>> Anybody understand setcap?

> Alas, I've never used it.

I think I've figured out what is going on.
The capabilities on a file are OR-ed in to what you start with. Thus if you run it as non-root, you get the specified capabilities. If you run it as root, you start with root's capabilities.

I'm currently experimenting with starting it via runuser. It's working well enough to find a few more capabilities that are needed.

To clean things up, the droproot area needs some work. The current setup needs -u ntp:ntp to drop the privileges only needed during initialization, and the setuid/setgid needs more privileges. I think we can hack it to skip the setuid/setgid part if it is already running as ntp:ntp. Better would be to drop privs if it was started as ntp:ntp without requiring -u ntp:ntp on the command line.

--
These are my opinions. I hate spam.
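
The idea in the message above, skipping the setuid/setgid step when the daemon already runs as the target user and then shedding startup-only capabilities, sketched as an added C example. This is not NTPsec's code: the function names are hypothetical, and keeping CAP_SYS_TIME after startup is an assumption, since the message does not name the capabilities involved.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 if real, effective and saved IDs already equal the target. */
int ids_match(unsigned r, unsigned e, unsigned s, unsigned target)
{
    return r == target && e == target && s == target;
}

/* Become uid:gid unless the process already runs as that pair.
 * Returns 0 = nothing to do, 1 = switched, -1 = error. */
int switch_ids(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) || getresgid(&rg, &eg, &sg))
        return -1;
    if (ids_match(ru, eu, su, uid) && ids_match(rg, eg, sg, gid))
        return 0;   /* started as the target user: no CAP_SETUID/CAP_SETGID needed */
    /* Order matters: supplementary groups, then gid, then uid last. */
    if (setgroups(1, &gid) || setresgid(gid, gid, gid) || setresuid(uid, uid, uid))
        return -1;
    return 1;
}

/* Drop every capability outside keep_mask (bits 0..31); never adds any. */
int restrict_caps(unsigned keep_mask)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d))
        return -1;
    d[0].permitted &= keep_mask;
    d[0].effective &= keep_mask;
    d[0].inheritable = 0;
    d[1].permitted = d[1].effective = d[1].inheritable = 0;
    return (int)syscall(SYS_capset, &h, d);
}

int main(void)
{
    /* Target is the current identity here, so the ID switch is skipped. */
    int rc = switch_ids(getuid(), getgid());
    /* Assumption: only CAP_SYS_TIME is needed once initialization is done. */
    printf("switch_ids=%d restrict_caps=%d\n", rc, restrict_caps(1u << CAP_SYS_TIME));
    return rc < 0;
}
```

Checking the saved ID as well as the real and effective ones matters: a process whose saved UID is still 0 can regain root, so it is not treated as "already running as ntp:ntp".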