Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 37412

Summary: ntpd crashes with "cap_set_proc failed" when using -U ntp
Product: Gentoo Linux Reporter: Jeremy Heslop <jeremy>
Component: [OLD] ServerAssignee: SpanKY <vapier>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
URL: http://forums.gentoo.org/viewtopic.php?t=116871&highlight=capsetproc
Whiteboard:
Package list:
Runtime testing required: ---

Description Jeremy Heslop 2004-01-06 12:09:02 UTC 
ntpd does not startup when NTPD_OPTS="-U ntp" is set under /etc/conf.d/ntpd. When NTPD_OPTS is commented out ntpd runs fine as root. Here is /var/log/ntp.log output:

6 Jan 15:02:09 ntpd[4382]: cap_set_proc failed.

Doing some searching on forums led to this article: http://forums.gentoo.org/viewtopic.php?t=116871&highlight=capsetproc

Could not find any other info.

Reproducible: Always
Steps to Reproduce:
1. Set NTPD_OPTS to "-U ntp" in /etc/conf.d/ntpd
2. /etc/init.d/ntpd start
3. tail /var/log/ntp.log

Actual Results:  
Error in /var/log/ntp.log

6 Jan 15:02:09 ntpd[4382]: cap_set_proc failed.

Expected Results:  
ntpd to function normally and start.

Portage 2.0.49-r20 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r3, 2.6.1-rc1)
=================================================================
System uname: 2.6.1-rc1 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.4.3.10
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://www.gtlib.cc.gatech.edu/pub/gentoo
http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ http://gentoo.mirrors.pair.com/
http://gentoo.seren.com/gentoo http://gentoo.chem.wisc.edu/gentoo/
http://cudlug.cudenver.edu/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache2 apm arts avi berkdb crypt cups encode foomaticdb gdbm gif gpm
gtk2 imlib java jpeg ldap libg++ libwww mad mikmod motif mpeg mysql ncurses nls
oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang
spell ssl svga tcpd truetype x86 xml2 xmms xv zlib"
Comment 1 Jeremy Heslop 2004-01-16 13:34:33 UTC 
I think I figured this out. Maybe someone else can test it. 

(note: you should only need this if using 2.6 kernels (possibly 2.5 as well))

The forum link up above was the answer. For a complete bug fix and entry I have included the fix I used here.

I turned on these options in the kernel:

CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=m or y

use these in "make menuconfig":
Security options  --->
    [*] Enable different security models
    <M>   Default Linux Capabilities
 or <*>   Default Linux Capabilities

If you use the module you will need to modprobe the capability module like so:

modprobe capability

and include the line capability in the "/etc/modules.autoload.d/kernel-2.6" file.

I was then able to ue the NTPD_OPTS="-U ntp" option in the "/etc/conf.d/ntpd" file successfully and have a more secure ntpd running.
Comment 2 SpanKY gentoo-dev 2004-01-16 16:15:39 UTC 
thanks for the link

hopefully ntp-4.2.0 wont need this