Starting with reduced capabilities (non root)

Hal Murray hmurray at
Fri Feb 16 03:55:02 UTC 2018

> Doesn't ntpd need to be started as root to set that?
> But how does ntpd set its caps before it starts?

man 8 setcap

You set them on your ntpd when you mark it setuid as part of the install 

The capabilities on the file get OR-ed in to whatever they inherit from the 
starting user.  So you have to start from non-root or you already have 
everything.  Thus the runuser

[ pid file needs to be writeable by user ntp ]
>> I fixed that with a touch and chown.
> Where?  In ntpd, or on the command line?  If on the command line, how is the
> newbie supposed to know? 

The context was starting from non systemd, so I hacked /etc/init.d/ntpd

systemd doesn't use pid files so I didn't have to cross that bridge.

Yes, we'll have to document this stuff.  When I get a chance, I'll clean 
things up and add a configure option.

These are my opinions.  I hate spam.

More information about the devel mailing list