
Change default privsep directory to /var/empty.

Add a post-install check to ensure that PRIVSEP_PATH is really empty.
OPENBSD_5_7
Brent Cook 10 years ago
parent
commit
c72225ad1e
3 changed files with 28 additions and 7 deletions
  1. +14
    -5
      INSTALL
  2. +13
    -1
      Makefile.am
  3. +1
    -1
      configure.ac

+ 14
- 5
INSTALL View File

@ -57,11 +57,20 @@ for creating the user and group are system dependant):
On most Linux and BSD systems, something like should work: On most Linux and BSD systems, something like should work:
groupadd _ntp groupadd _ntp
useradd -g _ntp -s /sbin/nologin -d /var/empty/ntp -c 'OpenNTP daemon' _ntp
mkdir -p /var/empty/ntp
chown 0 /var/empty/ntp
chgrp 0 /var/empty/ntp
chmod 0755 /var/empty/ntp
useradd -g _ntp -s /sbin/nologin -d /var/empty -c 'OpenNTP daemon' _ntp
mkdir -p /var/empty
chown 0 /var/empty
chgrp 0 /var/empty
chmod 0755 /var/empty
NOTE:
If you installed a previous OpenNTPD release and created a /var/empty/ntp
directory, please delete the /var/empty/ntp directory and adjust the _ntp
user's home directory to point to /var/empty instead.
This is important because, if you have any other daemons that also use
/var/empty as a home directory, they will all have an empty privilege
separation directory.
As of OS X 10.10, something this this should work similarly As of OS X 10.10, something this this should work similarly
(thanks to jasper@ for suggesting) (thanks to jasper@ for suggesting)


+ 13
- 1
Makefile.am View File

@ -66,7 +66,8 @@ install-exec-hook:
@if [ ! -f "$(DESTDIR)$(sysconfdir)/ntpd.conf" ]; then \ @if [ ! -f "$(DESTDIR)$(sysconfdir)/ntpd.conf" ]; then \
$(INSTALL) -m 644 "$(srcdir)/ntpd.conf" "$(DESTDIR)$(sysconfdir)/ntpd.conf"; \ $(INSTALL) -m 644 "$(srcdir)/ntpd.conf" "$(DESTDIR)$(sysconfdir)/ntpd.conf"; \
else \ else \
echo "$(DESTDIR)$(sysconfdir)/ntpd.conf already exists, install will not overwrite"; \
echo; \
echo " $(DESTDIR)$(sysconfdir)/ntpd.conf already exists, install will not overwrite"; \
fi fi
@if [ ! -d "$(PRIVSEP_PATH)" ]; then \ @if [ ! -d "$(PRIVSEP_PATH)" ]; then \
echo; \ echo; \
@ -100,6 +101,17 @@ install-exec-hook:
echo ; \ echo ; \
echo " useradd -g $(PRIVSEP_USER) -s /sbin/nologin -d $(PRIVSEP_PATH) -c 'OpenNTP daemon' $(PRIVSEP_USER)" ; \ echo " useradd -g $(PRIVSEP_USER) -s /sbin/nologin -d $(PRIVSEP_PATH) -c 'OpenNTP daemon' $(PRIVSEP_USER)" ; \
fi fi
@if [ -d $(PRIVSEP_PATH) ]; then \
if [ `ls -A $(PRIVSEP_PATH)|wc -l` != "0" ]; then \
echo; \
echo " WARNING: the privilege separation path is specified as $(PRIVSEP_PATH), " ; \
echo " but this directory contains files!" ; \
echo ; \
echo " Please ensure that $(PRIVSEP_PATH) is empty. If you installed a previous " ; \
echo " OpenNTPD version and created a user with a home directory at /var/empty/ntpd, " ; \
echo " please adjust that user to use /var/empty instead and delete /var/empty/ntpd." ; \
fi; \
fi
@echo @echo
uninstall-local: uninstall-local:
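Review bot: The warning text added to the second hunk names `/var/empty/ntpd`, but the INSTALL note and the previous configure.ac default on this page both use `/var/empty/ntp`, so an administrator following the message would look for a directory the earlier instructions never created; the two echo lines should say `/var/empty/ntp`. The new test also leaves the path unquoted in `[ -d $(PRIVSEP_PATH) ]` and `ls -A $(PRIVSEP_PATH)`, unlike the quoted `[ ! -d "$(PRIVSEP_PATH)" ]` earlier in the same recipe; `if [ -d "$(PRIVSEP_PATH)" ]; then` and `ls -A "$(PRIVSEP_PATH)"` would match it. Since this directory is the privilege-separation chroot, the hook could also warn when it is not owned by root or is writable by group or others, which an emptiness test alone does not show. install-exec-hook begins before the first hunk, so the rest of the recipe is not visible here.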


+ 1
- 1
configure.ac View File

@ -204,7 +204,7 @@ AC_ARG_WITH(privsep-path,
[ AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval", [ AC_DEFINE_UNQUOTED(NTPD_CHROOT_DIR, "$withval",
[Privilege separation chroot path]) [Privilege separation chroot path])
PRIVSEP_PATH=$withval ], PRIVSEP_PATH=$withval ],
[ PRIVSEP_PATH=/var/empty/ntp ]
[ PRIVSEP_PATH=/var/empty ]
) )
AC_SUBST(PRIVSEP_PATH) AC_SUBST(PRIVSEP_PATH)
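Review bot: The default branch of AC_ARG_WITH sets only the shell variable `PRIVSEP_PATH`; `NTPD_CHROOT_DIR` is defined only when `--with-privsep-path` is given, so the compiled-in fallback for the chroot path presumably lives in a header that is not among the three files changed here. If that fallback still points at the old location, the daemon and the new install-time emptiness check would refer to different directories. Either confirm the fallback is already `/var/empty`, or add a comment beside the default such as `dnl keep in sync with the NTPD_CHROOT_DIR fallback in the sources`.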

