Fincer
/
openntpd-portable
mirror of https://github.com/Fincer/openntpd-portable
1
0
Fork 0
Code Issues 0 Projects 0 Releases 10 Wiki Activity
Portable build framework for OpenNTPD
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
223 Commits
9 Branches
4.4 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
openntpd-portable/INSTALL

131 lines
4.5 KiB
Raw Permalink Normal View History

new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
move to README.md, update platform list
3 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
update source checkout install instructions
9 years ago
Added bison as a build dependency
6 years ago
update source checkout install instructions
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
update install docs, fix outdated links - add OS X privsep user creation instructions from jasper@ - update install instructions to be the same everywhere - remove outdated compiler flags
9 years ago
Change default privsep directory to /var/empty. Add a post-install check to ensure that PRIVSEP_PATH is really empty.
9 years ago
add extra note about properties of the privilege separation directory
9 years ago
re-add the configurable --with-privsep-path install-time sanity check While this still doesn't affect the behavior of the daemon, the configuration option can at least be set to check the correct privsep directory for permissions. Revisit in 5.8 as a possible extension to the runtime check instead to remove the 'knob'.
9 years ago
add extra note about properties of the privilege separation directory
9 years ago
Change default privsep directory to /var/empty. Add a post-install check to ensure that PRIVSEP_PATH is really empty.
9 years ago
update install docs, fix outdated links - add OS X privsep user creation instructions from jasper@ - update install instructions to be the same everywhere - remove outdated compiler flags
9 years ago
fix typo at line 79 replace "this this" by "like this"
9 years ago
update install docs, fix outdated links - add OS X privsep user creation instructions from jasper@ - update install instructions to be the same everywhere - remove outdated compiler flags
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
re-add the configurable --with-privsep-path install-time sanity check While this still doesn't affect the behavior of the daemon, the configuration option can at least be set to check the correct privsep directory for permissions. Revisit in 5.8 as a possible extension to the runtime check instead to remove the 'knob'.
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
re-add the configurable --with-privsep-path install-time sanity check While this still doesn't affect the behavior of the daemon, the configuration option can at least be set to check the correct privsep directory for permissions. Revisit in 5.8 as a possible extension to the runtime check instead to remove the 'knob'.
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
note libtls dependency for HTTPS constraint Document CA path option.
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
update install docs, fix outdated links - add OS X privsep user creation instructions from jasper@ - update install instructions to be the same everywhere - remove outdated compiler flags
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
update install docs, fix outdated links - add OS X privsep user creation instructions from jasper@ - update install instructions to be the same everywhere - remove outdated compiler flags
9 years ago
new OpenNTPD portable tree First attempt at building a new OpenNTPD portable project, based on the latest OpenBSD source.
9 years ago
move to README.md, update platform list
3 years ago
 
  1. 1. Prerequisites
  2. ----------------
  3. 

  4. You will need an entropy (randomness) source.  If your OS has arc4random or
  5. getentropy then that is ideal. Otherwise, OpenNTPD will use its builtin
  6. arc4random implementation, which is also part of the LibreSSL project.
  7. 

  8. 2. Building / Installation
  9. --------------------------
  10. 

  11. If you have checked this source using Git, follow these initial steps to
  12. prepare the source tree for building:
  13. 

  14.  1. ensure you have the following packages installed:
  15.       automake, autoconf, git, libtool, bison
  16.  2. run './autogen.sh' to prepare the source tree for building
  17.     or run './dist.sh' to prepare a tarball.
  18. 

  19. To install OpenNTPD with default options:
  20. 

  21. ./configure
  22. make
  23. make install
  24. 

  25. This will install the OpenNTPD binary in /usr/local/sbin, configuration
  26. files in /usr/local/etc. To specify a different installation prefix,
  27. use the --prefix option to configure:
  28. 

  29. ./configure --prefix=/opt
  30. make
  31. make install
  32. 

  33. Will install OpenNTPD in /opt/{etc,sbin}. You can also override
  34. specific paths, for example:
  35. 

  36. ./configure --prefix=/opt --sysconfdir=/etc/ntp
  37. make
  38. make install
  39. 

  40. This will install the binaries in /opt/sbin, but will place the
  41. configuration files in /etc/ntp.
  42. 

  43. OpenNTPD always uses Privilege Separation (ie the majority of the
  44. processing is done as a chroot'ed, unprivileged user).
  45. 

  46. This requires that a user, group and directory to be created for it.
  47. The user should not be permitted to log in, and its home directory
  48. should be owned by root and be mode 755.
  49. 

  50. If you do "make install", the Makefile will create the directory with
  51. the correct permissions and will prompt you for the rest if required.
  52. If, however, you need to perform all of these tasks yourself (eg if you
  53. are moving the built binaries to another system) then you will need to
  54. do something like the following (although the exact commands required
  55. for creating the user and group are system dependant):
  56. 

  57. On most Linux and BSD systems, something like should work:
  58. 

  59.  groupadd _ntp
  60.  useradd -g _ntp -s /sbin/nologin -d /var/empty -c 'OpenNTP daemon' _ntp
  61.  mkdir -p /var/empty
  62.  chown 0 /var/empty
  63.  chgrp 0 /var/empty
  64.  chmod 0755 /var/empty
  65. 

  66. /var/empty here is a chroot directory used by ntpd for privilege separation of
  67. the DNS and NTP processes. This directory should not contain any files, must be
  68. owned by root, and must not be group or world-writable.
  69. 

  70. NOTE:
  71. If you installed a previous OpenNTPD release and created a /var/empty/ntp
  72. directory, please delete the /var/empty/ntp directory and adjust the _ntp
  73. user's home directory to point to /var/empty instead.
  74. 

  75. This is important because, if you have any other daemons that also use
  76. /var/empty as a home directory, they will all have an empty privilege
  77. separation directory.
  78. 

  79. As of OS X 10.10, something like this should work similarly
  80. (thanks to jasper@ for suggesting)
  81. 

  82.  dscl . create /Users/_ntp
  83.  dscl . create /Users/_ntp UserShell /sbin/nologin
  84. # Prevent user from showing up on the login screen
  85.  dscl . delete /Users/_ntp AuthenticationAuthority
  86. # Arbitrarily chosen UID that was free
  87.  dscl . create /Users/_ntp UniqueID 400
  88.  dscl . create /Users/_ntp PrimaryGroupID 400
  89.  dscl . create /Users/_ntp RealName "OpenNTPD user"
  90.  dseditgroup -o create _ntp
  91.  dscl . append /Groups/_ntp GroupMembership _ntp
  92. 

  93. There are a few options to the configure script in addition to the ones
  94. provided by autoconf itself:
  95. 

  96. --with-privsep-user=[user]
  97. 	Specify unprivileged user used for privilege separation.  The default
  98. 	is "_ntp".
  99. 

  100. --with-privsep-path=path
  101. 	ntpd will always use the home directory of the privsep user
  102. 	to chroot to, but specifying this parameter will change the
  103. 	post-installation checks and instructions to match the specified path.
  104. 

  105. --with-cacert=[path]
  106. 	Specify the CA certificate location for HTTPS constraint validation.
  107. 	Defaults to /etc/ssl/certs/ca-certificates.crt
  108. 

  109. If you need to pass special options to the compiler or linker, you
  110. can specify these as environment variables before running ./configure.
  111. For example:
  112. 

  113. CFLAGS="-O2 " LDFLAGS="-s" ./configure
  114. 

  115. 

  116. 3. Configuration
  117. ----------------
  118. 

  119. The runtime configuration files are installed by in ${prefix}/etc or
  120. whatever you specified as your --sysconfdir (/usr/local/etc by default).
  121. 

  122. If no configuration file exists, the default one is used.  The default
  123. configuration file uses a selection of publicly accessible "pool" servers
  124. (see http://support.ntp.org/bin/view/Servers/NTPPoolServers)
  125. 

  126. 

  127. 4. Problems?
  128. ------------
  129. 

  130. If you experience problems compiling, installing or running OpenNTPD,
  131. please report the problem to the address in the README.md file.