ntpsec fails to droproot (attempting to run with uid/gid "ntp" (123) instead of "root") when being run as a daemon
Using Alpine Linux 3.14.2.
Installing ntpsec (ntpsec-1.2.1-r0 x86_64) through apk and modifying /etc/conf.d/ntpd into:
NTPD_OPTS="-g -N -c /etc/ntp.conf -u 123:123"
so that the ntpd daemon will run with user ntp (123) and group ntp (123).
However, attempting to do so, I receive this during startup using /etc/init.d/ntpd start:
Oct 9 23:57:25 alpine daemon.notice ntpd[2796]: INIT: ntpd ntpsec-1.2.1: Starting
Oct 9 23:57:25 alpine daemon.notice ntpd[2796]: INIT: Command line: /usr/sbin/ntpd -4 -g -N -c /etc/ntp.conf -u 123:123
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: precision = 0.082 usec (-23)
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: successfully locked into RAM
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: CONFIG: readconfig: parsing file: /etc/ntp.conf
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: Found 1 trusted keys.
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: AUTH: authreadkeys: reading /etc/ntp.keys
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: AUTH: authreadkeys: added 1 keys
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict notrap ignored
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict nopeer ignored
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict notrap ignored
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict nopeer ignored
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict: ignoring line 21, mask '::' unusable.
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: CONFIG: restrict notrap ignored
Oct 9 23:57:26 alpine daemon.notice ntpd[2798]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
Oct 9 23:57:26 alpine daemon.notice ntpd[2798]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2022-06-28T00:00Z last=2017-01-01T00:00Z ofs=37
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: Using SO_TIMESTAMPNS
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: IO: Listen normally on 0 lo 127.0.0.1:123
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: IO: Listen normally on 1 eth0 192.168.1.1:123
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: IO: Listening on routing socket on fd #50 for interface updates
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: Built with OpenSSL 1.1.1k 25 Mar 2021, 101010bf
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: INIT: Running with OpenSSL 1.1.1l 24 Aug 2021, 101010cf
Oct 9 23:57:26 alpine daemon.info ntpd[2798]: NTSc: Using system default root certificates.
Oct 9 23:57:26 alpine daemon.err ntpd[2798]: INIT: root can't be dropped due to missing capabilities.
Note the last line above, which means that ntpd fails to start.
Adjusting /etc/conf.d/ntpd to (that is, removing -u xxx:xxx):
NTPD_OPTS="-g -N -c /etc/ntp.conf"
will make ntpd start; however, it will be run with root as uid/gid:
2989 root 0:00 /usr/sbin/ntpd -4 -g -N -c /etc/ntp.conf
The error is available at around line 77 of https://github.com/ntpsec/ntpsec/blob/master/ntpd/ntp_sandbox.c
Edited by Apachez
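An added example, not part of the original report and not ntpsec code: a shell check that reads the text of /proc/<pid>/status and reports whether a daemon such as the ntpd above actually left root behind. The function name `droproot_status`, the two sample status texts (constructed) and the rule that a remaining CAP_SETUID or CAP_SETGID counts as an incomplete drop are assumptions of this example.

```shell
#!/bin/sh
# Usage on a live system: droproot_status < /proc/<pid>/status; echo $?
# Return codes (this example's own convention):
#   0 = all uids/gids non-zero and no CAP_SETUID/CAP_SETGID in CapEff
#   1 = at least one uid or gid is still 0 (process is still root)
#   2 = ids are non-root, but CAP_SETUID or CAP_SETGID is still effective
#   3 = input did not contain Uid:, Gid: and CapEff: lines
droproot_status() {
    uids="" gids="" capeff=""
    while read -r key rest; do
        case "$key" in
            Uid:)    uids=$rest ;;
            Gid:)    gids=$rest ;;
            CapEff:) capeff=$rest ;;
        esac
    done
    if [ -z "$uids" ] || [ -z "$gids" ] || [ -z "$capeff" ]; then
        return 3
    fi
    # Uid:/Gid: list real, effective, saved and filesystem ids; none may be 0.
    for id in $uids $gids; do
        if [ "$id" -eq 0 ]; then
            return 1
        fi
    done
    # CapEff is a hex bitmask: bit 6 = CAP_SETGID, bit 7 = CAP_SETUID.
    mask=$(( 0x$capeff ))
    if [ $(( mask & 0xC0 )) -ne 0 ]; then
        return 2
    fi
    return 0
}

# Constructed sample: daemon started without -u, as in the ps line of the report.
sample_root() {
    printf '%s\n' 'Name: ntpd' 'Uid: 0 0 0 0' 'Gid: 0 0 0 0' \
        'CapEff: 000001ffffffffff'
}

# Constructed sample: uid/gid 123 with only bits 10 (CAP_NET_BIND_SERVICE)
# and 25 (CAP_SYS_TIME) left in the effective set.
sample_dropped() {
    printf '%s\n' 'Name: ntpd' 'Uid: 123 123 123 123' 'Gid: 123 123 123 123' \
        'CapEff: 0000000002000400'
}
```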