tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: non-root ntpd

> Date: Thu, 29 Jun 2017 00:02:24 +0000
> From:
> we've been able to run ntpd as non-root for a while. this is not the
> default if you innocently ntpd=yes in rc.conf. it requires
> /dev/clockctl, and most things have it, even one of the sun2 kernels.
> can I change this to become the default, for better default security?

There's one complication: if your IP address ever changes, then ntpd
must be restarted.  So it requires a little wiring with, e.g.,
ifwatchd.  I do this on all my machines, but it is a bit of trouble.

Ideally we ought to find some way to make it work unprivileged out of
the box with no trouble, perhaps by always running ifwatchd in tandem,
or perhaps with an easily audited ntpd-specific supervisor process.

Home | Main Index | Thread Index | Old Index