James Browning said:
> The permissions required by NTPsec are a mess partly because it is not a do
> one thing well daemon. Instead, you have the Lernean Hydra, which has too
> many heads and gaining more.

I don't get it.  Could you please say more?

ntpd needs file permissions for all the files it uses.  That much seems pretty obvious.  Is the problem that the files are scattered all over the place?

The one tricky case I can think of is ntpd.log (or whatever you call it).  If you start on a bare system, it gets created with owner root.  Then when logrotate comes along, ntpd as user ntpd can't open the new file.  We could fix that with a bit of code.

If it is going to drop-root (a good thing), then ntpd also needs permission to set the clock.  That part is ugly because it varies with the OS.

Would it help if we wrote a script to scan ntp.conf and check the file permissions and/or the permission for updating the clock?

> I was writing a long blob on how doing too many
> things was bloating the list of required permissions, but I decided to scrap
> it.

If you still have the text, a short version might be very helpful.

> Also, a rewrite would allow and encourage skipping the problematic parts
> of singlesock, events, and goprep.

Please say more.

-- 
These are my opinions.  I hate spam.

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
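
A sketch of the file-permission half of the script proposed in the message above, added here as an example; it is not code from the poster or from NTPsec. The directive-to-access table, the uid 123 for the unprivileged ntpd user and the sample paths are assumptions, and only classic owner/group/other mode bits are evaluated (no ACLs, no clock-setting capability check).

```python
import os
from types import SimpleNamespace

# Directive -> access ntpd needs on the path (this table is the example's assumption).
NEEDS = {"driftfile": "rw", "logfile": "w", "statsdir": "wx",
         "keys": "r", "leapfile": "r"}

def allowed(info, uid, gids):
    """Return the rwx letters uid/gids get from the classic mode bits."""
    if uid == 0:  # root bypasses the mode bits
        return "rwx"
    shift = 6 if info.st_uid == uid else 3 if info.st_gid in gids else 0
    perm = (info.st_mode >> shift) & 7
    return "".join(c for c, bit in zip("rwx", (4, 2, 1)) if perm & bit)

def audit(conf_text, uid, gids, stat=os.stat):
    """Return (directive, path, problem) for each path the user cannot use."""
    findings = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(words) < 2 or words[0] not in NEEDS:
            continue
        directive, path = words[0], words[1].strip('"')
        try:
            have = allowed(stat(path), uid, gids)
        except FileNotFoundError:
            findings.append((directive, path, "missing"))
            continue
        lacking = "".join(c for c in NEEDS[directive] if c not in have)
        if lacking:
            findings.append((directive, path, "lacks " + lacking))
    return findings

# Constructed sample: the log file was created by root, as in the logrotate case.
SAMPLE_CONF = """driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log  # recreated as root after rotation
leapfile /nonexistent/leap-seconds.list
"""
SAMPLE_FS = {
    "/var/lib/ntp/ntp.drift": SimpleNamespace(st_mode=0o100644, st_uid=123, st_gid=123),
    "/var/log/ntpd.log": SimpleNamespace(st_mode=0o100644, st_uid=0, st_gid=0),
}

def sample_stat(path):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, uid=123, gids={123}, stat=sample_stat))
```

Against a real system, call audit() with the text of ntp.conf and the uid and group ids of the account ntpd drops to, leaving stat at its default.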