Starting with reduced capabilities (non root)
Achim Gratz
Stromeko at nexgo.de
Fri Feb 16 20:21:04 UTC 2018
Gary E. Miller via devel writes:
>> You don't need root for /dev/whatever if you set the owner to ntp:ntp
>> before starting ntpd.
>
> Which of course, you have to every time you reboot. And since most
> people now use udevd, it needs a rule change.
No, that's what udev does for you if you ask it to.
> And does that work for SHM(0) and SHM(1)
I don't use these (yet), but generally udev can deal with all devices
that provide an event to the kernel when they get created.
> But how does ntpd set its caps before it starts?
Capabilities are extended attributes on the executable file. So they
don't get set by the executable itself.
>> One more tweak that I missed on my previous message:
>> If you use -p <pid file name> on the command line, you need to be
>> able to write that file.
>
> Where? In ntpd, or on the command line? If on the command line, how
> is the newbie supposed to know?
Systemd doesn't need a pid file anyway and it can already start ntpd as
ntp:ntp and hence ntpd doesn't need to setuid/setgid either. Both of
these functions could be moved to a wrapper if you assume an init system
that works a bit differently.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff:
http://Synth.Stromeko.net/DIY.html
More information about the devel
mailing list