Alexander Nasonov wrote:
> I didn't set nodev specifically for /var/chroot, my /var is mounted with
> nodev,noexec. It worked for me with no problem until I tried to chroot
> ntpd. It didn't fail to start but it clearly didn't work. It's even
> more subtle for named. If it tries to open /dev/{rando
Christos Zoulas wrote:
> named seems to be needing random and null... It is reasonable to run
> with nodev, but it buys you little... I mean the processes run as non-root
> in a chroot you have created that only has the device nodes they
> need. It would be hard for them to create more.
I didn't
On May 1, 9:09am, al...@yandex.ru (Alexander Nasonov) wrote:
-- Subject: Re: /dev/clockctl, O_CLOEXEC and forking
| Christos Zoulas wrote:
| > In article <20180429192706.GA25516@neva>,
| > Alexander Nasonov wrote:
| >
| > >I don't think adjtime will work because n
Christos Zoulas wrote:
> In article <20180429192706.GA25516@neva>,
> Alexander Nasonov wrote:
>
> >I don't think adjtime will work because ntpd still runs as root and
> >it can't drop to an unprivileged user before it calls chroot(2).
>
> Right, it is the chicken and the egg problem. Your case o
In article <20180429192706.GA25516@neva>,
Alexander Nasonov wrote:
>I don't think adjtime will work because ntpd still runs as root and
>it can't drop to an unprivileged user before it calls chroot(2).
Right, it is the chicken and the egg problem. Your case of running it in
a non-dev chroot is s
Alexander Nasonov wrote:
> Christos Zoulas wrote:
> > After fork it would work fine; after exec, not so much, as the name implies
> > :-)
>
> Ah, you're right. 'step-systime: Bad file descriptor' messages in syslog
> confused me.
It was a pilot error.
> > Nevertheless
> > we should not be exposi
Christos Zoulas wrote:
> After fork it would work fine; after exec, not so much, as the name implies :-)
Ah, you're right. 'step-systime: Bad file descriptor' messages in syslog
confused me.
> It may be closed by something else, but not the fork.
Something else breaks it, I guess. I will look fur
In article <20180429165331.GA8898@neva>,
Alexander Nasonov wrote:
>While looking whether it's possible to change ntpd to work when
>chrooted to a file system mounted with the nodev flag, I noticed
>that /dev/clockctl is open with O_CLOEXEC and its file descriptor
>is kept in a stat
While looking whether it's possible to change ntpd to work when
chrooted to a file system mounted with the nodev flag, I noticed
that /dev/clockctl is open with O_CLOEXEC and its file descriptor
is kept in a static variable. I'm not sure it will work after a
fork correctly. ntpd doesn't open /dev/