Found it. (It was right in front of my eyes.)
setcap isn't doing what I expect.
My install script says:
setcap cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe \
/usr/local/sbin/ntpd
Note the =pe on the end.
But getcap says:
/usr/local/sbin/ntpd = cap_net_bind_service,cap_ipc_lock,cap_sys_nice,cap_sys_
time+ep
Note the +ep on the end. It's adding the caps I want to what root has rather
than replacing them.
If I start it as non-root, it can't read the keys file. If I change the
owner, it works.
Anybody understand setcap?
--
These are my opinions. I hate spam.
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
