discrete units

Hal Murray hmurray at megapathdsl.net
Wed Jan 20 20:17:38 UTC 2021


James Browning said:
> The permissions required by NTPsec are a mess partly because it is not a do
> one thing well daemon. Instead, you have the Lernean Hydra, which has too
> many heads and gaining more.

I don't get it.  Could you please say more?  ntpd needs file permissions for 
all the files it uses.  That much seems pretty obvious.  Is the problem that 
the files are scattered all over the place?

The one tricky case I can think of is ntpd.log (or whatever you call it).  If 
you start on a bare system, it gets created with owner root.  Then when 
logrotate comes along, ntpd as user ntpd can't open the new file.  We could 
fix that with a bit of code.

If it is going to drop-root (a good thing), then ntpd also needs permission to 
set the clock.  That part is ugly because it varies with the OS.

Would it help if we wrote a script to scan ntp.conf and check the file 
permissions and/or the permission for updating the clock?

> I was writing a long blob on how doing too many
> things was bloating the list of required permissions, but I decided t scrap
> it.

If you still have the text, a short version might be very helpful.

> Also, a rewrite would allow and encourage skipping the problematic parts
> of singlesock, events, and goprep. 

Please say more.


-- 
These are my opinions.  I hate spam.





More information about the devel mailing list