# NTPd not willing to run as non-root with 2.6.15-gentoo-r1

## JustJoe

Hi there,

I'm having a hard time trying to get ntpd to drop root privileges on startup. As you can see below, I do have the security options enabled in the kernel and I have loaded the capability module:

```
mybox ~ # grep SECURITY /boot/config
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_SELINUX is not set
mybox ~ # lsmod|grep capability
capability              4552  0
commoncap               6656  1 capability
mybox ~ # cat /etc/conf.d/ntpd
# /etc/conf.d/ntpd
# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-u ntp:ntp"
```

Now, when I start ntpd with the -u parameter, it doesn't give me any errors of any kind, but it just doesn't start:

```
mybox ~ # ntpd -u ntp:ntp
mybox ~ # ps aux|grep ntpd
root      9142  0.0  0.0   1520   456 pts/0    R+   05:43   0:00 grep ntpd
```

It can be started as root though:

```
mybox ~ # ntpd
mybox ~ # ps aux|grep ntpd
root      9144  0.0  0.7   3772  3772 ?        SLs  05:43   0:00 ntpd
root      9149  0.0  0.0   1520   456 pts/0    R+   05:43   0:00 grep ntpd
```

So it's clear to me that ntpd doesn't want to run as anything other than root. I'm puzzled and might be overlooking something here, but what?

----------

## PaulBredbury

What does emerge -pv ntp say? You don't want the nodroproot USE flag.

----------

## JustJoe

The nodroproot USE flag is not set:

```
emerge -pv ntp

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-misc/ntp-4.2.0.20040617-r3  -debug -ipv6 -logrotate -nodroproot -openntpd -parse-clocks (-selinux) +ssl 0 kB
```

[edit] On a different machine I unmasked an ~x86 version of ntp, ntp-4.2.0.20050303-r1. This doesn't help though; I have the same problem there. Same kernel version. [/edit]

----------

## JustJoe

Little bump, NTPd still refuses to drop root privileges...

Everything seems to be configured OK to me. Should I file a bug report, or does anybody have another tip I could try?

----------

## PaulBredbury

What's in your /etc/ntp.conf? Did you follow the wiki?

----------

## JustJoe

I followed that wiki tutorial indeed.

```
Security options  --->
 [*] Enable different security models
 <*>   Default Linux Capabilities
```

At first I followed the wiki in compiling the above features into the kernel. Since that didn't seem to work for me, I searched and found some threads on the forum suggesting to modularise Default Linux Capabilities and load the capability module. That doesn't work for me either.

Just now I recompiled my kernel as suggested in the wiki (just to be sure) but still, no-go.

Here's my ntp.conf:

```
server  0.nl.pool.ntp.org
server  1.nl.pool.ntp.org
server  2.nl.pool.ntp.org

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp/ntp.log

# To deny other machines from changing the
# configuration but allow localhost:
restrict 127.0.0.1 nomodify
```

----------

## JustJoe

Follow up: I have another server running the same kernel and ntpd is working as user ntp.

The difference is on that server the security options are not configured into the kernel nor as modules:

```
grep SECURITY /boot/config-2.6.15-gentoo-r1-memsplit
# CONFIG_EXT3_FS_SECURITY is not set
# CONFIG_SECURITY is not set
```

So I'm recompiling the kernel on one of the machines I have trouble with right now. I'll post my findings in a minute. [edit: been called for dinner. First things first, so I'll be a while.]

----------

## JustJoe

Well, that didn't work either. Any ideas?

----------

## JustJoe

Well well, it seems ntp needs to be re-emerged after a kernel reconfiguration.

On all three machines ntpd is running as non-root now, with no security options configured in the kernel, nor as modules.

----------

## PaulBredbury

*JustJoe wrote:*

> no security options configured in the kernel, nor as modules.

I wonder whether your ntp is really dropping root privileges. Does ps ax -f | grep ntp return:

*Quote:*

> ntp       7565     1  0 02:23 ?        SLs    0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
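The check suggested above, scripted as an added example (not from the thread): it reads a `ps ax -f`-style listing and verifies that every ntpd process is owned by the ntp user, skipping the `grep ntp` line that otherwise shows up as a root-owned false positive in the listings posted here. The sample listings, the function name `check_daemon_user` and its exit codes are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): confirm from a process listing that
# every ntpd process runs as the intended unprivileged user. It also avoids
# the pitfall visible in the thread's own output, where `grep ntp` matches
# itself and shows up as a root-owned line.
#
# check_daemon_user NAME USER   reads `ps ax -f` (or `ps aux`) output on stdin
# Exit status: 0 = every NAME process runs as USER
#              1 = at least one NAME process runs as another user (e.g. root)
#              2 = no NAME process found at all
check_daemon_user() {
    daemon=$1
    want=$2
    found=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|*" grep "*) continue ;;   # empty line or the grep that ran the check
            */"$daemon"|*/"$daemon "*|*" $daemon"|*" $daemon "*) ;;
            *) continue ;;               # header line or an unrelated process
        esac
        found=1
        user=${line%% *}                 # first column is the owning user
        [ "$user" = "$want" ] || bad=1
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed listings in the same shape as the thread's `ps ax -f | grep ntp`.
PS_DROPPED='UID        PID  PPID  C STIME TTY          TIME CMD
ntp       7813     1  0 04:20 ?        SLs    0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
root     13590 13579  0 16:16 pts/0    R+     0:00 grep ntp'
PS_STILL_ROOT='root      9144     1  0 05:43 ?        SLs    0:00 ntpd
root      9149  9100  0 05:43 pts/0    R+     0:00 grep ntp'
PS_NOT_RUNNING='root      9142  9100  0 05:43 pts/0    R+     0:00 grep ntpd'

report() {
    rc=0
    printf '%s\n' "$1" | check_daemon_user ntpd ntp || rc=$?
    case $rc in
        0) echo "ok: every ntpd process runs as ntp" ;;
        1) echo "WARNING: an ntpd process still runs as another user" ;;
        2) echo "ntpd is not running (the -u start may have failed silently)" ;;
    esac
}
report "$PS_DROPPED"; report "$PS_STILL_ROOT"; report "$PS_NOT_RUNNING"
```

On a live box, `ps ax -f | check_daemon_user ntpd ntp` gives the same three outcomes, which makes it usable from a cron job or a post-start check in the init script.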

 

----------

## JustJoe

To my own surprise it does, on all three boxes:

```
box1 ~ # grep SECURITY /boot/config
# CONFIG_EXT2_FS_SECURITY is not set
# CONFIG_EXT3_FS_SECURITY is not set
# CONFIG_SECURITY is not set
box1 ~ # ps ax -f | grep ntp
ntp       7813     1  0 04:20 ?        SLs    0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
root     13590 13579  0 16:16 pts/0    R+     0:00 grep ntp

box2 ~ # grep SECURITY /boot/config
CONFIG_EXT2_FS_SECURITY=y
# CONFIG_SECURITY is not set
box2 ~ # ps ax -f | grep ntp
ntp       7280     1  0 16:01 ?        SLs    0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
root      7643  7629  0 16:17 pts/0    S+     0:00 grep ntp

box3 ~ # grep SECURITY /boot/config
# CONFIG_SECURITY is not set
box3 ~ # ps ax -f |grep ntp
ntp      18595     1  0 16:20 ?        SLs    0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp
root     18605  7706  0 16:22 pts/0    S+     0:00 grep ntp
```

As you can see, it seems to work correctly. I don't know if there are other security issues I should worry about now?

----------

## PaulBredbury

It sounds like the kernel still has the "linuxcaps" ability. In comment 9:

*Quote:*

> If not using different security models, unsetting CONFIG_SECURITY will also enable linuxcaps in the kernel.

Personally, I would set up the kernel as the wiki says, rather than run the pointless risk of future ntp security problems.

----------

## JustJoe

Yes, you are absolutely right. I'm recompiling the kernel of 1 of the machines right now to include security.

I'm eager to see if ntpd will still work after that, or if I should re-emerge it again. I'll keep you posted.

----------

## JustJoe

Well, after enabling security in the kernel, ntpd still operates fine as user ntp.

I really don't understand what caused the trouble in the first place, but I'm happy I got it working now.

----------

## mog

I am having the same problem. I followed the NTP wiki, but I modified the NTPD_OPTS line to

*Quote:*

> NTPD_OPTS="-u ntp:ntp"

However, ntpd does not start at all. If I use empty NTPD_OPTS as suggested in the wiki, it runs as root.

A grep SECURITY /boot/.config.current reveals the following:

*Quote:*

> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_REISERFS_FS_SECURITY=y
> ...

I am running a 2.6.17-gentoo-r7 kernel.

----------

## mog

Recompiling ntp with USE="caps" solved the problem for me... I left NTPD_OPTS="-u ntp:ntp".

----------

