This is nice thing, and I like one less daemon would be able to
run without root privs.

However, I'm a bit converned whether this really needs to be
implemented this way. I'd prolly liked much more if the device
would be used as way to control who can call ntp_adjtime() only - like,
if ntp_adjtime() would be called by non-root, it would allow the
change if the calling process has the clockctl device open for
write. Simple, and no read/writes on critical path. This would also
simplify the userland stubs a lot (they'd only need to open/close
the device file before calling the syscall, no other special handling
would be necessary).

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>      http://www.ics.muni.cz/~dolecek/
NetBSD - just plain best OS! -=*=- Got spare MCA cards or docs? Hand me them!