On 2/12/19 10:15 PM, Hal Murray via devel wrote:
> It's possible to start ntpd non-root.
>
> I've been using the following:
>
> Post normal install:
> chown ntp:ntp /usr/local/sbin/ntpd
> chmod +s /usr/local/sbin/ntpd
> setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,\
> cap_sys_nice,cap_sys_time,cap_net_bind_service=pe /usr/local/sbin/ntpd
I think the setuid/setcap as described above is dangerous. Unless you limit the permissions on "other" (e.g. chmod 2700 or 2750), any user will be able to execute ntpd (with a config file of their choice) and have it set the system time! Also, you probably don't want the ntp user to be able to modify the ntpd executable, so you would probably want 2500 or 2550 as the mode.

Given the user thing isn't useful anyway (per your comments below)...

How does this work (in conjunction with the code below to set the user/group at runtime):

chown root:root /usr/local/sbin/ntpd
chmod 750 /usr/local/sbin/ntpd
setcap cap_setgid,cap_setuid,cap_sys_resource,cap_ipc_lock,\
cap_sys_nice,cap_sys_time,cap_net_bind_service=pe /usr/local/sbin/ntpd

> Patch to ntpd.service for Fedora/systemd
> ExecStart=/usr/sbin/runuser -u ntp -- /usr/local/sbin/ntpd $OPTIONS

Don't use runuser with systemd. Have systemd set the user:

User=ntp

and if you want to set a group:

Group=ntp

> For debian:
> start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE
> --startas /sbin/runuser -- -u ntp -- $DAEMON -p $PIDFILE $NTPD_OPTS

Do you want "-g ntp" here?

----

Here is an alternative for systemd only, but it avoids the need for setcap and permissions changes. Leave things as per a normal install (no chown/chmod/setcap), and add this to the unit file:

User=ntp
Group=ntp
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYS_NICE CAP_SYS_TIME
CapabilityBoundingSet=CAP_NET_BIND_SERVICE=PE

You can probably set NoNewPrivileges=yes for good measure too.

The sysvinit script could be left alone to continue to run the daemon as root and let it drop privileges as it always has.

-- 
Richard
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
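A small audit helper, added here as an example and not code from the thread or from NTPsec, that flags the combination Richard warns about: a setuid/setgid bit or file capabilities on a binary that is still executable by "other", or a binary writable by group/other or owned by someone other than the expected owner (default root). It assumes GNU stat -c and, if installed, getcap from libcap.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread).  Reports a daemon binary that
# is privileged (setuid/setgid bit or file capabilities) yet executable by "other",
# or that is writable by group/other, or owned by someone other than the expected
# owner (default root).  Assumes GNU stat -c; getcap (libcap) is used if present.
check_daemon_binary() {
    bin=$1
    want_owner=${2:-root}
    [ -e "$bin" ] || { echo "$bin: does not exist"; return 2; }
    mode=$(printf '%04d' "$(stat -c '%a' "$bin")")   # 4755 -> "4755", 750 -> "0750"
    owner=$(stat -c '%U' "$bin")
    special=${mode%???}          # setuid(4)/setgid(2)/sticky(1) digit
    perm=${mode#?}               # user/group/other digits
    group_d=${perm#?}; group_d=${group_d%?}
    other_d=${perm#??}
    rc=0
    privileged=0
    case "$special" in [2-7]) privileged=1 ;; esac     # setuid and/or setgid set
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$bin" 2>/dev/null)" ]; then
        privileged=1                                    # file capabilities present
    fi
    if [ "$privileged" -eq 1 ] && [ $((other_d & 1)) -ne 0 ]; then
        echo "$bin: privileged (mode $mode or file caps) but executable by other"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$bin: owned by $owner, expected $want_owner"; rc=1
    fi
    if [ $((group_d & 2)) -ne 0 ] || [ $((other_d & 2)) -ne 0 ]; then
        echo "$bin: writable by group or other (mode $mode)"; rc=1
    fi
    return $rc
}
```

Run it as `check_daemon_binary /usr/local/sbin/ntpd` after installing; a non-zero exit means one of the conditions above was found.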