule.
> I'll try that tomorrow as well.  I have these devices set up by udev
> anyway, so I only need to figure out how to tell it to give them a
> different group.

Adding 'GROUP="ntp"' to the udev rules setting up the device symlinks
correctly changes the actual device files' group to ntp and lets ntpd
use these devices while --enable-early-droproot is configured.

[what markup language is INSTALL in?]
@@ -226,6 +226,15 @@ of options.
 refclocks are enabled with `--refclock=<n1,n2,n3..> or --refclock=all'
 `waf configure --list' will print a list of available refclocks.
+=== --enable-early-droproot ===
+Drop root privileges as early as possible.  This requires the refclock
+devices to be owned by the same owner or group that ntpd will be
+running under (most likely that group will be named "ntp") so that it
+can still open the devices.  This can be accomplished by adding
+`GROUP="ntp"` or `OWNER="ntp"` to the udev rules that create the
+device symlinks for the refclocks.
 == Developer options ==

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:

More information about the devel mailing list