LinuxQuestions.org
#1  06-05-2010, 01:02 AM  mikewc02
NTP Error - "Failed to drop root privileges."


I encountered an issue after installing NTP on a VM running CentOS 5.5. (I installed it using the standard "yum install ntp".) When I attempted to start NTP, it would fail to sync with the NTP servers, but seemed to start ok. If I checked its status, though, I would see that there was a dead PID file in /var/run, and that it wasn't actually running.

Checking the /var/log/messages file, I would see this each time I attempted to start it.


Jun 5 03:46:25 cent01 ntpdate[31933]: cap_set_proc failed.
Jun 5 03:46:25 cent01 ntpd[31936]: ntpd 4.2.2p1@1.1570-o Sat Dec 19 00:56:13 UTC 2009 (1)
Jun 5 03:46:25 cent01 ntpd[31937]: precision = 1.000 usec
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface wildcard, 0.0.0.0#123 Disabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface wildcard, ::#123 Disabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface lo, ::1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface lo, 127.0.0.1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface venet0, 127.0.0.1#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: Listening on interface venet0:0, [MY SERVER IP]#123 Enabled
Jun 5 03:46:25 cent01 ntpd[31937]: kernel time sync status 0040
Jun 5 03:46:26 cent01 ntpd[31937]: cap_set_proc() failed to drop root privileges: Operation not permitted


I did some Googling, and tried a couple of things.

- Uninstalled and reinstalled ntpd.
- Updated the libcap package.
- Temporarily disabled iptables. Verified nothing was blocking port 123.
- Verified connectivity to NTP servers.

I eventually ran across a post that alluded to the /etc/sysconfig/ntpd file, one that I hadn't touched yet. Taking a look at that, I saw this at the top.


# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"


This seemed to match the error I was seeing in the messages file. For grins, I commented this line out and attempted to start NTP. It synced and fired right up. The resulting PID file is also owned by root, as would be expected as a result of commenting out that line.

My question is this. I feel like my workaround is sort of a band-aid, and probably not the most secure solution. This is a personal server, so if something happens to it, it's not really a huge deal. For my own understanding, though, I'd like to get a better understanding of this, and see if anyone has encountered this issue before, or has a better solution. Various articles and threads I have read allude to various "kernel bugs" and things of this nature, but nothing specific is ever mentioned.

Here are the relevant stats.

[root@cent01 run]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root@cent01 run]# uname -a
Linux cent01.xxxxxxxxx.net 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 x86_64 x86_64 x86_64 GNU/Linux

[root@cent01 run]# rpm -qa | grep ntp
ntp-4.2.2p1-9.el5.centos.2.1

[root@cent01 run]# grep ntp /etc/passwd
ntp:x:38:38::/etc/ntp:/sbin/nologin



Config files:


Code:
[root@cent01 run]# cat /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
#OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"

# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no

# Additional options for ntpdate
NTPDATE_OPTIONS=""

Code:
[root@cent01 run]# cat /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

#broadcast 192.168.1.255 key 42         # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 key 42             # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 key 42  # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0      # local clock
fudge  127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

Code:
[root@cent01 run]# cat /etc/ntp/step-tickers
0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org
3.us.pool.ntp.org

If anyone has any thoughts, or has seen this before, your feedback would be most appreciated.

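The check I would run first on that box, as an added example that is not part of the original post: the logged line comes from cap_set_proc(), which ntpd calls after it has changed to uid ntp so that it keeps CAP_SYS_TIME (the capability adjtimex and settimeofday require). The kernel answers EPERM whenever the new permitted set is not a subset of the old one, so the thing to look at is the Cap* lines in /proc/self/status of the root shell the init script runs from. The two status excerpts below are constructed samples, not output from the OP's server; the bit numbers are the kernel's (linux/capability.h).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from the kernel's linux/capability.h. */
#define CAP_SETGID    6
#define CAP_SETUID    7
#define CAP_SYS_TIME 25

/* Sentinel for "field not present" (no real mask has all 64 bits set). */
#define CAP_MISSING UINT64_MAX

/* Constructed samples of the Cap* lines of /proc/<pid>/status, not taken
 * from the thread.  The first is what root looks like on a 2.6.18 host
 * kernel (everything but CAP_SETPCAP, bit 8); the second clears bit 25
 * (CAP_SYS_TIME) to model a container whose root may not set the clock. */
static const char SAMPLE_HOST_ROOT[] =
    "Name:\tbash\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n";

static const char SAMPLE_CONTAINER_ROOT[] =
    "Name:\tbash\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fdfffeff\n"
    "CapEff:\t00000000fdfffeff\n";

/* Parse "<field>:<whitespace><hex>" at the start of a line of status_text.
 * Returns the 64-bit mask, or CAP_MISSING if the field is absent (CapBnd,
 * for example, only appears on 2.6.25 and later kernels). */
uint64_t cap_mask_from_status(const char *status_text, const char *field)
{
    char key[32];
    const char *p = status_text;

    snprintf(key, sizeof key, "%s:", field);
    while ((p = strstr(p, key)) != NULL) {
        if (p == status_text || p[-1] == '\n') {
            p += strlen(key);
            while (*p == ' ' || *p == '\t')
                p++;
            return strtoull(p, NULL, 16);
        }
        p += strlen(key);
    }
    return CAP_MISSING;
}

int cap_in_mask(uint64_t mask, int bit)
{
    return (int)((mask >> bit) & 1ULL);
}

/* What "ntpd -u ntp:ntp" needs in the permitted set: CAP_SETGID and
 * CAP_SETUID for the id change, and CAP_SYS_TIME already present, because
 * capset() can only shrink the permitted set, never grow it.  Returns 1 if
 * the drop can succeed, 0 if not, -1 if there is no CapPrm line at all. */
int ntpd_drop_possible(const char *status_text)
{
    uint64_t prm = cap_mask_from_status(status_text, "CapPrm");
    if (prm == CAP_MISSING)
        return -1;
    return cap_in_mask(prm, CAP_SETGID) && cap_in_mask(prm, CAP_SETUID) &&
           cap_in_mask(prm, CAP_SYS_TIME);
}

/* Stand-alone use: read the caller's own status file and report.  Run it
 * as root, the same way the init script starts ntpd. */
int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;

    if (f == NULL) {
        perror("/proc/self/status");
        return 1;
    }
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    switch (ntpd_drop_possible(buf)) {
    case 1:  puts("CapPrm has setgid, setuid and sys_time: -u ntp:ntp can work");  return 0;
    case 0:  puts("CapPrm lacks setgid, setuid or sys_time: -u ntp:ntp will get EPERM"); return 2;
    default: puts("no CapPrm line in /proc/self/status"); return 3;
    }
}
```

If the report is the second line, commenting out -u does not give the capability back: a root ntpd in the same place has no CAP_SYS_TIME either and cannot step or slew the clock, it only stops logging the error. On an OpenVZ container (the 028stab kernel string and the venet0 interface in the log are OpenVZ's) that capability is decided on the host, through vzctl's --capability sys_time:on, not from inside the container.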
 
#2  06-05-2010, 08:19 PM  unSpawn (Moderator)
Quote:
Originally Posted by mikewc02 View Post
Uninstalled and reinstalled ntpd.
With all due respect, that sort of reflex is almost never needed with GNU/Linux software.


Quote:
Originally Posted by mikewc02 View Post
Updated the libcap package.
If installed by rpm or Yum the default libcap package will work OK.


Quote:
Originally Posted by mikewc02 View Post
Temporarily disabled iptables. Verified nothing was blocking port 123. Verified connectivity to NTP servers.
It's about POSIX Capabilities not the firewall or remote servers.


Quote:
Originally Posted by mikewc02 View Post
2.6.18-028stab068.9 #1 SMP
That looks like a non-standard kernel to me. To drop root privileges your kernel needs to be compiled with POSIX Capabilities enabled. If it's an external module you should load it before starting the NTPd.
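To make unSpawn's point concrete, here is the sequence that "-u ntp:ntp" runs through, as an added example: it is not ntpd's source and not from the thread, and it uses the raw capget/capset syscalls instead of libcap's cap_set_proc() so that it builds without libcap. The "ntp" account name is taken from the OP's /etc/passwd line; the step that fails, and the errno it fails with, is what tells you whether the kernel you are on (or the container it put you in) ever gave root the capability in the first place.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_SYS_TIME 25
/* capget/capset ABI v3 (2.6.26+) carries each set as two 32-bit halves;
 * an older kernel answers a probe with the version it does speak. */
#define CAP_VERSION_3 0x20080522

struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Split a 64-bit "keep" mask into the capset payload: permitted and
 * effective get exactly the kept bits, inheritable is cleared. */
void build_cap_payload(uint64_t keep, struct cap_data data[2])
{
    data[0].effective = data[0].permitted = (uint32_t)(keep & 0xffffffffULL);
    data[1].effective = data[1].permitted = (uint32_t)(keep >> 32);
    data[0].inheritable = data[1].inheritable = 0;
}

/* Accessors so the payload can be checked without root. */
uint32_t payload_permitted_low(uint64_t keep)   { struct cap_data d[2]; build_cap_payload(keep, d); return d[0].permitted; }
uint32_t payload_permitted_high(uint64_t keep)  { struct cap_data d[2]; build_cap_payload(keep, d); return d[1].permitted; }
uint32_t payload_inheritable_low(uint64_t keep) { struct cap_data d[2]; build_cap_payload(keep, d); return d[0].inheritable; }

/* Ask the kernel which capget/capset ABI it speaks.  A NULL data pointer
 * makes capget a pure probe: on an unknown version the kernel writes its
 * own into hdr.version. */
uint32_t kernel_cap_version(void)
{
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };
    syscall(SYS_capget, &hdr, NULL);
    return hdr.version;
}

/* The sequence behind "ntpd -u user:group".  Returns 0 on success or the
 * errno of the failing step, whose name is left in *step. */
int drop_to_user(const char *user, const char *group, uint64_t keep, const char **step)
{
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);
    struct cap_hdr hdr = { kernel_cap_version(), 0 };
    struct cap_data data[2];

    if (pw == NULL || gr == NULL) { *step = "getpwnam/getgrnam"; return ENOENT; }
    /* 1. Without KEEPCAPS the kernel empties the permitted set on setuid(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { *step = "prctl(PR_SET_KEEPCAPS)"; return errno; }
    /* 2. Groups first, while CAP_SETGID is still effective. */
    if (setgroups(0, NULL) < 0 || setgid(gr->gr_gid) < 0) { *step = "setgid"; return errno; }
    /* 3. Leaving uid 0 clears the effective set but keeps permitted. */
    if (setuid(pw->pw_uid) < 0) { *step = "setuid"; return errno; }
    /* 4. Shrink to the kept bits and raise them into the effective set.
     *    capset refuses (EPERM) any bit that is not already permitted: a
     *    kernel or container that never handed root CAP_SYS_TIME fails
     *    here, which is the "failed to drop root privileges" line ntpd logs.
     *    Passing two halves to a v1 kernel is harmless; it reads only one. */
    build_cap_payload(keep, data);
    if (syscall(SYS_capset, &hdr, data) < 0) { *step = "capset"; return errno; }
    return 0;
}

int main(int argc, char **argv)
{
    const char *step = "";
    const char *name = argc > 1 ? argv[1] : "ntp";   /* ntp:ntp, as in the thread */
    int err = drop_to_user(name, name, 1ULL << CAP_SYS_TIME, &step);

    if (err != 0) {
        fprintf(stderr, "%s: %s\n", step, strerror(err));
        return 1;
    }
    printf("uid %d gid %d, kept CAP_SYS_TIME; cap ABI 0x%08x\n",
           (int)getuid(), (int)getgid(), kernel_cap_version());
    return 0;
}
```

Build it with cc -o drop drop.c and run ./drop ntp as root. "capset: Operation not permitted" reproduces the OP's log and means the fix is wherever the capability set of that root process is decided (the kernel build, or the container configuration on the host), not in /etc/sysconfig/ntpd; a failure at prctl instead means the kernel has no capability support at all, which is the other case unSpawn describes.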
#3  06-05-2010, 11:59 PM  mikewc02 (Original Poster)
Thank you.
 
#4  06-06-2010, 06:08 AM  unSpawn (Moderator)
Quote:
Originally Posted by mikewc02 View Post
Thank you.
Well, OK, but was it about POSIX Capabilities or not?

 
#5  06-06-2010, 11:35 AM  mikewc02 (Original Poster)
Yes, it was.
 
#6  12-08-2010, 11:37 AM  mainebob
OK, this is a great thread that allowed me to get NTP running on my new "CentOS release 5.5 (Final)".
I edited out the line in /etc/sysconfig/ntpd. Now I started ntpd and it stays running.
I went to an older server, "CentOS release 4.8 (Final)", and had to do the same fix to keep ntpd running.
The 5.5 release was new out of the box, and the 4.8 has been running a good while, so I don't consider
it a non-standard installation. I do want to be secure and not run ntpd as root if it is a security issue.

I did a simple yum install of ntp version 4.2.2p1 on the CentOS 5.5
and ntp 4.2.0.a.20040617 on CentOS 4.8.

Any other suggestions to make this work without the hack to sysconfig?

-Bob O
 
#7  01-04-2011, 12:28 PM  catkin
Clocks in VMs are subtle; I vaguely recall that it is better not to run NTP in guests and to rely on the NTP-synchronised host's clock. This excerpt from the VirtualBox Manual alludes to some of the issues which presumably apply to all virtualisation products:
Code:
Time synchronization
     With the Guest Additions installed, VirtualBox can ensure that the
     guest’s system time is better synchronized with that of the host.

     For various reasons, the time in the guest might run at a slightly different rate than the
     time on the host. The host could be receiving updates via NTP and its own time might not
     run linearly. A VM could also be paused, which stops the flow of time in the guest for a
     shorter or longer period of time. When the wall clock time between the guest and host only
     differs slightly, the time synchronization service attempts to gradually and smoothly adjust
     the guest time in small increments to either “catch up” or “lose” time. When the difference
     is too great (e.g., a VM paused for hours or restored from saved state), the guest time is
     changed immediately, without a gradual adjustment.

     The Guest Additions will re-synchronize the time regularly. See chapter 9.12.3, Tuning
     the Guest Additions time synchronization parameters, page 141 for how to configure the
     parameters of the time synchronization mechanism.
 