diff --git a/INSTALL b/INSTALL
index 35f29cf..bf75883 100644
--- a/INSTALL
+++ b/INSTALL
@@ -64,8 +64,8 @@ On most Linux and BSD systems, something like should work:
 chmod 0755 /var/empty
 /var/empty here is a chroot directory used by ntpd for privilege separation of
-the DNS and NTP processes. This directory should be completely empty, owned by
-root, and must not be group or world-writable.
+the DNS and NTP processes. This directory should not contain any files, must be
+owned by root, and must not be group or world-writable.
 NOTE: If you installed a previous OpenNTPD release and created a /var/empty/ntp
@@ -90,13 +90,17 @@ As of OS X 10.10, something like this should work similarly
 dseditgroup -o create _ntp
 dscl . append /Groups/_ntp GroupMembership _ntp
-There are few options to the configure script in addition to the ones
+There are a few options to the configure script in addition to the ones
 provided by autoconf itself:
 --with-privsep-user=[user]
 Specify unprivileged user used for privilege separation. The default
- is "_ntp". The home directory of this user will be used for privilege
- separation.
+ is "_ntp".
+
+--with-privsep-path=path
+ ntpd will always use the home directory of the privsep user
+ to chroot to, but specifying this parameter will change the
+ post-installation checks and instructions to match the specified path.
 --with-cacert=[path]
 Specify the CA certificate location for HTTPS constraint validation.
diff --git a/configure.ac b/configure.ac
index 378762f..e97c51d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -230,7 +230,13 @@ AC_ARG_WITH(cacert,
 )
 AC_SUBST(CONSTRAINT_CA)
-PRIVSEP_PATH=/var/empty
+AC_ARG_WITH(privsep-path,
+ [ --with-privsep-path=path Specify privilege separation chroot path],
+ [ AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval",
+ [Privilege separation chroot path])
+ PRIVSEP_PATH=$withval ],
+ [ PRIVSEP_PATH=/var/empty ]
+)
 AC_SUBST(PRIVSEP_PATH)
 AC_CONFIG_FILES([
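Review bot: The action-if-given branch of the new `AC_ARG_WITH(privsep-path, ...)` in configure.ac uses `$withval` without validating it, so `--with-privsep-path` with no argument or `--without-privsep-path` sets both `PRIVSEP_PATH` and `NTPD_CHROOT_DIR` to the literal `yes` or `no`, and a relative path is accepted as well. This value names the directory whose root ownership and non-writability the post-installation checks are meant to confirm, so anything that is not an absolute path should be rejected before the `AC_DEFINE_UNQUOTED`, e.g. `case "$withval" in /*) ;; *) AC_MSG_ERROR([--with-privsep-path requires an absolute path]) ;; esac`. `NTPD_CHROOT_DIR` is also defined only when the option is given, and how the C sources consume it is not visible in this hunk. If ntpd really chroots to the privsep user's home directory, as the INSTALL text says, a comment such as `dnl affects install-time checks only; ntpd chroots to the privsep user's home directory` would make clear that the checked path and the actual chroot target can differ.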