Subject: bin/23736: ntpd should call initgroups()
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 12/13/2003 21:37:53
>Number:         23736
>Category:       bin
>Synopsis:       ntpd should call initgroups()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 13 21:38:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6ZF
>Organization:
>Environment:
System: NetBSD cyclonus 1.6ZF NetBSD 1.6ZF (STARSCREAM) #0: Sun Nov 30 01:56:21 CET 2003 bin@cyclonus:/usr/build/obj/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:
ntpd can be configured to run as a certain user and with certain group
privileges. However, it won't run with all group privileges of this user
because ntpd doesn't call initgroups(). For example, ntpd cannot access
directories and files which the user would have access to under normal
circumstances.

>How-To-Repeat:
Add ntpd (the user) to group daemon and put the drift file for ntpd into
a directory writeable for group daemon. Note that ntpd (the process)
can't write ntp.drift.TEMP because it gets a "permission denied". No wonder,
because group ntpd has no permission to write there.

>Fix:
There's of course an easy workaround:
Create a (sub-)directory for the drift file and make it writeable for group
ntpd.

Anyway, if I put a user into a group, I can expect that to be
respected and used. The drift file is just one aspect and there might
be similar problems for special device files etc.
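To show what the report is asking for, here is an added example (not ntpd's code and not the reporter's): a privilege-drop routine that calls initgroups() before setgid() and setuid(), plus a pure helper that lists which expected supplementary groups a running process lacks. The names drop_privileges and missing_groups, and the return codes, are constructed for this example.

```c
/* Added example (not ntpd's or the reporter's code): privilege drop that
 * calls initgroups() as the report asks; must be run while still root. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_BAD_ARG, DROP_NO_SUCH_USER, DROP_FAILED };

/* Order matters: initgroups() and setgid() need root, so they must run
 * before setuid() gives it up. */
int drop_privileges(const char *user)
{
    if (user == NULL || *user == '\0')
        return DROP_BAD_ARG;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_NO_SUCH_USER;
    /* Replace the inherited (root's) group list with the user's own. Without
     * this step the process carries only pw_gid, which is the reported bug. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return DROP_FAILED;
    if (setgid(pw->pw_gid) != 0)
        return DROP_FAILED;
    if (setuid(pw->pw_uid) != 0)
        return DROP_FAILED;
    /* Verify the drop stuck; a daemon should refuse to continue otherwise. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return DROP_FAILED;
    return DROP_OK;
}

/* Diagnostic helper (pure): copy to `out` every gid in `want` (e.g. from
 * getgrouplist()) missing from `have` (e.g. from getgroups()); returns count. */
int missing_groups(const gid_t *want, int nwant, const gid_t *have, int nhave,
                   gid_t *out, int out_len)
{
    int n = 0;
    for (int i = 0; i < nwant && n < out_len; i++) {
        int found = 0;
        for (int j = 0; j < nhave && !found; j++)
            found = (have[j] == want[i]);
        if (!found)
            out[n++] = want[i];
    }
    return n;
}
```

A daemon that compares getgrouplist() for its configured user against its own getgroups() at startup can detect the missing-initgroups condition instead of failing later with "permission denied".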
>Release-Note:
>Audit-Trail:
>Unformatted: