[rsbac] rsbac and ntpd

jochem_ippers at email.de
Thu Jan 19 14:37:02 CET 2006


Hi,
I've just tried it in softmode again without a chroot jail (it was not the rsbac JAIL before) and with all min-CAPs turned on for /usr/ntpd. But it's still the same error, and now there is also the rsbac NOT GRANTED warning (MODIFY_SYSTEM_DATA) from the RC module.
Hmm, before the reboot into softmode I switched the RC module off when I set the ACL; after that worked I tried to switch RC on again, but that didn't work. So I rebooted (with the RC module and softmode switched on) and now it logs the mentioned rsbac message (again). So I am not sure how/if both warnings (rsbac, ntp log) relate to each other. Do I have to create a role for ntpd (first)?
I think I need some time to understand how to control such 'inner' system stuff with rsbac - tricky, but very interesting. And I hope my question isn't too dumb. ;-)
Greetings
Jochem



RSBAC Discussion and Announcements <rsbac at rsbac.org> schrieb am 19.01.06 13:04:59:
> 
> On Thursday 19 January 2006 12:56, jochem_ippers at email.de wrote:
> > I've got a problem with the ntpd (working as a client). I set AUTH
> > capabilities (to user/group ntp) and then an ACL entry for ntpd (SCD:
> > capability/MODIFY_SYSTEM_DATA or: clock) so that the rsbac log entries
> > (...NOT GRANTED...) disappeared. When I start ntpd it contacts the
> > ntp server but then it mmm dies, and the ntp log says:
> > cap_set_proc() failed to drop root privileges: Operation not
> > permitted
> > So I tried different settings, but even setting CAP:min_caps to ALL
> > and suid to on (for /usr/sbin/ntpd) doesn't change it.
> > Does anyone know the 'trick'?  (Is it a posix capability (module)
> > thing?)
> 
> Do you run ntpd in a jail? Or with a max_caps setting?
> 
> Does it work in global softmode?
> 
> Amon.
> -- 
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
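The log line Jochem quotes is easier to reason about at the syscall level. The C program below is an added example, not code from this thread, from ntpd or from RSBAC: it reimplements, with raw capget()/capset() calls instead of libcap, the privilege-drop sequence ntpd performs on Linux when started as root with "-u user:group" (keep capabilities across the uid change, switch uid/gid, then re-raise only CAP_SYS_TIME). libcap's cap_set_proc() ends in the same capset() syscall, and the kernel only ever lets capset() shrink the permitted set, so anything that has already stripped CAP_SYS_TIME from the process's permitted set before that call (Amon's questions about a jail or a max_caps setting point in that direction) surfaces as exactly the "Operation not permitted" in the ntpd log. The function names, the "=epi" set ntpd asks for, and the choice of the caller's own uid/gid as the target account are assumptions of mine.

```c
/* Added example (not from the thread, ntpd or RSBAC): ntpd's root-dropping
 * sequence on Linux with raw capget()/capset(), no libcap required. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capability sets are bitmaps spread over two 32-bit words (v3 ABI). */
#define CAP_WORD(c) ((c) >> 5)
#define CAP_BIT(c)  (1U << ((c) & 31))

/* 1 if `cap` is in the calling thread's permitted set, 0 if not,
 * -errno if capget() itself fails. */
int cap_permitted(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return (data[CAP_WORD(cap)].permitted & CAP_BIT(cap)) ? 1 : 0;
}

/* Make permitted = effective = inheritable = {cap}, or all three empty if
 * cap < 0.  This is the request behind cap_set_proc() of "cap_sys_time=epi"
 * (assumed to be what ntpd asks libcap for).  The kernel answers EPERM if
 * `cap` is not already in the permitted set: capset() can only drop
 * capabilities, never regain them.  Returns 0 or -errno. */
int keep_only_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    if (cap >= 0) {
        data[CAP_WORD(cap)].permitted   = CAP_BIT(cap);
        data[CAP_WORD(cap)].effective   = CAP_BIT(cap);
        data[CAP_WORD(cap)].inheritable = CAP_BIT(cap);
    }
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* ntpd's sequence: keep the permitted set across the uid change, switch
 * gid/uid, then re-raise CAP_SYS_TIME (the uid change clears the effective
 * set even with KEEPCAPS, so it has to be raised again).  Returns 0 or
 * -errno; -EPERM is the "failed to drop root privileges" case. */
int drop_to_user_keep_time(uid_t uid, gid_t gid)
{
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -errno;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    return keep_only_cap(CAP_SYS_TIME);
}

int main(void)
{
    int had = cap_permitted(CAP_SYS_TIME);
    /* Assumption: target account = our own uid/gid, so setuid() never fails
     * and only the capset() step is exercised.  Run as root (with
     * CAP_SYS_TIME) for the successful path; any unprivileged user sees
     * ntpd's failure instead. */
    int rc = drop_to_user_keep_time(getuid(), getgid());

    printf("CAP_SYS_TIME permitted before: %d, drop result: %s\n",
           had, rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Whether the drop succeeds is decided entirely by the permitted set at the moment of the capset() call, which is why checking the process's capabilities right before that step (for example from /proc/PID/status, CapPrm) tells you more than any setting on the binary itself.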
