Implementation: Privilege Separation


two processes
parent, runs as root
ntp engine, runs as _ntp:_ntp and chroots to /var/empty

socketpair in between
use the buffer- and imsg-framework I wrote for bgpd

two message types: IMSG_ADJTIME and IMSG_HOST_DNS
ntp engine asks the parent to do the adjtime() - requires root
ntp engine asks the parent to resolve hostnames - requires access to /etc
very strict validity checking, of course