North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: ntp config tech note
On Fri, 21 May 2004, Adrian Chadd wrote: > > Isn't that a lot safer anyway than running a daemon (ntpd) as root ? I do > > this on my systems (run ntpdate from cron), even though the xntpd > > docs IIRC specifically advised against this hack. One less > > vulnerability waiting to be exploited ... is the way I see it. > > Kind of. ntpdate just sets the time. ntpd will actually notice your clock > running fast/slow and slowly step your kernel time to deal with your > bad clock frequency. > > man ntpd. Its quite fascinating. I know what ntpd is supposed to do. Its what its *not* supposed to do that worries me - i.e. when someone finds that next flaw and exploits it. My personal feeling was that for most systems its better to not have the daemon running - i.e. the benefit of smaller more frequent clock adjustments does not outweigh the cost of another service running, especially as root or even as a jailed non-root user. I checked and the cron job usually adjusts the clock by about 0.2 to 0.3 sec every hour. Sure thats probably more than ntpd would adjust it in any one iteration were ntpd running ... according to: http://www.eecis.udel.edu/~mills/ntp/html/ntpdate.html its not too kooky or dangerous to use ntpdate + cron rather than ntpd; 0.5 sec is given as a cutoff for it being less disruptive when making clock adjustments. Its interesting to hear what other folks are doing. I had assumed folks normally don't run ntpd on each and every server and that ntpdate + cron was much preferred; maybe I am off-base.