Version 4 (modified by ken@…, 7 years ago)

This is a workaround for dodgy kernels. See #8759


The download URL is

NTPD privsep

Installing ntpd so that it drops to a non-root user

If you have libacl and libattr installed, you can configure NTP with:


Then add an ntpd user:

groupadd ntpd &&
useradd -c 'ntpd PrivSep' -d /var/lib/ntpd -g ntpd \
    -s /bin/false ntpd &&
install -v -m710 -g ntpd -d /var/lib/ntpd

Install the BLFS bootscript, and modify /etc/rc.d/init.d/ntp with this:

loadproc /usr/sbin/ntpd --configfile=/etc/ntpd.conf \
                   --jaildir=/var/lib/ntpd --logfile=/var/log/ntpd.log \
                   --pidfile=/var/run/ --user=ntpd:ntpd \

To give the ntpd user minimal privileges, create a tmpfs just big enough for the drift file:

install -d -m 0000 /var/lib/ntpd/drift

Then add this to /etc/fstab, replacing the gid with the ntpd group's ID:

tmpfs /var/lib/ntpd/drift tmpfs size=9k,nosuid,noexec,nodev,mode=1770,gid=1003,nr_inodes=2,nr_blocks=2 0 0
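
To confirm that the user switch, the jail and the drift mount set up above actually took effect on a running ntpd, the following added example (not part of the original page) checks them through /proc. The function names are illustrative, and the paths are parameters so the checks can also be run against fixture files.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the settings above took
# effect. Paths are parameters so the checks can be pointed at test fixtures.

# check_ids PROC_DIR UID GID: every real/effective/saved/fs ID in
# /proc/<pid>/status must equal the unprivileged user's, i.e. no root ID kept.
check_ids() {
    awk -v u="$2" -v g="$3" '
        $1 == "Uid:" || $1 == "Gid:" {
            want = ($1 == "Uid:") ? u : g; seen++
            for (i = 2; i <= 5; i++) if ($i != want) bad = 1
        }
        END { exit ((seen == 2 && !bad) ? 0 : 1) }' "$1/status"
}

# check_jail PROC_DIR JAIL: /proc/<pid>/root is a symlink to the process's
# root directory; after a successful chroot it points at the jail.
check_jail() {
    [ "$(readlink "$1/root")" = "$2" ]
}

# check_drift_mount MOUNTS_FILE MOUNTPOINT: the drift directory must be a
# tmpfs mounted nosuid, nodev and noexec (fields as in /proc/mounts).
check_drift_mount() {
    awk -v mp="$2" '
        $2 == mp && $3 == "tmpfs" {
            o = "," $4 ","
            if (o ~ /,nosuid,/ && o ~ /,nodev,/ && o ~ /,noexec,/) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Typical use, as root, with ntpd running:
#   p=/proc/$(pidof ntpd)
#   check_ids "$p" "$(id -u ntpd)" "$(id -g ntpd)"     || echo "IDs not dropped"
#   check_jail "$p" /var/lib/ntpd                      || echo "not chrooted"
#   check_drift_mount /proc/mounts /var/lib/ntpd/drift || echo "drift mount weak"
```

Reading /proc/<pid>/root of another user's process requires root, so run the checks as root.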

Fixes if synchronisation fails

For a long time the default kernel clocksource has been tsc, but it used to be acpi_pm. On one of my machines, in one kernel release, I lost synchronisation and the log showed:

frequency error 1726 PPM exceeds tolerance 500 PPM

Google found a not-too-old link to Red Hat which suggested checking the available drivers with

cat /sys/devices/system/clocksource/clocksource0/available_clocksource 

and assuming that acpi_pm is available, temporarily changing to it with

echo acpi_pm >/sys/devices/system/clocksource/clocksource0/current_clocksource 

and seeing if that helps. If useful, it can be forced by adding


to the bootargs in grub.

When the clock is too far away from the correct time

If ntpd bails out because the clock is too far from the correct time, try stopping ntpd, using

ntpd -gq

to let it sync, and then restarting ntpd. According to the man page, -g can be used multiple times if the clock is far adrift.

