Is there any reason the drift file should be mode 600?
Richard Laager
rlaager at wiktel.com
Thu Dec 14 06:45:23 UTC 2017
On 12/14/2017 12:01 AM, Hal Murray wrote:
> Is it easy to hack the startup scripts to change the mode so root can read it?
Yes, that could be done. I'm not sure I like that as a solution. It
seems weird to have something that only works correctly when run through
the init system, and subtly misbehaves if started by hand.
> That sort of stuff used to be easy before systemd
It's still easy. Add this to ntpd.service:
ExecStartPre=-/bin/chmod -f 664 /var/lib/ntp/ntp.drift
In sysvinit, you'd want:
chmod -f 664 /var/lib/ntp/ntp.drift || true
> Have you tried refclocks with apparmor?
Yes. I have one system that uses the spectracom driver.
With the Debian/Ubuntu apparmor policy, you have to add the serial
device to /etc/apparmor.d/tunables/ntpd. For example, I am using
/dev/ttyS0. ntpd is not allowed to access a serial port by default. It
*is* allowed to access /dev/pps* by default.
I've inherited this apparmor policy from the ntp package. I have made a
few changes, but this seems reasonable. I don't think the distro needs
to allow ntpd to access serial ports by default.
> I think the current code opens them before dropping root.
I assume it does. My /dev/ttyS0 is 660 root dialout, ntpd is running as
ntp:ntp, and the ntp user is not a member of dialout.
--
Richard
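As an added example (not code from the thread above), the following shell functions reproduce what the ExecStartPre= line and the sysvinit chmod line do, including the tolerated failure on first start when no drift file exists yet, and then report the resulting mode so the change can be verified. It assumes GNU stat (as on Debian/Ubuntu); the default path and mode are the ones quoted in the mail.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumes GNU coreutils stat (stat -c '%a').

# relax_drift_mode PATH [MODE]
# Applies chmod -f MODE to PATH, tolerating a missing file the way the
# leading "-" in ExecStartPre= (or "|| true" in sysvinit) does.
# Prints the resulting octal mode, or "missing" if the file is absent.
relax_drift_mode() {
    _path=${1:-/var/lib/ntp/ntp.drift}
    _mode=${2:-664}
    # On the very first start ntpd has not written a drift file yet; the
    # unit must not fail because of that, hence the tolerated failure.
    if [ ! -e "$_path" ]; then
        echo "missing"
        return 0
    fi
    chmod -f "$_mode" "$_path" || true
    stat -c '%a' "$_path"
}

# group_readable PATH
# Succeeds when the group read bit (040) is set, which is the property
# the mode change is meant to give the drift file.
group_readable() {
    [ -e "$1" ] || return 1
    # Leading 0 makes the arithmetic expansion read the mode as octal.
    [ "$(( 0$(stat -c '%a' "$1") & 040 ))" -ne 0 ]
}

# Stand-alone demonstration on a constructed temporary file.
if [ "${0##*/}" != "sh" ] && [ -z "$RELAX_DRIFT_NO_DEMO" ]; then
    demo=$(mktemp)
    chmod 600 "$demo"
    echo "before: $(stat -c '%a' "$demo")"
    echo "after:  $(relax_drift_mode "$demo")"
    rm -f "$demo"
fi
```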