Bug 37412 - ntpd crashes with "cap_set_proc failed" when using -U ntp
Summary: ntpd crashes with "cap_set_proc failed" when using -U ntp
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: SpanKY
URL: http://forums.gentoo.org/viewtopic.ph...
Reported: 2004-01-06 12:09 UTC by Jeremy Heslop
Modified: 2004-01-16 16:15 UTC (History)
Description Jeremy Heslop 2004-01-06 12:09:02 UTC
ntpd does not start up when NTPD_OPTS="-U ntp" is set under /etc/conf.d/ntpd. When NTPD_OPTS is commented out, ntpd runs fine as root. Here is /var/log/ntp.log output:

6 Jan 15:02:09 ntpd[4382]: cap_set_proc failed.

Doing some searching on forums led to this article: http://forums.gentoo.org/viewtopic.php?t=116871&highlight=capsetproc

Could not find any other info.

Reproducible: Always
Steps to Reproduce:
1. Set NTPD_OPTS to "-U ntp" in /etc/conf.d/ntpd
2. /etc/init.d/ntpd start
3. tail /var/log/ntp.log

Actual Results:  
Error in /var/log/ntp.log

6 Jan 15:02:09 ntpd[4382]: cap_set_proc failed.

Expected Results:  
ntpd to function normally and start.

Portage 2.0.49-r20 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r3, 2.6.1-rc1)
=================================================================
System uname: 2.6.1-rc1 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.4.3.10
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://www.gtlib.cc.gatech.edu/pub/gentoo
http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ http://gentoo.mirrors.pair.com/
http://gentoo.seren.com/gentoo http://gentoo.chem.wisc.edu/gentoo/
http://cudlug.cudenver.edu/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache2 apm arts avi berkdb crypt cups encode foomaticdb gdbm gif gpm
gtk2 imlib java jpeg ldap libg++ libwww mad mikmod motif mpeg mysql ncurses nls
oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang
spell ssl svga tcpd truetype x86 xml2 xmms xv zlib"
Comment 1 Jeremy Heslop 2004-01-16 13:34:33 UTC
I think I figured this out. Maybe someone else can test it. 

(note: you should only need this if using 2.6 kernels (possibly 2.5 as well))

The forum link up above was the answer. For a complete bug fix and entry I have included the fix I used here.

I turned on these options in the kernel:

CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=m or y

use these in "make menuconfig":
Security options  --->
    [*] Enable different security models
    <M>   Default Linux Capabilities
 or <*>   Default Linux Capabilities

If you use the module you will need to modprobe the capability module like so:

modprobe capability

and include the line capability in the "/etc/modules.autoload.d/kernel-2.6" file.

I was then able to use the NTPD_OPTS="-U ntp" option in the "/etc/conf.d/ntpd" file successfully and have a more secure ntpd running.
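
A way to check a host against the settings listed in Comment 1 before enabling -U ntp. This is an added example, not part of the original comments; the default paths /usr/src/linux/.config and /proc/modules, the function name and the status names are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Default paths are assumptions;
# pass a kernel .config, a /proc/modules-style file and the autoload file.
cap_status() {
    cfg=${1:-/usr/src/linux/.config}
    mods=${2:-/proc/modules}
    autoload=${3:-/etc/modules.autoload.d/kernel-2.6}

    [ -r "$cfg" ] || { echo "config-unreadable"; return 2; }

    # "Enable different security models" must be on first.
    if ! grep -q '^CONFIG_SECURITY=y$' "$cfg"; then
        echo "security-models-off"; return 1
    fi
    # Built in: nothing to load.
    if grep -q '^CONFIG_SECURITY_CAPABILITIES=y$' "$cfg"; then
        echo "builtin"; return 0
    fi
    if ! grep -q '^CONFIG_SECURITY_CAPABILITIES=m$' "$cfg"; then
        echo "capabilities-not-enabled"; return 1
    fi
    # Built as a module: the first field of /proc/modules is the module name.
    if ! awk '$1 == "capability" { f = 1 } END { exit !f }' "$mods" 2>/dev/null; then
        echo "module-not-loaded"; return 1
    fi
    # Loaded now, but it also needs an autoload entry to be loaded at boot.
    if ! grep -q '^[[:space:]]*capability[[:space:]]*$' "$autoload" 2>/dev/null; then
        echo "module-loaded-not-autoloaded"; return 1
    fi
    echo "module-loaded"; return 0
}

# Constructed sample input: option set to m, module not yet loaded.
tmp=$(mktemp -d)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=m\n' > "$tmp/config"
: > "$tmp/modules"
: > "$tmp/autoload"
cap_status "$tmp/config" "$tmp/modules" "$tmp/autoload" || true  # prints module-not-loaded
rm -rf "$tmp"
```

The function returns 0 only when the configuration matches what Comment 1 describes, so it can gate a change to NTPD_OPTS in a provisioning script.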
Comment 2 SpanKY gentoo-dev 2004-01-16 16:15:39 UTC
thanks for the link

hopefully ntp-4.2.0 won't need this