re-add the configurable --with-privsep-path install-time sanity check

While this still doesn't affect the behavior of the daemon, the
configuration option can at least be set to check the correct privsep
directory for permissions. Revisit in 5.8 as a possible extension to the
runtime check instead to remove the 'knob'.
OPENBSD_5_7
Brent Cook 9 years ago
parent
commit
70ed567131
2 changed files with 16 additions and 6 deletions
  1. INSTALL (+9 -5)
  2. configure.ac (+7 -1)

INSTALL (+9 -5)

@ -64,8 +64,8 @@ On most Linux and BSD systems, something like should work:
chmod 0755 /var/empty chmod 0755 /var/empty
/var/empty here is a chroot directory used by ntpd for privilege separation of /var/empty here is a chroot directory used by ntpd for privilege separation of
the DNS and NTP processes. This directory should be completely empty, owned by
root, and must not be group or world-writable.
the DNS and NTP processes. This directory should not contain any files, must be
owned by root, and must not be group or world-writable.
NOTE: NOTE:
If you installed a previous OpenNTPD release and created a /var/empty/ntp If you installed a previous OpenNTPD release and created a /var/empty/ntp
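
Review bot: In the reworded /var/empty paragraph, "should not contain any files" leaves the emptiness requirement as a recommendation while ownership and permissions are stated as "must", and "files" can be read as allowing subdirectories. The NOTE directly below is about a leftover /var/empty/ntp directory, so subdirectories are exactly the case readers will hit. Suggest stating it as one requirement, for example "must be empty (no files or subdirectories), owned by root, and not group or world-writable", so the text matches what the post-installation check is meant to enforce.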
@ -90,13 +90,17 @@ As of OS X 10.10, something like this should work similarly
dseditgroup -o create _ntp dseditgroup -o create _ntp
dscl . append /Groups/_ntp GroupMembership _ntp dscl . append /Groups/_ntp GroupMembership _ntp
There are few options to the configure script in addition to the ones
There are a few options to the configure script in addition to the ones
provided by autoconf itself: provided by autoconf itself:
--with-privsep-user=[user] --with-privsep-user=[user]
Specify unprivileged user used for privilege separation. The default Specify unprivileged user used for privilege separation. The default
is "_ntp". The home directory of this user will be used for privilege
separation.
is "_ntp".
--with-privsep-path=path
ntpd will always use the home directory of the privsep user
to chroot to, but specifying this parameter will change the
post-installation checks and instructions to match the specified path.
--with-cacert=[path] --with-cacert=[path]
Specify the CA certificate location for HTTPS constraint validation. Specify the CA certificate location for HTTPS constraint validation.
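
Review bot: The new --with-privsep-path entry says ntpd always chroots to the privsep user's home directory and that the option only changes the post-installation checks, but it does not say what happens when the two differ. If the path given here is not the home directory of the --with-privsep-user account, the install-time check will validate a directory the daemon never uses and the real chroot goes unchecked. Suggest adding a sentence that the value must match that user's home directory. Minor style point: the neighbouring options are written --with-privsep-user=[user] and --with-cacert=[path], so --with-privsep-path=path should use the same bracket form.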


configure.ac (+7 -1)

@ -230,7 +230,13 @@ AC_ARG_WITH(cacert,
) )
AC_SUBST(CONSTRAINT_CA) AC_SUBST(CONSTRAINT_CA)
PRIVSEP_PATH=/var/empty
AC_ARG_WITH(privsep-path,
[ --with-privsep-path=path Specify privilege separation chroot path],
[ AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval",
[Privilege separation chroot path])
PRIVSEP_PATH=$withval ],
[ PRIVSEP_PATH=/var/empty ]
)
AC_SUBST(PRIVSEP_PATH) AC_SUBST(PRIVSEP_PATH)
AC_CONFIG_FILES([ AC_CONFIG_FILES([
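
Review bot: In the AC_ARG_WITH(privsep-path, ...) action, $withval is used without validation, so a bare --with-privsep-path or --without-privsep-path sets PRIVSEP_PATH (and the NTPD_CHROOT_DIR define) to the literal "yes" or "no", and a relative path is accepted as well. Suggest rejecting those values with AC_MSG_ERROR and requiring an absolute path before assigning PRIVSEP_PATH. Separately, the commit message and INSTALL both say the option does not affect the daemon, yet the action still emits AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval", ...); if nothing consumes that define it should be dropped, or a comment should say it is intentionally unused, so a later reader does not assume the chroot path is configurable at build time.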

