Starting with reduced capabilities (non root)

Gary E. Miller gem at rellim.com
Fri Feb 16 21:06:02 UTC 2018


Yo Achim!

On Fri, 16 Feb 2018 21:21:04 +0100
Achim Gratz via devel <devel at ntpsec.org> wrote:

> Gary E. Miller via devel writes:
> >> You don't need root for /dev/whatever if you set the owner to
> >> ntp:ntp before starting ntpd.  
> >
> > Which of course, you have to every time you reboot.  And since most
> > people now use udevd, it needs a rule change.  
> 
> No, that's what udev does for you if you ask it to.

Well, my udevd does not currently.  Since I am an idiot about udevd I
need examples, samples and docs.

> I don't use these (yet), but generally udev can deal with all devices
> that provide an event to the kernel when they get created.

Which does not apply to SHM().  They are outside of udev control.
But setcaps can, sort of, handle the case.

> > But how does ntpd set its caps before it starts?  
> 
> Capabilities are extended attributes on the executable file.  So they
> don't get set by the executable itself.

So I need samples, examples, and doc, all specific to NTPsec.

> >> One more tweak that I missed on my previous message:
> >>   If you use -p <pid file name> on the command line, you need to be
> >> able to write that file.  
> >
> > Where?  In ntpd, or on the command line?  If on the command line,
> > how is the newbie supposed to know?  
> 
> Systemd doesn't need a pid file anyway

I NEVER use systemd.  Pe********* of ***********.  It **************
problems and ************

> Both
> of these functions could be moved to a wrapper if you assume an init
> system that works a bit differently.

Or, as I think Hal intends, give ntpd that capability.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
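The two mechanisms the thread argues about, a udev rule that hands the refclock device nodes to the ntp user on every boot and file capabilities set on the ntpd binary, as an added shell example. This is not code from the thread or from the NTPsec project, and it assumes a service user of ntp:ntp, a binary at /usr/sbin/ntpd, a PPS refclock on /dev/pps* and a serial refclock on /dev/ttyS0 (all overridable through environment variables); the capability set CAP_SYS_TIME plus CAP_NET_BIND_SERVICE is the assumed minimum for setting the clock and binding UDP/123, not a list taken from NTPsec documentation. The script only writes to the system when invoked with the `install` argument as root; the parsing and rule generation run anywhere.

```shell
#!/bin/sh
# Added example, not NTPsec project code. Starting ntpd without root needs:
#  1. ownership of the refclock device nodes, re-applied at every boot
#     (udev does this; a one-off chown does not survive a reboot), and
#  2. file capabilities on the ntpd executable (extended attributes set
#     with setcap, not something the binary can grant itself).
# SHM segments are not device nodes and udev never sees them; their mode
# is whatever the writer (e.g. gpsd) created them with. See ntp_shm_segments.

# Assumptions (not from the thread): user, binary path, device names.
NTPD_BIN=${NTPD_BIN:-/usr/sbin/ntpd}
NTP_USER=${NTP_USER:-ntp}
REFCLOCK_TTY=${REFCLOCK_TTY:-ttyS0}
RULE_FILE=${RULE_FILE:-/etc/udev/rules.d/70-ntpsec-refclock.rules}

# Assumed minimum capability set: set the clock, bind the privileged port.
REQUIRED_CAPS="cap_sys_time cap_net_bind_service"

# Emit the udev rules text. udev applies these on boot and on hotplug.
udev_rules() {
    printf 'SUBSYSTEM=="pps", KERNEL=="pps[0-9]*", OWNER="%s", GROUP="%s", MODE="0660"\n' \
        "$NTP_USER" "$NTP_USER"
    printf 'SUBSYSTEM=="tty", KERNEL=="%s", OWNER="%s", GROUP="%s", MODE="0660"\n' \
        "$REFCLOCK_TTY" "$NTP_USER" "$NTP_USER"
}

# The argument handed to setcap: "cap_a,cap_b=ep" (effective + permitted).
caps_arg() {
    printf '%s=ep' "$(printf '%s' "$REQUIRED_CAPS" | tr ' ' ',')"
}

# Verify one line of getcap output: every required cap must be present and
# the effective flag must be set. Both libcap output styles are accepted:
#   /usr/sbin/ntpd = cap_net_bind_service,cap_sys_time+ep   (older libcap)
#   /usr/sbin/ntpd cap_net_bind_service,cap_sys_time=ep     (libcap >= 2.41)
caps_ok() {
    line=$1
    clause=${line#* }          # drop the path
    clause=${clause#= }        # drop the old-style " = " separator
    flags=${clause##*[+=]}     # text after the last '+' or '=' (e.g. "ep")
    case "$flags" in
        *e*) ;;
        *) return 1 ;;         # permitted but not effective is not enough
    esac
    names=${clause%%[+=]*}     # comma-separated capability names
    for cap in $REQUIRED_CAPS; do
        case ",$names," in
            *",$cap,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Device node owned by the service user? (GNU stat, Linux only.)
dev_owned_by_ntp() {
    [ "$(stat -c %U:%G "$1")" = "$NTP_USER:$NTP_USER" ]
}

# SHM refclock segments use key 0x4E545030 + unit ("NTP0", "NTP1", ...).
# udev cannot help here; ipcs shows who created them and with what mode.
ntp_shm_segments() {
    ipcs -m | grep -i '^0x4e5450'
}

# Write the rule file, reload udev, set the file capabilities, then verify.
install_ntp_nonroot() {
    [ "$(id -u)" -eq 0 ] || { echo "install must run as root" >&2; return 1; }
    udev_rules > "$RULE_FILE"
    udevadm control --reload-rules && udevadm trigger
    setcap "$(caps_arg)" "$NTPD_BIN"
    caps_ok "$(getcap "$NTPD_BIN")" || { echo "caps not applied" >&2; return 1; }
    for dev in /dev/pps0 "/dev/$REFCLOCK_TTY"; do
        [ -e "$dev" ] && ! dev_owned_by_ntp "$dev" && echo "warning: $dev not owned by $NTP_USER" >&2
    done
    echo "ok: now start ntpd as $NTP_USER (e.g. su -s /bin/sh $NTP_USER -c '$NTPD_BIN ...')"
}

if [ "${1:-}" = "install" ]; then
    install_ntp_nonroot
fi
```

After installation, `getcap "$NTPD_BIN"` should show both capabilities with the `e` flag; `caps_ok` fails deliberately on a `+p`-only set because a permitted but non-effective capability will not let a non-root ntpd step the clock. The rules above are deliberately narrow (one tty name); widen `REFCLOCK_TTY` to a pattern only if you really want every matching serial port owned by the ntp user.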