Implementation: Privilege Separation


two processes
parent, runs as root
ntp engine, runs as _ntp:_ntp and chroots to /var/empty

socketpair in between
use the buffer- and imsg-framework I wrote for bgpd

three message types: IMSG_ADJTIME, IMSG_SETTIME, and IMSG_HOST_DNS