ntpd Certificate Loading

Paul Theodoropoulos paul at anastrophe.com
Tue Jun 9 17:51:06 UTC 2020


On 6/9/2020 3:51 AM, Hal Murray wrote:
>> When I recently installed 3.19 from repo on the new 'raspberry pi os (64
>> bit)', I had to change /etc/letsencrypt from ownership ntp:ntp to root:ntp
>> in order to get past the 'permission denied' errors.
> 3.19 sounds more like a GPSD version.  Did you update ntpsec too?

Sorry, yes, it was 1.1.9 -
root@ A-NTPsec: ~ # ntpd -V
ntpd ntpsec-1.1.9+ 2020-05-30T21:14:07Z (git rev 3191b7fb8)

I'd been working with gpsd so frequently that my brain did a 
substitution.

> I can't figure out how changing something from ntp:ntp to root:ntp is going to
> allow ntpd to read it.  Could you say more?
>
> If it tries to read pre-drop root, it is still root and can read anything.  If
> it tries to read post-drop-root when it has switched to user ntp, then it
> should be able to read files owned by ntp.  Changing to root:ntp would make it
> harder to read.

I wish I knew why it worked that way as well, as it's a nonsensical 
'permission denied' failure, just as you describe - but it was the only 
way I could get ntpsec to start up again.

I'll do some testing.

-- 
Paul Theodoropoulos
www.anastrophe.com


