LinuxQuestions.org

Linux - Software: NTP Error - "Failed to drop root privileges." (http://www.linuxquestions.org/questions/linux-software-2/ntp-error-failed-to-drop-root-privileges-812256/)

mikewc02 06-05-2010 12:02 AM

NTP Error - "Failed to drop root privileges."
 
I encountered an issue after installing NTP on a VM running CentOS 5.5. (I installed it using the standard "yum install ntp".) When I attempted to start NTP, it would fail to sync with the NTP servers, but seemed to start ok. If I checked its status, though, I would see that there was a dead PID file in /var/run, and that it wasn't actually running.

Checking the /var/log/messages file, I would see this each time I attempted to start it.

Code:
Jun 5 03:46:25 cent01 ntpdate[31933]: cap_set_proc failed.
Jun 5 03:46:25 cent01 ntpd[31936]: ntpd 4.2.2p1@1.1570-o Sat Dec 19 00:56:13 UTC 2009 (1)
Jun 5 03:46:25 cent01 ntpd[31937]: precision = 1.000 usec
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface wildcard, 0.0.0.0#123 Disabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface wildcard, ::#123 Disabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface lo, ::1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface lo, 127.0.0.1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface venet0, 127.0.0.1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface venet0:0, [MY SERVER IP]#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: kernel time sync status 0040
Jun 5 03:46:26 cent01 ntpd[31937]: cap_set_proc() failed to drop root privileges: Operation not permitted


I did some Googling, and tried a couple of things.

- Uninstalled and reinstalled ntpd.
- Updated the libcap package.
- Temporarily disabled iptables. Verified nothing was blocking port 123.
- Verified connectivity to NTP servers.

I eventually ran across a post that alluded to the /etc/sysconfig/ntpd file, one that I hadn't touched yet. Taking a look at that, I saw this at the top.

Code:
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"


This seemed to match the error I was seeing in the messages file. For grins, I commented this line out and attempted to start NTP. It synced and fired right up. The resulting PID file is also owned by root, as would be expected as a result of commenting out that line.

My question is this. I feel like my workaround is sort of a band-aid, and probably not the most secure solution. This is a personal server, so if something happens to it, it's not really a huge deal. For my own understanding, though, I'd like to get a better understanding of this, and see if anyone has encountered this issue before, or has a better solution. Various articles and threads I have read allude to various "kernel bugs" and things of this nature, but nothing specific is ever mentioned.

Here are the relevant stats.

[root@cent01 run]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root@cent01 run]# uname -a
Linux cent01.xxxxxxxxx.net 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 x86_64 x86_64 x86_64 GNU/Linux

[root@cent01 run]# rpm -qa | grep ntp
ntp-4.2.2p1-9.el5.centos.2.1

[root@cent01 run]# grep ntp /etc/passwd
ntp:x:38:38::/etc/ntp:/sbin/nologin



Config files:


Code:

[root@cent01 run]# cat /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
#OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"

# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no

# Additional options for ntpdate
NTPDATE_OPTIONS=""


Code:

[root@cent01 run]# cat /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

#broadcast 192.168.1.255 key 42        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 key 42            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254        # manycast server
#manycastclient 239.255.254.254 key 42  # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0      # local clock
fudge  127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8


Code:

[root@cent01 run]# cat /etc/ntp/step-tickers
0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org
3.us.pool.ntp.org


If anyone has any thoughts, or has seen this before, your feedback would be most appreciated. :)

unSpawn 06-05-2010 07:19 PM

Quote:

Originally Posted by mikewc02 (Post 3993036)
Uninstalled and reinstalled ntpd.

With all due respect, that sort of reflex is almost never needed with GNU/Linux software.


Quote:

Originally Posted by mikewc02 (Post 3993036)
Updated the libcap package.

If installed by rpm or Yum, the default libcap package will work OK.


Quote:

Originally Posted by mikewc02 (Post 3993036)
Temporarily disabled iptables. Verified nothing was blocking port 123. Verified connectivity to NTP servers.

It's about POSIX Capabilities not the firewall or remote servers.


Quote:

Originally Posted by mikewc02 (Post 3993036)
[root@cent01 run]2.6.18-028stab068.9 #1 SMP

That looks like a non-standard kernel to me. To drop root privileges your kernel needs to be compiled with POSIX Capabilities enabled. If it's an external module you should load it before starting the NTPd.

mikewc02 06-05-2010 10:59 PM

Thank you.

unSpawn 06-06-2010 05:08 AM

Quote:

Originally Posted by mikewc02 (Post 3993913)
Thank you.

Well, OK, but was it about POSIX Capabilities or not?

mikewc02 06-06-2010 10:35 AM

Yes, it was.

mainebob 12-08-2010 10:37 AM

Ok, this is a great thread that allowed me to get NTP running on my new "CentOS release 5.5 (Final)". I edited out the line in /etc/sysconfig/ntpd. Now I started ntpd and it stays running.

I went to an older server, "CentOS release 4.8 (Final)", and had to do the same fix to keep ntpd running. The 5.5 release was new out of the box... so the 4.8 has been running a good while, so I don't consider it a non-standard installation. I do want to be secure and not run ntpd as root if it is a security issue.

I did a simple yum install ntp, version 4.2.2p1 on the CentOS 5.5 and ntp 4.2.0.a.20040617 on CentOS 4.8.

Any other suggestions to make this work without the hack of sysconfig?

-Bob O

catkin 01-04-2011 11:28 AM

Clocks in VMs are subtle; I vaguely recall that it is better not to run NTP in guests and to rely on the NTP-synchronised host's clock. This excerpt from the VirtualBox Manual alludes to some of the issues which presumably apply to all virtualisation products:
Code:

Time synchronization
    With the Guest Additions installed, VirtualBox can ensure that the
    guest’s system time is better synchronized with that of the host.

    For various reasons, the time in the guest might run at a slightly different rate than the
    time on the host. The host could be receiving updates via NTP and its own time might not
    run linearly. A VM could also be paused, which stops the flow of time in the guest for a
    shorter or longer period of time. When the wall clock time between the guest and host only
    differs slightly, the time synchronization service attempts to gradually and smoothly adjust
    the guest time in small increments to either “catch up” or “lose” time. When the difference
    is too great (e.g., a VM paused for hours or restored from saved state), the guest time is
    changed immediately, without a gradual adjustment.

    The Guest Additions will re-synchronize the time regularly. See chapter 9.12.3, Tuning
    the Guest Additions time synchronization parameters, page 141 for how to configure the
    parameters of the time synchronization mechanism.
