Bug 514660 - net-misc/ntp-4.2.6_p5-r10[caps]: pass "-u ntp:ntp"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2014-06-23 11:03 UTC by Matthias Maier
Modified: 2014-08-01 11:18 UTC
Description Matthias Maier gentoo-dev 2014-06-23 11:03:52 UTC
The installed ntpd.service file does not provide any possibility to specify options directly (except to override ntpd.service completely) and calls the ntpd daemon directly.

The ntpd.service unit could easily do something like the sntp.service file (also shipped with net-misc/ntp...), i.e.

  EnvironmentFile=/etc/conf.d/ntpd
  ExecStart=/usr/sbin/ntpd $NTPD_OPTS

reading the configuration from /etc/conf.d/ntpd.

Furthermore, I do not understand the need for

  /etc/systemd/system/ntpdate.service.d/00gentoo.conf
  /etc/systemd/system/sntp.service.d/00gentoo.conf

* The latter is never used for sntp (as evidenced by sntp.service),

* Why doesn't ntpdate do the same as sntp, i.e. reading the configuration from /etc/conf.d?

On a side note: Is there a clear policy where such configuration should be stored? Shall it remain under /etc/conf.d, or the 'systemd' way by overriding parts of the unit file under /etc/systemd/system/[unit].d/*?

Reproducible: Always
Comment 1 Pacho Ramos gentoo-dev 2014-06-23 12:58:02 UTC
+  23 Jun 2014; Pacho Ramos <pacho@gentoo.org> ntp-4.2.6_p5-r10.ebuild:
+  Old unit file was still being installed by error (#514660 by Matthias Maier)
+

Regarding the configuration, it has been explained several times in multiple bug reports, and there is a short explanation at:
https://wiki.gentoo.org/wiki/Systemd/Ebuild_policy#Unit_file_guidelines

Apart from SERVERs, what other options do people need? It looks like other options are for more exotic cases, and allowing people to randomly pass options to the daemons run by unit files is not wanted.
Comment 2 Matthias Maier gentoo-dev 2014-06-23 13:56:04 UTC
Well, options directly passed to the daemon are about the only possibility to

 * drop root privileges (-u ntp:ntp)

 * restrict socket binding to specific interfaces.

The latter is arguably a more exotic use case.

The openrc ntpd.conf file nowadays passes "-u ntp:ntp" as a default option to the daemon - so if you dislike the above idea to pass generic options from /etc/conf.d to the daemon, I kindly ask to at least pass "-u ntp:ntp" to the daemon.
Comment 3 Mike Gilbert gentoo-dev 2014-06-23 14:37:01 UTC
(In reply to Matthias Maier from comment #2)
> The openrc ntpd.conf file nowadays passes "-u ntp:ntp" as default option to
> the daemon - so if you dislike above idea to pass generic options from
> /etc/conf.d to the daemon, I kindly ask to at least pass "-u ntp:ntp" to the
> daemon.

Actually, that is only true if you have the "caps" use flag enabled.

Without capabilities support, ntpd must run as root.
Comment 4 Mike Gilbert gentoo-dev 2014-06-23 14:41:24 UTC
I think I agree that we should probably modify ExecStart to pass -u ntp:ntp when the caps flag is enabled. Re-opening.
Comment 5 Pacho Ramos gentoo-dev 2014-06-23 15:16:42 UTC
And I guess User/Group will also need to be added to the service file in that case.
Comment 6 Mike Gilbert gentoo-dev 2014-06-23 16:27:31 UTC
(In reply to Pacho Ramos from comment #5)
> And I guess User/Group will also need to be added to service file in that
> case

Nope. systemd should start it as root, and ntpd takes care of calling setuid() itself.
Comment 7 Richard Freeman gentoo-dev 2014-06-23 16:46:44 UTC
(In reply to Mike Gilbert from comment #6)
> (In reply to Pacho Ramos from comment #5)
> > And I guess User/Group will also need to be added to service file in that
> > case
> 
> Nope. systemd should start it as root, and ntpd takes care of calling
> setuid() itself.

Google was not helpful - is there any reason it can't just launch as non-root, vs dropping permissions after launch?  It looks like everybody else also relies on ntpd to drop permissions after launch.

I imagine that it would at least need CAP_NET_BIND_SERVICE to run non-root.

Not really a big security issue as long as it actually drops permissions before accepting connections.
Comment 8 Mike Gilbert gentoo-dev 2014-06-23 16:55:58 UTC
(In reply to Richard Freeman from comment #7)
> Google was not helpful - is there any reason it can't just launch as
> non-root, vs dropping permissions after launch?  It looks like everybody
> else also relies on ntpd to drop permissions after launch.
> 
> I imagine that it would at least need CAP_NET_BIND_SERVICE to run non-root.

Right, it needs to bind port 123.

It also needs cap_sys_time to actually set the local system clock.

I suppose it might work with the appropriate filecaps, but I have never tried that.
Comment 9 Mike Gilbert gentoo-dev 2014-06-23 16:58:16 UTC
Actually, it looks like ntpd has a hard-coded root check. See ntpdmain in ntpd.c.

#if defined(HAVE_GETUID) && !defined(MPE) /* MPE lacks the concept of root */
    {
        uid_t uid;

        uid = getuid();
        if (uid && !HAVE_OPT( SAVECONFIGQUIT )) {
            msyslog(LOG_ERR, "ntpd: must be run as root, not uid %ld", (long)uid);
            printf("must be run as root, not uid %ld\n", (long)uid);
            exit(1);
        }
    }
#endif
Comment 10 Richard Freeman gentoo-dev 2014-06-23 17:28:33 UTC
(In reply to Mike Gilbert from comment #9)
> Actually, it looks like ntpd has a hard-coded root check. See ntpdmain in
> ntpd.c.

Not a surprise, but it seems unnecessary with capabilities.  In any case, not a battle for this moment unless we want to start patching, and I don't think any other distros are doing it.

If we removed the root check and added any additional required capabilities, I'd think it would "just work."  But, it is probably best to pursue this upstream, and they are right in focusing on dropping root after initial setup since the only root capability needed once it is running is the ability to set the time.
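
Added example (not part of the bug report and not ntp's own code): one way to verify the outcome discussed in comments 7 to 10, namely that an ntpd started as root has actually given up root and holds only the capabilities named in this thread. It reads the Uid, Gid, CapPrm and CapEff lines of /proc/<pid>/status; the sample status text, the uid/gid 123 and the allowed-capability set are assumptions made for the illustration.

```python
# Added example: judge from /proc/<pid>/status whether a daemon really dropped root.
# Assumption: the allowed set is the two capabilities named in this thread.
CAP_BITS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID",
            10: "CAP_NET_BIND_SERVICE", 21: "CAP_SYS_ADMIN", 25: "CAP_SYS_TIME"}
ALLOWED = {"CAP_NET_BIND_SERVICE", "CAP_SYS_TIME"}


def parse_status(text):
    """Return the 'Key: value' fields of a /proc/<pid>/status dump as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Turn a CapPrm/CapEff hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_BITS.get(bit, f"CAP_{bit}") for bit in range(64) if mask >> bit & 1}


def audit(text):
    """List findings; an empty list means the process looks de-privileged."""
    f = parse_status(text)
    findings = []
    for key in ("Uid", "Gid"):
        # Four IDs per line: real, effective, saved, filesystem.
        # A saved ID of 0 still lets the process switch back to root.
        ids = [int(x) for x in f[key].split()]
        if 0 in ids:
            findings.append(f"{key} still contains 0: {ids}")
    for key in ("CapPrm", "CapEff"):
        extra = decode_caps(f[key]) - ALLOWED
        if extra:
            findings.append(f"{key} has unexpected capabilities: {sorted(extra)}")
    return findings


# Constructed samples, not captured from a real host (uid/gid 123 is a placeholder).
DROPPED = ("Name:\tntpd\nUid:\t123\t123\t123\t123\nGid:\t123\t123\t123\t123\n"
           "CapPrm:\t0000000002000400\nCapEff:\t0000000002000400\n")
AS_ROOT = ("Name:\tntpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
           "CapPrm:\t0000001fffffffff\nCapEff:\t0000001fffffffff\n")

if __name__ == "__main__":
    for label, sample in (("with -u ntp:ntp", DROPPED), ("without -u", AS_ROOT)):
        print(label, "->", audit(sample) or "ok")
```

On a live system, pass the contents of /proc/<pid>/status for the running ntpd to audit() instead of the constructed samples.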
Comment 11 Pacho Ramos gentoo-dev 2014-07-01 16:54:40 UTC
+  01 Jul 2014; Pacho Ramos <pacho@gentoo.org> files/ntpdate.service,
+  ntp-4.2.6_p5-r10.ebuild:
+  ntpdate needs network to be really connected and working (#501298 by Juergen
+  Rose), toggle options for usage with 'caps' USE (#514660 by Matthias Maier).
+
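Review bot: "toggle options for usage with 'caps' USE" in the second entry does not say which options are toggled or in which unit; naming the flag this bug asks for (-u ntp:ntp) and the affected service file would let a reader confirm from the ChangeLog alone that the privilege drop is applied when caps is enabled. The entry lists only files/ntpdate.service and ntp-4.2.6_p5-r10.ebuild, so it is also worth stating how the ntpd unit itself is changed.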