Hello Brian,
Wednesday, October 24, 2007, 3:28:36 PM, you wrote:
B> OpenNTPD runs as a 'daemon,' yes, but it does so using privilege
B> separation and other goodies. The network code runs as a normal user,
B> isolated from other users. This is superior to running rdate AS ROOT
B> from a cronjob. OpenNTPD does not open any TCP or UDP ports by default.

B> It is true that rdate has about 63% fewer lines of code than ntpd and is
B> older, and may have had more code audits performed; however, ntpd is new
B> code, written with security in mind, runs as a normal user (privilege
B> separated for the most part) and has superior time keeping ability.

B> Your advice about not running a daemon if it's possible to do the task
B> otherwise may be true with a (bloated) daemon such as ntp.org ntpd,
B> however, with OpenNTPD the tables are turned. It is far safer to run
B> the 'daemon' than to perform the task otherwise.

B> That being said, it is up to the individual users to decide what to do.
B> Hopefully this above explanation will help those who don't necessarily
B> understand the risks of running programs as root vice daemons which
B> execute code with proper separation of privileges.

Thank you very much for that (valuable) reply!
BTW, this is an argument for making an OpenNTPD ntpdate tool or adding
one_time_synchronization functionality into ntpd. :)

--
Best regards,
Boris mailto:boris@twopoint.com
