| 4 | |
| 5 | |
| 6 | == NTPD privsep == |
| 7 | Installing ntpd to drop to non-root -[[BR]] |
| 8 | |
| 9 | If you have libacl and libattr installed, you can configure NTP with: |
| 10 | |
| 11 | {{{ |
| 12 | --enable-linuxcaps |
| 13 | }}} |
| 14 | |
| 15 | Then add an ntpd user: |
| 16 | |
| 17 | |
| 18 | {{{ |
| 19 | groupadd ntpd && |
| 20 | useradd -c 'ntpd PrivSep' -d /var/lib/ntpd -g ntpd \ |
| 21 | -s /bin/false ntpd && |
| 22 | install -v -m710 -g ntpd -d /var/lib/ntpd |
| 23 | }}} |
| 24 | |
| 25 | Install the blfs bootscript, and modify /etc/rc.d/init.d/ntp with this: |
| 26 | |
| 27 | |
| 28 | {{{ |
| 29 | loadproc /usr/sbin/ntpd --configfile=/etc/ntpd.conf \ |
| 30 | --jaildir=/var/lib/ntpd --logfile=/var/log/ntpd.log \ |
| 31 | --pidfile=/var/run/ntpd.pid --user=ntpd:ntpd \ |
| 32 | --no-load-opts |
| 33 | }}} |
| 34 | |
| 35 | To give the ntpd user minimal privileges create a tmpfs just big enough for the drift file: |
| 36 | |
| 37 | {{{ |
| 38 | install -d -m 0000 /var/lib/ntpd/drift |
| 39 | }}} |
| 40 | |
| 41 | And add this to /etc/fstab, and replace the gid with ntpd's group id: |
| 42 | |
| 43 | {{{ |
| 44 | tmpfs /var/lib/ntpd/drift tmpfs size=9k,nosuid,noexec,nodev,mode=1770,gid=1003,nr_inodes=2,nr_blocks=2 0 0 |
| 45 | }}} |
| 46 | |