tech-userlevel archive


Re: non-root ntpd



On 29/06/2017 02:06, Taylor R Campbell wrote:
>> we've been able to run ntpd as non-root for a while. this is not the
>> default if you innocently ntpd=yes in rc.conf. it requires
>> /dev/clockctl, and most things have it, even one of the sun2 kernels.
>>
>> can I change this to become the default, for better default security?
> 
> There's one complication: if your IP address ever changes, then ntpd
> must be restarted.  So it requires a little wiring with, e.g.,
> ifwatchd.  I do this on all my machines, but it is a bit of trouble.
> 
> Ideally we ought to find some way to make it work unprivileged out of
> the box with no trouble, perhaps by always running ifwatchd in tandem,
> or perhaps with an easily audited ntpd-specific supervisor process.

I could modify /libexec/dhcpcd-hooks/50-ntp.conf to restart ntpd if the
IP address changes, if that helps your use case.

However, it's a waste of resources if ntpd is running as root, as it can
use the new address itself without restarting.

Roy
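An added example for this thread, not dhcpcd's shipped /libexec/dhcpcd-hooks/50-ntp.conf and not NetBSD's rc.d: a hook fragment that restarts an unprivileged ntpd only when a lease event actually changed the interface's IPv4 address. It relies on the variables dhcpcd-run-hooks(8) exports to every hook ($reason, $old_ip_address, $new_ip_address); the function names, the NTPD_RESTART_CMD variable and the NetBSD-style "/etc/rc.d/ntpd restart" command are assumptions made for the example. As Roy points out, this is only worth wiring up when ntpd runs without root privileges; a root ntpd picks up the new address by itself.

```sh
#!/bin/sh
# Added example (not dhcpcd's own 50-ntp.conf): restart an unprivileged ntpd
# when dhcpcd reports that the interface's IPv4 address changed.
# dhcpcd-run-hooks(8) sets $reason, $interface, $old_ip_address and
# $new_ip_address before sourcing a hook; everything else here (the restart
# command, the variable and function names) is an assumption for this example.

# Assumption: NetBSD-style rc.d restart. Override it for tests or other systems.
: "${NTPD_RESTART_CMD:=/etc/rc.d/ntpd restart}"

# ntpd_address_changed REASON OLD_ADDR NEW_ADDR
# Exit 0 when the event invalidates the sockets ntpd bound at startup.
ntpd_address_changed() {
    r=$1; o=$2; n=$3
    case "$r" in
    BOUND|REBIND|REBOOT|RENEW|STATIC|IPV4LL)
        # Lease obtained or refreshed. A plain RENEW normally keeps the same
        # address, so only a real change (including the first BOUND, where
        # the old address is empty) warrants bouncing the daemon.
        if [ -n "$n" ] && [ "$o" != "$n" ]; then
            return 0
        fi
        return 1
        ;;
    EXPIRE|RELEASE|STOP|NAK)
        # The address is going away; restarting now would only fail to bind.
        # The next BOUND arrives with old != new and triggers the restart.
        return 1
        ;;
    *)
        # CARRIER, NOCARRIER, DUMP, TEST, ...: nothing for ntpd to do.
        return 1
        ;;
    esac
}

# ntpd_hook: what dhcpcd would reach when it sources this file.
# Returns 0 when a restart was issued, 1 when nothing was done.
ntpd_hook() {
    if ntpd_address_changed "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
        # Word splitting of $NTPD_RESTART_CMD is intentional (command + args).
        $NTPD_RESTART_CMD
        return 0
    fi
    return 1
}

# Only act when sourced by dhcpcd, which always sets $reason; running the
# file by hand or from a test harness does nothing.
if [ -n "${reason:-}" ]; then
    ntpd_hook
fi
```

Dropped into the hooks directory, this file would be sourced by dhcpcd on every lease event. The decision is deliberately keyed on the address pair rather than on $reason alone: a RENEW that returns the same lease must not restart ntpd, or every renewal would cost the daemon its clock discipline state, while a RENEW that hands out a different address must.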

