* Don't run ntpd as root.

svn path=/nixos/trunk/; revision=7463
2006-12-22 19:23:19 +00:00 · 2006-12-22 19:23:19 +00:00 · 2d605d7041
commit 2d605d7041
parent f037f6fbd4
2 changed files with 10 additions and 6 deletions
--- a/configuration/upstart.nix
+++ b/configuration/upstart.nix
@ -84,7 +84,7 @@ import ../upstart-jobs/gather.nix {
  # NTP daemon.
  ++ optional ["services" "ntp" "enable"]
    (import ../upstart-jobs/ntpd.nix {
-      inherit (pkgs) ntp glibc pwdutils writeText;
+      inherit (pkgs) ntp kernel module_init_tools glibc pwdutils writeText;
      servers = config.get ["services" "ntp" "servers"];
    })

--- a/upstart-jobs/ntpd.nix
+++ b/upstart-jobs/ntpd.nix
@ -1,4 +1,4 @@
-{ntp, glibc, pwdutils, writeText, servers}:
+{ntp, kernel, module_init_tools, glibc, pwdutils, writeText, servers}:

 let

@ -12,6 +12,8 @@ let
    ${toString (map (server: "server " + server + "\n") servers)}
  ";

+  ntpFlags = "-c ${config} -u ${ntpUser}:nogroup";
+
 in

 {
@ -34,13 +36,15 @@ start script
    mkdir -m 0755 -p ${stateDir}
    chown ${ntpUser} ${stateDir}

-    date
-    ${ntp}/bin/ntpd -c ${config} -q -g
-    date
+    # Needed to run ntpd as an unprivileged user.
+    export MODULE_DIR=${kernel}/lib/modules/
+    ${module_init_tools}/sbin/modprobe capability
+
+    ${ntp}/bin/ntpd -q -g ${ntpFlags}
    
 end script

-respawn ${ntp}/bin/ntpd -n -c ${config}
+respawn ${ntp}/bin/ntpd -n ${ntpFlags}
  ";
  
 }