Starting with reduced capabilities (non root)
Stromeko at nexgo.de
Fri Feb 16 20:21:04 UTC 2018
Gary E. Miller via devel writes:
>> You don't need root for /dev/whatever if you set the owner to ntp:ntp
>> before starting ntpd.
> Which of course, you have to every time you reboot. And since most
> people now use udevd, it needs a rule change.
No, that's what udev does for you if you ask it to.
> And does that work for SHM(0) and SHM(1)
I don't use these (yet), but generally udev can deal with all devices
that provide an event to the kernel when they get created.
> But how does ntpd set its caps before it starts?
Capabilities are extended attributes on the executable file. So they
don't get set by the executable itself.
>> One more tweak that I missed on my previous message:
>> If you use -p <pid file name> on the command line, you need to be
>> able to write that file.
> Where? In ntpd, or on the command line? If on the command line, how
> is the newbie supposed to know?
Systemd doesn't need a pid file anyway and it can already start ntpd as
ntp:ntp and hence ntpd doesn't need to setuid/setgid either. Both of
these functions could be moved to a wrapper if you assume an init system
that works a bit differently.
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
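Added example, not part of the original message and not NTPsec code: the reply above notes that capabilities are stored as extended attributes on the executable, and this sketch decodes the `security.capability` xattr (the kernel's `struct vfs_cap_data`) to show what is actually recorded there. The sample bytes and the choice of capabilities in it are constructed for illustration; the thread does not say which capabilities ntpd is given.

```python
import errno
import os
import struct

# Constants from the kernel's linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # 32-bit words per set
CAP_NAMES = {10: "cap_net_bind_service", 23: "cap_sys_nice", 25: "cap_sys_time"}  # subset

def cap_names(mask):
    """Turn a capability bitmask into sorted names (cap_<n> if not in the subset)."""
    return sorted(CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1)

def decode_file_caps(blob):
    """Decode a raw security.capability value (struct vfs_cap_data, little-endian)."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in WORDS:
        raise ValueError("unknown revision 0x%08x" % revision)
    words = WORDS[revision]
    has_rootid = revision == 0x03000000  # revision 3 appends a namespace root uid
    if len(blob) != 4 + 8 * words + (4 if has_rootid else 0):
        raise ValueError("length does not match revision")
    permitted = inheritable = 0
    for i in range(words):  # each pair of words is (permitted, inheritable)
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
        "rootid": struct.unpack_from("<I", blob, 4 + 8 * words)[0] if has_rootid else None,
    }

def read_file_caps(path):
    """Return decoded file capabilities, or None if the file carries none (Linux only)."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError as exc:
        if exc.errno != errno.ENODATA:
            raise
        return None

# Constructed sample: revision 2, effective flag set, permitted = bits 10 and 25
SAMPLE = struct.pack("<IIIII", 0x02000001, (1 << 10) | (1 << 25), 0, 0, 0)
```

On a Linux host, `read_file_caps()` on an installed binary reports the same sets that `getcap` prints for it, which makes it usable for auditing which executables carry file capabilities.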