"ntpd -U ntp" not working with kernel 2.6

Message

geophagus · Post by **geophagus** » Sat Dec 20, 2003 1:50 pm

The error message in ntpd.log is

20 Dec 14:39:58 ntpd[19866]: frequency initialized 0.000 from /var/lib/ntp/ntp.drift
20 Dec 14:39:58 ntpd[19867]: signal_no_reset: signal 17 had flags 4000000
20 Dec 14:39:58 ntpd[19866]: cap_set_proc failed.
20 Dec 14:40:00 ntpd[19867]: parent died before we finished, exiting

The problem is caused by libcap. This library is needed when ntpd should drop root privileges. But libcap seems to be available only for kernel versions lower than 2.6. Even on the libcap homepage (www.kernel.org) I didn't find a 2.6 aware version of libcap.

Running ntpd as root works fine. But ist's not really what I want. Did someone else experience this problem?

geophagus · Post by **geophagus** » Sat Dec 20, 2003 2:19 pm

Hmmm. I tried to find an answer for days now. But just after having written down my problem, the solution flashed into my mind. It's (not only?) libcap, it's the new kernel config parameter CONFIG_SECURITY_CAPABILITIES. On my system it's set to "m". After having modprobe'd capability, ntpd now runs as user ntp

kepik_k · Post by **kepik_k** » Wed Dec 22, 2004 2:12 am

Thanks for the pointer, I just got my nptd -u ntp:ntp to work after recompiling 2.6.9-r10 with CONFIG_SECURITY_CAPABILITIES=yes

tecknojunky · Post by **tecknojunky** » Sat Feb 26, 2005 5:12 am

kepik_k wrote:Thanks for the pointer, I just got my nptd -u ntp:ntp to work after recompiling 2.6.9-r10 with CONFIG_SECURITY_CAPABILITIES=yes

Thank you

jonaswidarsson · Post by **jonaswidarsson** » Wed Mar 22, 2006 12:32 pm

Doesn't work for me.
Running gentoo sources 2.6.10-gentoo-r6 on a file server.

Code: Select all

fp1 jonas # grep CONFIG_SECURITY /usr/src/linux/.config
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_SELINUX is not set
fp1 jonas #

but still:

Code: Select all

fp1 jonas # tail /var/log/everything/current
Mar 22 13:25:52 [rc-scripts] WARNING:  "ntpd" has already been started.
Mar 22 13:25:57 [rc-scripts] Failed to stop ntpd
Mar 22 13:25:59 [rc-scripts] WARNING:  "ntpd" has already been started.
Mar 22 13:26:04 [ntpd] ntpd 4.2.0a@1.1190-r Wed Mar 22 13:16:53 CET 2006 (1)
Mar 22 13:26:04 [ntpd] precision = 1.000 usec
Mar 22 13:26:04 [ntpd] Listening on interface wildcard, 0.0.0.0#123
Mar 22 13:26:04 [ntpd] Listening on interface lo, 127.0.0.1#123
Mar 22 13:26:04 [ntpd] Listening on interface eth0, 192.168.1.196#123
Mar 22 13:26:04 [ntpd] kernel time sync status 0040
Mar 22 13:26:04 [ntpd] cap_set_proc() failed to drop root privileges: Operation not permitted
fp1 jonas #

Is it required to be a module?
Maybe I should upgrade to a newer kernel, but you know how lazy one can get...

here's my command line, echoed from the initscript:
/usr/sbin/ntpd -p /var/run/ntpd.pid -u ntp:ntp

jonaswidarsson · Post by **jonaswidarsson** » Wed Mar 22, 2006 10:31 pm

SOLVED by upgrading to latest kernel 2.6.15-gentoo-r1, which forced me to upgrade baselayout first, due to the udev stuff.
I am not sure what fixed the problem, but I am glad to see ntpd survives the user switch now.

Note that I do not have CONFIG_SECURITY_CAPABILITIES as a module. It is compiled in, and works fine with this newer kernel.

BizarroJack · Post by **BizarroJack** » Tue Oct 17, 2006 8:31 pm

I had a problem in the same ballpark, more or less - From an older version of the ebuild, I automatically had ntpd configured to start with " -u ntp:ntp" (based on conf.d/ntpd), but this would never work without a build with "USE=caps" enabled. Interestingly, ntpd had been failing with no error message, so I wasn't even aware that it wasn't running for a time. More importantly, I was not shown WHY it wasn't running. My only clue was that when I tested in debug mode of ntpd (-d), a "usage:" text was printed that wasn't shown before, and I saw that the "-u" syntax was not part of the usage text. From that, I inferred that it must be a build problem, and examined the meanings of the USE options for the ntp package.

mbaecker · Post by **mbaecker** » Tue Oct 31, 2006 8:23 am

I tried the solution from the last post:

/etc/portage/package.use:
net-misc/ntp caps

After this change, it worked like a charme.

Thanks for the help!

numbaonestunna · Post by **numbaonestunna** » Mon Mar 12, 2007 8:27 pm

mbaecker wrote:I tried the solution from the last post:

/etc/portage/package.use:
net-misc/ntp caps

After this change, it worked like a charm!

Thanks for the help!

Most beautiful post ever. =) /sniff Thank you. Fixed my problem too!

nobspangle · Post by **nobspangle** » Thu Mar 22, 2007 8:49 am

Thanks, I've been searching for a solution to this too.

drumgod · Post by **drumgod** » Thu Apr 19, 2007 2:58 am

WooHoo! Another thank you from me...

ben_dash · Post by **ben_dash** » Mon May 28, 2007 6:20 pm

Thanks from here too!