tech-userlevel archive


Re: non-root ntpd



> Date: Thu, 29 Jun 2017 00:02:24 +0000
> From: coypu%sdf.org@localhost
> 
> we've been able to run ntpd as non-root for a while. this is not the
> default if you innocently ntpd=yes in rc.conf. it requires
> /dev/clockctl, and most things have it, even one of the sun2 kernels.
> 
> can I change this to become the default, for better default security?

There's one complication: if your IP address ever changes, then ntpd
must be restarted.  So it requires a little wiring with, e.g.,
ifwatchd.  I do this on all my machines, but it is a bit of trouble.

Ideally we ought to find some way to make it work unprivileged out of
the box with no trouble, perhaps by always running ifwatchd in tandem,
or perhaps with an easily audited ntpd-specific supervisor process.

