NTP commands such as ntpd and ntpdate are privileged and belong to the root group. What is the best way to run these commands as non-root? Linux capabilities, ownership, any method? I have openSUSE 13.2 and I would prefer a Linux capability that would help (if applicable, of course). I looked into the Linux capabilities list; I have tried applying CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_RAWIO, CAP_SYS_TIME to both ntpd and ntpdate and it did not work.
How to run ntp commands as non-root
Best Answer
These 2 configuration options should help you to make ntpd more secure:

Explanation

NTPD_OPTIONS="-g -u ntp:ntp"
- -g tells ntpd, once at startup, to ignore the default threshold, which is set to 1000.
- -u ntp:ntp makes the daemon run as the ntp user and group.

NTPD_RUN_CHROOTED="yes"
- Makes ntpd run chrooted, reducing the damage caused by exploits.

Since ntpd is running as the ntp user, and using ntpdate to manually adjust the time is not a good practice, I don't see why you have to bother with ntpdate. To force a manual query, use

sudo ntpd -gq

and add the following to your /etc/sudoers file:

your-username ALL = (root) NOPASSWD: /usr/sbin/ntpd -gq
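
A check for the two settings recommended in the answer above, as an added example that is not part of the original answer: it reads a sysconfig-style file and reports whether ntpd is told to drop to a non-root user with -u and to run chrooted. The default path /etc/sysconfig/ntp and the function names are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit an ntp sysconfig file for the two settings from the answer.
# Assumption: the settings live in /etc/sysconfig/ntp (openSUSE layout).

# Print the last value assigned to KEY ($1) in FILE ($2), quotes stripped.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 if ntpd drops root via -u and runs chrooted, 1 otherwise.
check_ntp_hardening() {
    file=${1:-/etc/sysconfig/ntp}
    rc=0
    opts=$(sysconfig_value NTPD_OPTIONS "$file")
    chrooted=$(sysconfig_value NTPD_RUN_CHROOTED "$file")

    # Walk the option words looking for "-u user[:group]" or "-uuser[:group]".
    user=
    set -f; set -- $opts; set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -u)   if [ $# -ge 2 ]; then user=${2%%:*}; shift; fi ;;
            -u?*) user=${1#-u}; user=${user%%:*} ;;
        esac
        shift
    done

    case $user in
        '')     echo "FAIL: NTPD_OPTIONS has no -u user[:group]"; rc=1 ;;
        root|0) echo "FAIL: -u names root, privileges are not dropped"; rc=1 ;;
        *)      echo "ok: ntpd drops privileges to user '$user'" ;;
    esac
    if [ "$chrooted" = yes ]; then
        echo "ok: NTPD_RUN_CHROOTED is yes"
    else
        echo "FAIL: NTPD_RUN_CHROOTED is '${chrooted:-unset}'"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'NTPD_OPTIONS="-g -u ntp:ntp"' 'NTPD_RUN_CHROOTED="yes"' > "$demo_dir/hardened"
printf '%s\n' 'NTPD_OPTIONS="-g"' 'NTPD_RUN_CHROOTED="no"' > "$demo_dir/weak"
check_ntp_hardening "$demo_dir/hardened" || true
check_ntp_hardening "$demo_dir/weak" || true
```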