How to run ntp commands as non-root

ntpntpdroot

NTP commands such as ntpd and ntpdate are privileged and belongs to the root group. What is the best way to run these commands as non-root ? Linux capabilities, ownership, any method ? I have openSUSE 13.2 and I prefer if there is a Linux capability that would help (if applicable of course). I looked into into the Linux capabilities list, I have tried applying CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_RAWIO, CAP_SYS_TIME to both ntpd and ntpdate and it did not work.

Best Answer

This 2 configuration options should help you to make ntpd more secure:

NTPD_OPTIONS="-g -u ntp:ntp"
NTPD_RUN_CHROOTED="yes"

Explanation

NTPD_OPTIONS="-g -u ntp:ntp" - -g sets once when starts to ntpd ignore the default threshold that is set to 1000 . -u ntp:ntp makes the daemon run as ntp user and group.
NTPD_RUN_CHROOTED="yes" - Makes ntpd run chrooted, reducing the damages caused by exploits.

Since ntpd is running as ntp user, and using ntpdate to adjust manually the time is not a good practice, i don't see why you have to bother with ntpdate. To force a manually query use sudo ntpd -gq and add the following to your /etc/sudoers file:

your-username ALL = (root) NOPASSWD: /usr/sbin/ntpd -gq

Related Solutions

How to update date/time without shutting down the NTP daemon

This is a really, really bad idea. Let me (try to) explain.

The ntp daemon expects to control the system clock. When it starts it will jump the clock if permitted, so that the time approximates that offered by its remote time servers. Thereafter, it regularly compares local time generated by the system clock to that offered remotely, and tweaks the local clock faster or slower to keep it synchronised.

There are two levels of synchronisation:

Keeping the clock accurate when compared to remote time servers
Ensuring that over longer time periods the local clock can be sufficiently disciplined that even without Internet connectivity it will continue to keep approximately accurate time

If you jump the clock, or introduce a new slew by setting the clock (whether with ntpdate or manually) it will upset the long-term calculations for #2 and can potentially cause the clock to be disciplined so badly that it will lose or gain visibly significant time compared to reality. If this happens then the only real solution is to shut down ntp, delete the reference adjustment file, and hard reboot the server. Really.

If you really still want to proceed, you could try this:

ntpdate -u $(awk '$1=="server" {print $2}' /etc/ntp.conf)

But I do not recommend it under any circumstances while ntp is still running.

Use local NTP service

Something like the following should work.

restrict default ignore
restrict 127.0.0.1 nomodify

restrict 192.168.2.102 mask 255.255.255.0 nomodify notrap noquery
server 192.168.2.102 burst iburst

server 127.127.1.0
fudge  127.127.1.0 stratum 10

Best Answer

Related Solutions

How to update date/time without shutting down the NTP daemon

Use local NTP service

Related Question