Starting with reduced capabilities (non root)

Gary E. Miller gem at
Thu Feb 15 23:28:36 UTC 2018

Yo Hal!

On Thu, 15 Feb 2018 11:53:04 -0800
Hal Murray <hmurray at> wrote:

> >> Yes, please.  I see no reason why ntpd should start up as root
> >> these days.  
> > It needs to be able to read /dev/pps*, SHM(0) and SHM(1)  
> You don't need root for /dev/whatever if you set the owner to ntp:ntp
> before starting ntpd.

Which of course, you have to every time you reboot.  And since most
people now use udevd, it needs a rule change.

And does that work for SHM(0) and SHM(1)

> Linux has split the root-does-everything permissions to various
> separate flags.  See man 7 capabilities for the list and details.
> cap_ipc_lock covers SHM

Doesn't ntpd need to be started as root to set that?

> The idea is to set the capabilities that you need on ntpd and switch
> to ntp:ntp before starting it.

But how does ntpd set its caps before it starts?

> One more tweak that I missed on my previous message:
>   If you use -p <pid file name> on the command line, you need to be
> able to write that file.
> I fixed that with a touch and chown.

Where?  In ntpd, or on the command line?  If on the command line, how
is the newbie supposed to know?

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the devel mailing list