North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ntp config tech note

  • From: C. Jon Larsen
  • Date: Thu May 20 23:43:38 2004



On Fri, 21 May 2004, Adrian Chadd wrote:

> > Isn't that a lot safer anyway than running a daemon (ntpd) as root ?  I do 
> > this on my systems (run ntpdate from cron), even though the xntpd 
> > docs IIRC specifically advised against this hack. One less 
> > vulnerability waiting to be exploited ... is the way I see it.
> 
> Kind of. ntpdate just sets the time. ntpd will actually notice your clock
> running fast/slow and slowly step your kernel time to deal with your
> bad clock frequency.
> 
> man ntpd. Its quite fascinating.

I know what ntpd is supposed to do. Its what its *not* supposed to do that 
worries me - i.e. when someone finds that next flaw and exploits it. 

My personal feeling was that for most systems its better to not have the 
daemon running - i.e. the benefit of smaller more frequent clock 
adjustments does not outweigh the cost of another service running, 
especially as root or even as a jailed non-root user.

I checked and the cron job usually adjusts the clock by about 0.2 to 0.3 
sec every hour. Sure thats probably more than ntpd would adjust it in any 
one iteration were ntpd running ... 

according to:
http://www.eecis.udel.edu/~mills/ntp/html/ntpdate.html

its not too kooky or dangerous to use ntpdate + cron rather than ntpd;
0.5 sec is given as a cutoff for it being less disruptive when making 
clock adjustments.

Its interesting to hear what other folks are doing. I had assumed folks 
normally don't run ntpd on each and every server and that ntpdate + cron 
was much preferred; maybe I am off-base.