Package Details: ntpsec 1.0.0-1

Git Clone URL: https://aur.archlinux.org/ntpsec.git (read-only)
Package Base: ntpsec
Description: Security-hardened Network Time Protocol implementation
Upstream URL: https://www.ntpsec.org/
Licenses: custom
Conflicts: ntp
Provides: ntp
Submitter: chungy
Maintainer: chungy
Last Packager: chungy
Votes: 3
Popularity: 0.001829
First Submitted: 2016-12-01 10:10
Last Updated: 2017-10-13 23:06

Dependencies (11)

Required by (9)

Sources (3)

Latest Comments

akrieger commented on 2017-05-01 00:17

I also ran into trouble running ntpsec (possibly the same error as Eremiell). There seems to be an issue with seccomp blocking syscalls in ntpd. seccomp is meant as an extra defense measure that forbids the use of arbitrary syscalls, but it requires a list of every syscall used (legitimately) by ntpd. Of course, different versions of libc use different syscalls (or even the same version of libc on different platforms), and apparently Arch's version of glibc uses "extra" syscalls.

There's an upstream issue here: <https://gitlab.com/NTPsec/ntpsec/issues/275>

In the meantime, editing PKGBUILD to remove '--enable-seccomp' on line 42 will build ntpd without seccomp as a temporary workaround (although this does weaken security against an attacker who gains the ability to execute arbitrary code in ntpd's process).

The alternative is to patch ntpsec sources to add the "extra" syscalls to the seccomp whitelist. I'm holding off on that since it seems like a really messy fix (it's too platform- and library-dependent), but the upstream issue has details for anyone wanting to go that route.

Eremiell commented on 2017-04-10 22:29

It looks like this package doesn't bring in any default ntp.conf.

While I always edit it by hand, I prefer to have some skeleton available, so I check if the defaults are sane, switch servers for a local pool and a few proven static ones, more like doing minor edits and not writing the whole thing anew.

You should be able to grab one from the ntp package, possibly editing it a bit if you don't find it sane enough.

Edit: OK, looking at it, the default one in the ntp package is quite brief compared to what I'm used to. Guess I nicked my previous skeleton elsewhere. Still, it's at least there. ;)

More edit: ntpsec for some reason doesn't work at all for me. It starts to listen and then just flops and gets killed by systemd. Rolled back to ntp for now. While it is certainly suboptimal, I lived with it for years and it still "just works".

Apr 11 01:05:57 taurus sudo[14208]: eremiell : TTY=pts/1 ; PWD=/home/eremiell/builds/ntpsec ; USER=root ; COMMAND=/usr/bin/systemctl start ntpd.service
Apr 11 01:05:57 taurus sudo[14208]: pam_unix(sudo:session): session opened for user root by eremiell(uid=0)
Apr 11 01:05:57 taurus systemd[1]: Starting Network Time Service...
-- Subject: Unit ntpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ntpd.service has begun starting up.
Apr 11 01:05:57 taurus ntpd[14211]: ntpd ntpsec-0.9.7+7 2017-03-23T07:41:51Z: Starting
Apr 11 01:05:57 taurus ntpd[14211]: Command line: /usr/bin/ntpd -g -u ntp:ntp
Apr 11 01:05:57 taurus systemd[1]: Started Network Time Service.
-- Subject: Unit ntpd.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ntpd.service has finished starting up.
--
-- The start-up result is done.
Apr 11 01:05:57 taurus ntpd[14212]: proto: precision = 0.099 usec (-23)
Apr 11 01:05:57 taurus systemd[1]: ntpd.service: Main process exited, code=killed, status=31/SYS
Apr 11 01:05:57 taurus ntpd[14212]: successfully locked into RAM
Apr 11 01:05:57 taurus ntpd[14212]: restrict default: notrap keyword is ignored.
Apr 11 01:05:57 taurus ntpd[14212]: Listen and drop on 0 v6wildcard [::]:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 2 lo 127.0.0.1:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 3 wlp13s0 192.168.13.24:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 4 enp14s0 192.168.13.1:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 5 lo [::1]:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 6 wlp13s0 [fe80::1acf:5eff:fe91:42eb%2]:123
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 7 enp14s0 [fe80::6202:92ff:fe3f:c29f%3]:123
Apr 11 01:05:57 taurus ntpd[14212]: Listening on routing socket on fd #24 for interface updates
Apr 11 01:05:57 taurus ntpd[14212]: sandbox: seccomp_init() succeeded
Apr 11 01:05:57 taurus sudo[14208]: pam_unix(sudo:session): session closed for user root
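
A triage check for the failure discussed in the two comments above (akrieger's seccomp explanation and the journal excerpt in Eremiell's comment), added here as an example and not part of the original comments or of the ntpsec project: it scans journal text for units whose main process was killed with `status=.../SYS` and reports whether the daemon logged a seccomp message. The sample lines are abridged from the excerpt above; the function name and the rule that the unit name equals the daemon's process name are assumptions.

```python
import re

# Sample input: lines abridged from the journal excerpt quoted above.
SAMPLE_JOURNAL = """\
Apr 11 01:05:57 taurus systemd[1]: Starting Network Time Service...
Apr 11 01:05:57 taurus ntpd[14211]: Command line: /usr/bin/ntpd -g -u ntp:ntp
Apr 11 01:05:57 taurus systemd[1]: Started Network Time Service.
Apr 11 01:05:57 taurus systemd[1]: ntpd.service: Main process exited, code=killed, status=31/SYS
Apr 11 01:05:57 taurus ntpd[14212]: Listen normally on 2 lo 127.0.0.1:123
Apr 11 01:05:57 taurus ntpd[14212]: sandbox: seccomp_init() succeeded
"""

# Syslog-style journal line: "Mon DD HH:MM:SS host proc[pid]: message"
ENTRY = re.compile(r"^\w{3} [ \d]\d [\d:]{8} \S+ (?P<proc>[^\s\[:]+)\[\d+\]: (?P<msg>.*)$")
# systemd's exit report for a main process terminated by SIGSYS
KILLED = re.compile(r"^(?P<unit>\S+)\.service: Main process exited, "
                    r"code=killed, status=(?P<signo>\d+)/SYS$")


def find_sigsys_kills(journal_text):
    """Return one finding per unit whose main process died from SIGSYS."""
    kills = []             # (unit, signal number) taken from systemd's lines
    seccomp_procs = set()  # daemons that logged any seccomp message
    last_msg = {}          # daemon name -> last message it logged
    # The whole text is scanned before correlating: in the excerpt the kill
    # line is journalled *before* the daemon's buffered seccomp message.
    for line in journal_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue       # e.g. the "-- ..." explanation lines of journalctl -x
        proc, msg = m.group("proc"), m.group("msg")
        if proc == "systemd":
            k = KILLED.match(msg)
            if k:
                kills.append((k.group("unit"), int(k.group("signo"))))
            continue
        last_msg[proc] = msg
        if "seccomp" in msg.lower():
            seccomp_procs.add(proc)
    # Assumption: the unit "X.service" runs a daemon that logs as "X".
    return [{"unit": unit + ".service", "signal": signo,
             "seccomp_logged": unit in seccomp_procs,
             "last_message": last_msg.get(unit)} for unit, signo in kills]


if __name__ == "__main__":
    for f in find_sigsys_kills(SAMPLE_JOURNAL):
        cause = "seccomp active" if f["seccomp_logged"] else "no seccomp message"
        print(f"{f['unit']}: signal {f['signal']} ({cause}); last: {f['last_message']}")
```

A finding with `seccomp_logged` set to true matches the situation akrieger describes: the filter was installed and the process then died from SIGSYS.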

glitsj16 commented on 2016-12-02 17:23

As there's quite some active development on ntpsec, you might want to offer a git version too. I took the liberty to copy your ntpsec PKGBUILD and make some very minor changes in case you're considering it.
https://gist.github.com/eee62d6853708d23765f687b74fae18d

glitsj16 commented on 2016-12-01 20:02

Hi, looks like w3m needs to be added to the makedepends array:
a2x: ERROR: "w3m" -cols 70 -dump -T text/html -no-graph "/home/glitsj16/ntpsec/src/ntpsec-0.9.5/docs/copyright.text.html" > "/home/glitsj16/ntpsec/src/ntpsec-0.9.5/docs/copyright.text" returned non-zero exit status 127
==> ERROR: A failure occurred in build().
Aborting...