Description of problem:
/etc/init.d/ntpd calls ntpdate as follows:

    /usr/sbin/ntpdate -s -b -p 8 $tickers

It's missing "-U ntp", so ntpdate ends up running with root privileges. Running network programs with root privileges when they aren't needed of course isn't good for security.

Version-Release number of selected component (if applicable):
ntp-4.1.2-4

How reproducible:
Always

Steps to Reproduce:
n/a

Actual Results:
ntpdate runs as 'root'

Expected Results:
ntpdate runs as 'ntp'

Additional info:
ntpd is run with "-U ntp" (see /etc/sysconfig/ntpd) so this issue is specific to the ntpdate call.
ntpdate has not been patched to drop root privileges, yet...
Hmm? I can run "ntpdate -U ntp ..." by hand and it works. Also "man ntpdate" mentions the -U option.
oops... forgot about that :) ... ok, then you are right :)
Removing Security keyword, because there's no known exploit vector.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0414.html
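
A way to check an init script for the condition reported above, added here as an example and not part of the bug report or the ntp package: it lists ntpdate invocations that do not pass -U. The function names audit_ntpdate_calls and write_sample are hypothetical, and the sample script is constructed around the command line quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report). audit_ntpdate_calls is a hypothetical
# helper: it lists ntpdate invocations in a script that do not pass -U <user>.
# Prints "<line>: <command>" per finding and returns 1 if any were found.
audit_ntpdate_calls() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        {
            line = $0; start = NR
            # join backslash-continued lines into one logical command
            while (line ~ /\\$/ && (getline nxt) > 0) {
                sub(/\\$/, "", line)
                line = line " " nxt
            }
            n = split(line, tok)
            call = 0; user = 0
            for (i = 1; i <= n; i++) {
                # a token naming the ntpdate binary (not a VAR=... assignment)
                if (tok[i] !~ /=/ && tok[i] ~ /(^|\/)ntpdate$/) call = 1
                # "-U name" or "-Uname" after the command counts as a user switch
                else if (call && tok[i] == "-U" && i < n) user = 1
                else if (call && tok[i] ~ /^-U./) user = 1
            }
            if (call && !user) { printf "%d: %s\n", start, line; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the first call is the one quoted in the report,
# the other two pass -U ntp (one of them across a continued line).
write_sample() {
    cat > "$1" <<'EOF'
# sync the clock before starting ntpd
/usr/sbin/ntpdate -s -b -p 8 $tickers
/usr/sbin/ntpdate -U ntp -s -b -p 8 $tickers
/usr/sbin/ntpdate -s -b \
    -U ntp -p 8 $tickers
EOF
}
```

The check only confirms that a -U argument is present; which account it names still has to be compared against the one ntpd itself runs as.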