Starting with reduced capabilities (non root)

Hal Murray hmurray at megapathdsl.net
Thu Feb 15 19:53:04 UTC 2018


>> Yes, please.  I see no reason why ntpd should start up as root these
>> days.

> It needs to be able to read /dev/pps*, SHM(0) and SHM(1)

You don't need root for /dev/whatever if you set the owner to ntp:ntp before 
starting ntpd.

Linux has split the root-does-everything permissions into various separate 
flags.  See man 7 capabilities for the list and details.  cap_ipc_lock covers 
SHM.

The idea is to set the capabilities that you need on ntpd and switch to 
ntp:ntp before starting it.  Then you only start with some of the 
capabilities, not everything.  You can still drop the capabilities that you 
don't need any more.

One more tweak that I missed in my previous message:
  If you use -p <pid file name> on the command line, you need to be able to 
write that file.
I fixed that with a touch and chown.


-- 
These are my opinions.  I hate spam.
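
Added example, not part of the original message and not NTPsec project code: a check that an ntpd started this way really is non-root and holds only the capabilities it was given, by decoding the Uid, CapPrm and CapEff lines of /proc/<pid>/status. The expected set and both status samples are assumptions constructed for illustration; only cap_ipc_lock is named in the post.

```python
import re
import sys

# Capability names by bit number, in <linux/capability.h> order.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Assumption: the set granted to ntpd. Only cap_ipc_lock is named in the post.
EXPECTED = {"cap_sys_time", "cap_net_bind_service", "cap_ipc_lock"}

# Constructed sample of /proc/<pid>/status for an ntpd running as uid 123.
SAMPLE_OK = ("Name:\tntpd\nUid:\t123\t123\t123\t123\n"
             "CapInh:\t0000000000000000\nCapPrm:\t0000000002004400\n"
             "CapEff:\t0000000002004400\nCapBnd:\t000001ffffffffff\n")
# Constructed sample for an ntpd that is still root with every capability.
SAMPLE_ROOT = ("Name:\tntpd\nUid:\t0\t0\t0\t0\n"
               "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
               "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")

def decode(mask):
    """Turn a capability bitmask into a set of cap_* names."""
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.add("cap_" + (CAP_NAMES[bit] if known else str(bit)))
    return names

def audit(status_text, expected=EXPECTED):
    """Return findings for one /proc/<pid>/status dump; empty means clean."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    findings = []
    if int(fields["Uid"].split()[1]) == 0:  # order: real, effective, saved, fs
        findings.append("effective uid is 0 (root)")
    for name in ("CapPrm", "CapEff"):  # CapBnd is normally full, so skip it
        extra = decode(int(fields.get(name, "0"), 16)) - expected
        if extra:
            findings.append(f"{name} has unexpected: {', '.join(sorted(extra))}")
    return findings

if __name__ == "__main__":
    # With a pid argument, audit that process; otherwise use the samples.
    texts = ([open(f"/proc/{sys.argv[1]}/status").read()] if len(sys.argv) > 1
             else [SAMPLE_OK, SAMPLE_ROOT])
    for text in texts:
        print(audit(text) or "ok: non-root, only expected capabilities")
```

Run it with the pid of the running ntpd as its only argument to audit a live process.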




