Red Hat Bugzilla – Bug 126360
init script does ntpdate with -U to drop root priv
Last modified: 2007-11-30 17:10:45 EST
Description of problem:
In the ntpd init script it does:
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
The $drop string contains:
This works fine on the standard Red Hat kernel.
On a kernel without SELinux turned on it fails.
debug.5:May 25 17:36:11 smirl ntpdate: cap_set_proc failed.
debug.5:May 25 17:36:12 smirl ntpd: cap_set_proc failed.
Workaround is to remove $dropstr on non-SE kernels.
IIRC, this can be done with a non-selinux-enabled kernel, but
CAP_SETPCAP may need to have been unmasked in the kernel source
If you test, you'll probably want to test for the presence of
capability flags, rather than for specific patches.
does loading the 'capability' module solve your problem?
I believe the 'capabilities' module is a 2.4 feature. I looked around
in the 2.6 tree and couldn't find anything by that name. I have the
'default' security model turned on. If I turn on 'selinux' the problem
goes away. The problem is still there with kernel 2.6.8-rc1.
I suspect ntpd -U is using a SELinux feature that is not there in a
To change your kernel security mode, make xconfig, select security,
select enable different security mode, pick default instead of se.
capabilities are present in the kernel 2.6 and are essential for Red
Hat's security model. Without capabilities ntp cannot drop root
rights, so you have to remove the command line parameters yourself. sorry!
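The suggestion above to test for capability support itself, rather than for a particular kernel patch, as an added example that is not part of the bug report or of ntp: it checks whether the running kernel honours capability get/set (what `-U` relies on to drop root) and inspects a constructed `/proc/<pid>/status` fragment for CAP_SYS_TIME. It uses raw syscalls so no libcap is required and assumes a Linux kernel; the probe names and the sample status text are my own.

```c
/* Added example, not from the bug report or from ntp. Probes whether this
 * kernel actually implements capability get/set, which "ntpdate -U" and
 * "ntpd -U" need in order to drop root while keeping CAP_SYS_TIME. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Returns 1 if capability <cap> is set in the CapEff line of a
 * /proc/<pid>/status text, 0 if it is clear, -1 if the kernel exposes
 * no CapEff line at all (no capability support to speak of). */
int capeff_has(const char *status_text, int cap)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> cap) & 1);
}

/* Round-trip probe: read our own capability sets and write them back
 * unchanged. Returns 1 when the kernel honours both calls, 0 when either
 * fails, which is the situation behind "cap_set_proc failed". */
int kernel_supports_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) {
        /* Older kernel: it reports the version it knows, so retry with it. */
        if (errno != EINVAL || syscall(SYS_capget, &hdr, data) != 0)
            return 0;
    }
    /* Writing back the same sets raises nothing, so this is safe unprivileged. */
    return syscall(SYS_capset, &hdr, data) == 0;
}

int main(void)
{
    /* Constructed status-file fragment, not a live read of /proc. */
    const char *sample = "Name:\tntpd\nCapInh:\t0000000000000000\n"
                         "CapEff:\t0000000002000000\n";
    printf("CAP_SYS_TIME in sample CapEff: %d\n",
           capeff_has(sample, CAP_SYS_TIME));
    printf("capabilities usable on this kernel: %s\n",
           kernel_supports_caps() ? "yes" : "no");
    return 0;
}
```

An init script could run such a probe and only append the `-U` drop string when it reports success, instead of hard-coding it and silently swallowing the `cap_set_proc failed` error with `2>/dev/null`.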