Starting with reduced capabilities (non root)
Hal Murray
hmurray at megapathdsl.net
Fri Feb 16 03:55:02 UTC 2018
> Doesn't ntpd need to be started as root to set that?
> But how does ntpd set its caps before it starts?
man 8 setcap
You set them on your ntpd when you mark it setuid as part of the install
process.
The capabilities on the file get OR-ed in to whatever they inherit from the
starting user. So you have to start from non-root or you already have
everything. Thus the runuser addition.
[ pid file needs to be writeable by user ntp ]
>> I fixed that with a touch and chown.
> Where? In ntpd, or on the command line? If on the command line, how is the
> newbie supposed to know?
The context was starting from non systemd, so I hacked /etc/init.d/ntpd
systemd doesn't use pid files so I didn't have to cross that bridge.
Yes, we'll have to document this stuff. When I get a chance, I'll clean
things up and add a configure option.
--
These are my opinions. I hate spam.
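The point about file capabilities being OR-ed into what the starting user already has, and root therefore ending up with everything, follows from the capability transformation the kernel applies at execve(2) (see capabilities(7)). The following Python model is an added example, not code from the thread or from NTPsec; it implements that transformation over a small constructed subset of capability names, parses one setcap(8)-style clause such as `cap_sys_time,cap_net_bind_service=ep`, and compares an ntpd started via runuser as an unprivileged user with one started as root. The helper names (`exec_transform`, `parse_setcap_clause`, `ntpd_after_exec`) and the sample clause are assumptions for illustration.

```python
"""Model of the Linux capability transformation at execve(2), after
capabilities(7).  Added example; not part of the mailing-list thread.
Capability sets are represented as frozensets of capability names."""

# Constructed subset of the real capability names, enough for the scenario.
CAP_SYS_TIME = "cap_sys_time"
CAP_NET_BIND_SERVICE = "cap_net_bind_service"
CAP_SYS_ADMIN = "cap_sys_admin"
ALL_CAPS = frozenset({CAP_SYS_TIME, CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN})


def parse_setcap_clause(text):
    """Parse one 'cap[,cap...]=flags' clause as accepted by setcap(8).

    Only the '=' operator and the e/p/i flags are handled (hypothetical
    helper).  Returns (file_permitted, file_inheritable, file_effective);
    the effective flag is a single bit for the whole file.
    """
    names, _, flags = text.partition("=")
    caps = frozenset(n.strip() for n in names.split(",") if n.strip())
    unknown = set(flags) - set("eip")
    if unknown:
        raise ValueError(f"unknown capability flag(s): {sorted(unknown)}")
    permitted = caps if "p" in flags else frozenset()
    inheritable = caps if "i" in flags else frozenset()
    return permitted, inheritable, "e" in flags


def exec_transform(proc_inheritable, proc_bounding, proc_ambient,
                   file_permitted, file_inheritable, file_effective,
                   euid_zero=False):
    """Return (permitted, effective) of the new process image.

    From capabilities(7):
      P'(ambient)   = 0 if the file carries capabilities, else P(ambient)
      P'(permitted) = (P(inheritable) & F(inheritable))
                      | (F(permitted) & P(bounding)) | P'(ambient)
      P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
    For euid 0 (without SECBIT_NOROOT) the kernel behaves as if F(permitted)
    and F(inheritable) were all-ones and F(effective) were set, which is why
    a root-started daemon already "has everything".
    """
    if euid_zero:
        file_permitted, file_inheritable, file_effective = ALL_CAPS, ALL_CAPS, True
    privileged_file = bool(file_permitted or file_inheritable)
    new_ambient = frozenset() if privileged_file else frozenset(proc_ambient)
    new_permitted = ((frozenset(proc_inheritable) & frozenset(file_inheritable))
                     | (frozenset(file_permitted) & frozenset(proc_bounding))
                     | new_ambient)
    new_effective = new_permitted if file_effective else new_ambient
    return new_permitted, new_effective


def ntpd_after_exec(start_as_root,
                    clause="cap_sys_time,cap_net_bind_service=ep",
                    bounding=ALL_CAPS):
    """Capabilities an ntpd binary carrying `clause` ends up with when exec'd
    by a process that has empty inheritable and ambient sets (e.g. a shell
    under runuser -u ntp, or root from an init script).  Hypothetical helper."""
    f_perm, f_inh, f_eff = parse_setcap_clause(clause)
    return exec_transform(proc_inheritable=frozenset(), proc_bounding=bounding,
                          proc_ambient=frozenset(), file_permitted=f_perm,
                          file_inheritable=f_inh, file_effective=f_eff,
                          euid_zero=start_as_root)


if __name__ == "__main__":
    for as_root in (False, True):
        perm, eff = ntpd_after_exec(as_root)
        who = "root" if as_root else "user ntp (runuser)"
        print(f"started as {who}: permitted={sorted(perm)} effective={sorted(eff)}")
    # A bounding set that excludes cap_sys_time keeps it out even if the file has it.
    perm, _ = ntpd_after_exec(False, bounding=ALL_CAPS - {CAP_SYS_TIME})
    print(f"bounding set without cap_sys_time: permitted={sorted(perm)}")
```

Run from an unprivileged user the daemon gets exactly the two capabilities stamped on the file; run from root it gets the full set regardless of what setcap put there, which is the reason the runuser step has to come first. The bounding-set scenario also shows that file capabilities can only be masked, never expanded, by the launching context.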