Starting with reduced capabilities (non root)

Hal Murray hmurray at megapathdsl.net
Fri Feb 16 19:55:59 UTC 2018


devel at ntpsec.org said:
> You know our users do not read man pages!  Can you provide a script, or at
> least a detailed procedure? 

Sure.  If you look back in the message that started this thread there are 
snippets of code.

The initial message was asking if there was any interest.  (Or implicitly, 
any objections.)  I wasn't going to polish things like documentation if 
somebody pointed out a fatal flaw.



> Also, I do not see a CAP for /dev/pps* or /dev/tty* specific access. Did I
> miss something? 

We don't need anything for that since you can set the owner to ntp.

There is a capability for that.  It covers all file access, not just /dev/:
       CAP_DAC_OVERRIDE
              Bypass file read, write, and execute permission checks.  (DAC is
              an abbreviation of "discretionary access control".)


>> You set them on your ntpd when you mark it setuid as
>> part of the install process.
> Does our install process do that now?
No.  I have a script that I use as a wrapper for install.  I put it in there 
because that was the simplest way for me to get off the ground and see if it 
worked.

I may need help fixing the waf install stuff.  (I haven't looked yet.)


-- 
These are my opinions.  I hate spam.
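
An added example, not part of the original message or of NTPsec's code: a small audit contrasting the two approaches discussed above, device nodes owned by the ntp user versus a process holding CAP_DAC_OVERRIDE. The uid, the sample `/proc/<pid>/status` text and the device modes are constructed, and the other capabilities in the sample masks are assumptions rather than anything stated in the thread.

```python
import stat

# Bit numbers from <linux/capability.h>; only the ones used in the samples.
CAP_BITS = {1: "CAP_DAC_OVERRIDE", 10: "CAP_NET_BIND_SERVICE", 25: "CAP_SYS_TIME"}

def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")

def cap_names(mask):
    """Decode a mask into names; bits not in CAP_BITS are reported by number."""
    return {CAP_BITS.get(bit, f"cap_{bit}") for bit in range(64) if (mask >> bit) & 1}

def owner_can_rw(st_uid, st_mode, uid):
    """True if uid owns the node and the owner bits allow read and write.
    Group and other bits are ignored to keep the check strict."""
    need = stat.S_IRUSR | stat.S_IWUSR
    return st_uid == uid and (st_mode & need) == need

def audit(status_text, devices, uid):
    """Return findings for an over-broad capability or unreachable devices."""
    findings = []
    if "CAP_DAC_OVERRIDE" in cap_names(parse_cap_eff(status_text)):
        findings.append("process holds CAP_DAC_OVERRIDE (bypasses all file permission checks)")
    for path, (st_uid, st_mode) in sorted(devices.items()):
        if not owner_can_rw(st_uid, st_mode, uid):
            findings.append(f"{path}: not owned read/write by uid {uid}")
    return findings

# Constructed samples (hypothetical uid and device state).
NTP_UID = 123
STATUS_OK = "Name:\tntpd\nCapEff:\t0000000002000400\n"      # bits 10 and 25
STATUS_BROAD = "Name:\tntpd\nCapEff:\t0000000002000402\n"   # adds bit 1
DEVICES = {
    "/dev/pps0": (NTP_UID, stat.S_IFCHR | 0o600),   # chowned to ntp
    "/dev/ttyS0": (0, stat.S_IFCHR | 0o660),        # still owned by root
}

if __name__ == "__main__":
    for finding in audit(STATUS_BROAD, DEVICES, NTP_UID):
        print(finding)
```

On a live system the status text would come from `/proc/<pid>/status` and the uid and mode from `os.stat()` on each device node.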