On Tue, Jan 20, 2015 at 12:26:35PM -0600, Brent Cook wrote:
> 
> > On Jan 20, 2015, at 9:59 AM, John Long <codeb...@inbox.lv> wrote:
> > 
> >> LOCALSTATEDIR "/db/ntpd.drift"
> > 
> > Thanks, this helps. It was there, just not where I wanted since I install
> > addons in /usr/local. Unfortunately now that I fixed the build to use /var
> > like everything else I see there is a problem because /var/db is only root
> > writeable and I believe the _ntp user is the one trying to write the drift
> > file. It would be unfortunate to have to create a whole directory hierarchy
> > no matter how small just to have a place the _ntp user could write his drift
> > file. I think I would even prefer /var/tmp to that. Any suggestions?
> 
> That's OK. Nothing will be written as the _ntp user. The unprivileged process
> instead sends a message to the privileged process, which actually does the
> writing of the drift file. You want it to be some place persistent, not
> /var/tmp.
> 
> Note that a new drift file is not written immediately on start, only after
> the proper frequency adjustment has been determined. That might take a long
> time depending on the stability of your system's clock (e.g. VMs) and how
> quickly time can be synced, etc. Give it an hour or ten :)
Ah, ok. Thanks, I will watch it.

> >>> Also, what is the purpose of /var/empty/ntp in the portable version? It's
> >>> empty ;)
> >> 
> >> Thanks for bringing that up. This is a privilege-separation directory
> >> that the unprivileged ntpd processes chroot to on startup. It is
> >> intentionally empty and unwritable by the unprivileged processes.
> >> Having this directory empty and unwritable prevents the processes from
> >> having access to any files or file system privileges that they do not
> >> need to do their jobs.
> >> 
> >> Since /var/empty might not exist, e.g. Debian does not provide it,
> >> your OS's package may have altered the privilege separation user
> >> directory to be somewhere else, like '/var/run/openntpd'. But, that
> >> should also be empty and unwritable.
> > 
> > Ok, this was also fixed, presumably, when I set localstatedir for the
> > build.

Oops, no, that's not what I meant:

> 
> I think this might be more likely:
> 
> 'make install' checks to see if you have a properly configured unprivileged
> user and gives instructions if none is found. If you already have one
> configured, it does not display the instructions again.
> 

I don't remember that happening in 3.9, and by the time I ran this one I
already had the user and group defined on this particular box.

What I should have written was: after reading your first email I deleted the
ntp dir from /var/empty, which I had created according to the INSTALL
instructions from 3.9, and specified --with-privsep-path=/var/empty on the
config, along with other options appropriate for my setup, and then recompiled
and reinstalled.

ntpd 5.7p1 runs and responds to ntpctl, so presumably it works with /var/empty;
otherwise I would expect ntpd to squawk or fail on startup.

Thank you.

/jl

-- 
ASCII ribbon campaign ( )   Powered by Lemote Fuloong
 against HTML e-mail   X    Loongson MIPS and OpenBSD
 and proprietary      / \   http://www.mutt.org
 attachments         /   \  Code Blue or Go Home!
                            Encrypted email preferred
                            PGP Key 2048R/DA65BC04