[rsbac] rsbac and ntpd
jochem_ippers at email.de
Thu Jan 19 14:37:02 CET 2006
Hi,
I've just tried it in softmode again without a chroot jail (it was not the rsbac JAIL before) and with all min-CAPs turned on for /usr/ntpd. But it's still the same error. But now there is also the rsbac NOT GRANTED warning (MODIFY_SYSTEM_DATA) from the RC module.
Hmm, before the reboot into softmode I switched the RC module off when I set the ACL; after that worked I tried to switch RC on again, but that didn't work. So I rebooted (with the RC module and softmode switched on) and now it logs the mentioned rsbac message (again). So I am not sure how/whether both warnings (rsbac, ntp log) relate to each other. Do I have to create a role for ntpd (first)?
I think I need some time to understand how to control such 'inner' system stuff with rsbac - tricky, but very interesting. And I hope my question won't be too dumb. ;-)
Greetings
Jochem
RSBAC Discussion and Announcements <rsbac at rsbac.org> wrote on 19.01.06 13:04:59:
>
> On Thursday 19 January 2006 12:56, jochem_ippers at email.de wrote:
> > I've got a problem with the ntpd (working as a client). I set AUTH
> > capabilities (to user/group ntp) and then an ACL entry for ntpd (SCD:
> > capability/MODIFY_SYSTEM_DATA or: clock) so that the rsbac log entries
> > (...NOT GRANTED...) disappeared. When I start ntpd it contacts the
> > ntp server but then it mmm dies, and the ntp log says:
> > cap_set_proc() failed to drop root privileges: Operation not
> > permitted
> > So I tried different settings, but even setting CAP:min_caps to ALL
> > and suid to on (for /usr/sbin/ntpd) doesn't change it.
> > Does anyone know the 'trick'? (Is it a posix capability (module)
> > thing?)
>
> Do you run ntpd in a jail? Or with a max_caps setting?
>
> Does it work in global softmode?
>
> Amon.
> --
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
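A check that goes with the question above, added here as an example and not code from this thread, from RSBAC or from ntpd: cap_set_proc() can only retain capabilities that are already in the process's permitted set, so when ntpd reports "failed to drop root privileges: Operation not permitted" the first thing to look at is what the kernel (and, if the CAP module has a max_caps setting, RSBAC) actually left in CapPrm. The script below decodes the Cap* lines of /proc/<pid>/status and reports which capabilities a time daemon would still need. It assumes that a client-mode ntpd keeps CAP_SYS_TIME and CAP_NET_BIND_SERVICE after switching to the ntp user (an assumption, not stated on the page); the two status excerpts are constructed, not captured from a real process.

```python
"""Decode the capability sets of a process from its /proc/<pid>/status
lines and report what a privilege-dropping daemon such as ntpd is missing.

Added example for this thread; not RSBAC or ntpd code. The sample status
texts below are constructed, not captured from a running ntpd.
"""
import re

# Linux capability bit numbers (from <linux/capability.h>). Only the ones
# relevant to a time daemon are listed here.
CAP_BITS = {
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_CHROOT": 18,
    "CAP_SYS_TIME": 25,
}

# Assumption for this example: a client-mode ntpd keeps CAP_SYS_TIME (to
# step/slew the clock) and CAP_NET_BIND_SERVICE (UDP/123) after dropping root.
NTPD_NEEDED = {"CAP_SYS_TIME", "CAP_NET_BIND_SERVICE"}

# Constructed sample 1: permitted set still holds bits 25 and 10.
SAMPLE_OK = """\
Name:   ntpd
Uid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 0000000002000400
CapEff: 0000000002000400
"""

# Constructed sample 2: CAP_SYS_TIME has been stripped from the permitted
# set, e.g. by a restrictive capability bound; only CAP_NET_BIND_SERVICE left.
SAMPLE_RESTRICTED = """\
Name:   ntpd
Uid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
"""


def decode_mask(hex_mask):
    """Return the set of known capability names whose bit is set in hex_mask."""
    value = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if value & (1 << bit)}


def parse_status(status_text):
    """Extract every Cap* line (CapInh/CapPrm/CapEff/...) from a status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def missing_for_ntpd(sets):
    """Needed capabilities absent from CapPrm.

    cap_set_proc() can only keep what is already permitted, so any name
    returned here is a candidate cause for 'Operation not permitted'.
    """
    return NTPD_NEEDED - sets.get("CapPrm", set())


def check_pid(pid):
    """Run the same check against a live process (reads /proc/<pid>/status)."""
    with open(f"/proc/{pid}/status") as fh:
        return missing_for_ntpd(parse_status(fh.read()))


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("restricted", SAMPLE_RESTRICTED)):
        print(label, "missing from CapPrm:", sorted(missing_for_ntpd(parse_status(text))))
```

Run it against the real daemon with check_pid(<pid of ntpd>) while ntpd is still root, i.e. before it calls cap_set_proc(); an empty result there but a failure in the ntpd log points at the capset call itself being refused (which is what an RSBAC NOT GRANTED on SCD capability / MODIFY_SYSTEM_DATA would do), whereas a non-empty result means the capability was never permitted in the first place.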