Starting with reduced capabilities (non root)
hmurray at megapathdsl.net
Thu Feb 15 19:53:04 UTC 2018
>> Yes, please. I see no reason why ntpd should start up as root these
> It needs to be able to read /dev/pps*, SHM(0) and SHM(1)
You don't need root for /dev/whatever if you set the owner to ntp:ntp before
Linux has split the root-does-everything permissions to various separate
flags. See man 7 capabilities for the list and details. cap_ipc_lock covers
The idea is to set the capabilities that you need on ntpd and switch to
ntp:ntp before starting it. Then you only start with some of the
capabilities, not everything. You can still drop the capabilities that you
don't need any more.
One more tweak that I missed on my previous message:
If you use -p <pid file name> on the command line, you need to be able to
write that file.
I fixed that with a touch and chown.
These are my opinions. I hate spam.
More information about the devel