Starting ntpd as non-root
Hal Murray
halmurray at sonic.net
Wed Mar 19 08:04:19 UTC 2025
Found it:
https://lists.ntpsec.org/pipermail/devel/2019-February/007659.html
From: Richard Laager
Subject: Is it time to drop seccomp?
Here is the key chunk. Thanks Richard!!
I think the setuid/setcap as described above is dangerous. Unless you
limit the permissions on "other" (e.g. chmod 2700 or 2750), any user
will be able to execute ntpd (with a config file of their choice) and
have it set the system time! Also, you probably don't want the ntp user
to be able to modify the ntpd executable, so you would probably want
2500 or 2550 as the mode.
--
These are my opinions. I hate spam.
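
A check for the exposure described in the quoted message, as an added example that is not part of the original post or NTPsec's own code. It reports a binary that gains privilege on exec and is also executable by "other" or writable by its owner; `has_perm` and `audit_priv_binary` are hypothetical names, and the path you pass in is your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from NTPsec.
# Flags a binary that gains privilege on exec (setuid/setgid bit, or file
# capabilities when getcap is installed) and is also executable by "other"
# or writable by its owner.

has_perm() {  # has_perm FILE MODE: true if every bit in MODE is set
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

audit_priv_binary() {  # returns 0 = ok, 1 = risky, 2 = not a regular file
    f=$1
    if [ ! -f "$f" ]; then echo "missing: $f"; return 2; fi
    priv=""
    if has_perm "$f" 4000; then priv="$priv setuid"; fi
    if has_perm "$f" 2000; then priv="$priv setgid"; fi
    if command -v getcap >/dev/null 2>&1 &&
       [ -n "$(getcap "$f" 2>/dev/null)" ]; then
        priv="$priv capabilities"
    fi
    if [ -z "$priv" ]; then
        echo "ok: $f gains no privilege on exec"
        return 0
    fi
    rc=0
    if has_perm "$f" 0001; then
        echo "RISK: $f is executable by other (privilege:$priv)"
        rc=1
    fi
    if has_perm "$f" 0200; then
        echo "RISK: $f is writable by its owner (privilege:$priv)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: $f is restricted to owner/group (privilege:$priv)"
    fi
    return "$rc"
}

# Usage: audit_priv_binary /path/to/ntpd
```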