On Monday, March 17, 2025 4:52:25 PM Pacific Daylight Time Hal Murray via devel
wrote:
> Back in 2018, I did some work on getting ntpd to start as ntp:ntp
> There was a way on Linux to set some capabilities on a file.
>
> Somebody talked me/us out of this. I don't remember why.
>
> I've poked a
Found it:
https://lists.ntpsec.org/pipermail/devel/2019-February/007659.html
From: Richard Laager
Subject: Is it time to drop seccomp?
Here is the key chunk. Thanks Richard!!
I think the setuid/setcap as described above is dangerous. Unless you
limit the permissions on "other" (e.g. chmod 27
James said:
> I do not; a quick search suggests that SHM needed root.
"needed root" doesn't make sense in the context of that discussion. Linux
has a fine grained capabilities facility. See man capabilities(7). There
is one for SHM.
CAP_IPC_LOCK
  * Lock memory (mlock(2
Back in 2018, I did some work on getting ntpd to start as ntp:ntp
There was a way on Linux to set some capabilities on a file.
Somebody talked me/us out of this. I don't remember why.
I've poked around in the archives, but I haven't found the message that
I'm looking for.
Does anybody rememb