currently net-misc/ntp-4.1.1b-r5 runs as root after it is installed.
the ebuild should create a user and group called ntp (maybe uid/gid 123 since
ntp runs on port 123?). in /etc/conf.d/ntpd NTPD_OPTS="-U ntp" should be set.
gentoo currently does this for bind and sshd, and possibly others.
also, /etc/ntp/ should be created and owned by ntp/ntp. then
/usr/share/ntp/ntp.conf should be copied to /etc/ntp.conf but modified so the
drift file is stored in /etc/ntp/drift.
Due to NTP's functionality (setting the system clock), it cannot be run as a normal
user. Nor does the -U option you suggested exist for ntpd.
turns out that this feature is provided by a patch included with redhat rpms. check out <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=35653> for more info. note: "This requires kernel >=2.2.18 and libcap package..."
i downloaded the src rpm from ftp://ftp.redhat.com/pub/redhat/linux/7.2/en/os/i386/SRPMS/ntp-4.1.0-4.src.rpm and extracted the patch.
Created attachment 12278
ntp droproot patch.
... i modified the patch file by adding this source url to the top of it. i
made no modifications to the code.
doesn't change the fact that normal users can't change the system time, does
fyi i submitted this patch to the ntp maintainers. even though it looks like it was written in august 2001, they had not seen it. i will try and find out if/when they are going to include it with the source. let's hold off on adding it.
Why not apply the patch for now, though? Most of the patches in gentoo-sources
are in future kernels, yet we apply them instead of waiting for a new version with
re comment #6: makes sense. the maintainers are looking to include the patch but it could be a while because they are waiting for something similar on bsd. so let's go ahead and include this one with the ebuild.
also fyi, once the patch is in gentoo-src/eid_database/ needs to be updated.
all yours luke-jr.
i updated the patch to work with 4.1.2 and added it to portage
i also added enewgroup/enewuser to the ebuild to add ntp
finally, i updated the ntp server to (by default) pass '-U ntp' in the OPTS
test, works great. thanks.
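
A check that can be run once the patched daemon is installed, added here as an example and not part of the bug report or the Red Hat patch: it reads a `/proc/<pid>/status` file and confirms the process is non-root yet still able to set the clock. It assumes the droproot patch keeps CAP_SYS_TIME after switching to the ntp user; `status_field`, `audit_droproot` and `write_sample` are hypothetical helper names, and the status files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report): check that a process has dropped
# root but kept CAP_SYS_TIME, by reading a /proc/<pid>/status style file.
# Assumption: the patched ntpd retains CAP_SYS_TIME after switching to "ntp".
CAP_SYS_TIME_BIT=25   # value of CAP_SYS_TIME in <linux/capability.h>

# Print field number $3 (1-based, after the label) of the "$2:" line in file $1.
status_field() {
    awk -v key="$2:" -v col="$3" '$1 == key { print $(col + 1); exit }' "$1"
}

# Print a verdict for status file $1. Returns 0 only for non-root + CAP_SYS_TIME.
audit_droproot() {
    euid=$(status_field "$1" Uid 2)        # Uid: real effective saved fs
    capeff=$(status_field "$1" CapEff 1)   # effective capability set, hex
    case "$euid" in ''|*[!0-9]*) echo "UNKNOWN: no effective uid"; return 3 ;; esac
    case "$capeff" in ''|*[!0-9a-fA-F]*) echo "UNKNOWN: no CapEff"; return 3 ;; esac
    mask=$(( 0x$capeff ))
    want=$(( 1 << CAP_SYS_TIME_BIT ))
    if [ "$euid" -eq 0 ]; then
        echo "FAIL: effective uid is 0, root was not dropped"; return 1
    fi
    if [ $(( mask & want )) -eq 0 ]; then
        echo "FAIL: uid $euid lacks CAP_SYS_TIME and cannot set the clock"; return 2
    fi
    if [ $(( mask & ~want )) -ne 0 ]; then
        echo "WARN: uid $euid keeps capabilities beyond CAP_SYS_TIME"; return 0
    fi
    echo "OK: uid $euid with only CAP_SYS_TIME"
}

# Constructed sample: write a minimal status file for uid $2 and CapEff $3 to $1.
write_sample() {
    printf 'Name:\tntpd\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' "$2" "$2" "$2" "$2" "$3" > "$1"
}

if [ $# -gt 0 ]; then
    audit_droproot "/proc/$1/status"       # usage: sh script.sh <pid of ntpd>
else
    tmp=$(mktemp -d)
    write_sample "$tmp/patched" 123 0000000002000000   # non-root, CAP_SYS_TIME only
    write_sample "$tmp/root"    0   000001ffffffffff   # unpatched: full root
    write_sample "$tmp/plain"   123 0000000000000000   # plain setuid, no capability
    for f in patched root plain; do audit_droproot "$tmp/$f" || true; done
    rm -rf "$tmp"
fi
```

The third sample is the case raised earlier in the thread: a daemon that simply runs as a normal user has an empty effective capability set and cannot adjust the system clock.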
4.2.0 is out and here is the patch: