[rsbac] rsbac and ntpd
andrea at rsbac.org
Thu Jan 19 15:25:38 CET 2006
I am using ntpd and rsbac, there is a little bit of config to do to run
it. I have a script (no menus) which does that for me (and no JAIL), it
is not the best and most secure script, I am sure, but ntpd works fine
with it. At least it can give you an idea of what could be needed to
get ntpd to work. You can find the script in the rpm at
PS. If an rpm is no good for you, mail me directly and I'll send you
just the ntpd script.
On Thu, Jan 19, 2006 at 02:37:02PM +0100, jochem_ippers at email.de wrote:
* I've just tried it in softmode again without chroot jail (it was not the rsbac JAIL before) and with all min-CAPs turned on for /usr/ntpd. But it's still the same error. But now there is also the rsbac NOT GRANTED warning (MODIFY_SYSTEM_DATA) by the RC module.
* Hmm, before the reboot into softmode I switched the RC module off when I set the ACL, after that worked I tried to switch RC on again, but that didn't work. So, I rebooted (with RC module and softmode switched on) and now it logs the mentioned rsbac message (again). So, I am not sure how/if both warnings (rsbac, ntp-log) relate to each other. Do I have to create a role for ntpd (first)?
* I think I need some time to understand how to control such 'inner' system stuff with rsbac - tricky, but very interesting. And I hope my question won't be too dumb. ;-)
* RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 13:04:59:
* > On Thursday 19 January 2006 12:56, jochem_ippers at email.de wrote:
* > > I've got a problem with the ntpd (working as a client). I set AUTH
* > capabilities (to user/group ntp) and then an ACL entry for ntpd (SCD:
* > capability/MODIFY_SYSTEM_DATA or: clock) so that the rsbac log entries
* > (...NOT GRANTED...) disappeared. When I start ntpd it contacts the
* > ntp server but then it mmm dies, and the ntp log says:
* > > cap_set_proc() failed to drop root privileges: Operation not
* > permitted
* > > So I tried different settings, but even setting CAP:min_caps to ALL
* > and suid to on (for /usr/sbin/ntpd) doesn't change it.
* > > Does anyone know the 'trick'? (Is it a posix capability (module)
* > thing?)
* > Do you run ntpd in a jail? Or with a max_caps setting?
* > Does it work in global softmode?
* > Amon.
* > --
* > http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
* > _______________________________________________
* > rsbac mailing list
* > rsbac at rsbac.org
* > http://www.rsbac.org/mailman/listinfo/rsbac
Andrea Pasquinucci andrea at rsbac.org http://www.rsbac.org/
My public PGP key is at http://www.ucci.it/andrea_rsbac_key.asc
fingerprint = E74B E276 0F75 F894 0DBD 3A04 AE80 B557 6550 270F