ntpd Certificate Loading
Paul Theodoropoulos
paul at anastrophe.com
Tue Jun 9 17:51:06 UTC 2020
On 6/9/2020 3:51 AM, Hal Murray wrote:
>> When I recently installed 3.19 from repo on the new 'raspberry pi os (64
>> bit)', I had to change /etc/letsencrypt from ownership ntp:ntp to root:ntp
>> in order to get past the 'permission denied' errors.
> 3.19 sounds more like a GPSD version. Did you update ntpsec too?
Sorry, yes, it was 1.1.9 -
root@ A-NTPsec: ~ # ntpd -V
ntpd ntpsec-1.1.9+ 2020-05-30T21:14:07Z (git rev 3191b7fb8)
I'd been working with gpsd so much frequently that my brain did a
substitution.
> I can't figure out how changing something from ntp:ntp to root:ntp is going to
> allow ntpd to read it. Could you say more?
>
> If it tries to read pre-drop root, it is still root and can read anything. If
> it tries to read post-drop-root when it has switched to user ntp, then it
> should be able to read files owned by ntp. Changing to root:ntp would make it
> harder to read.
I wish I knew why it worked that way as well, as it's a nonsensical
'permission denied' failure, just as you describe - but it was the only
way I could get ntpsec to start up again.
I'll do some testing.
--
Paul Theodoropoulos
www.anastrophe.com
More information about the devel
mailing list