Hello,

Am Dienstag, 25. August 2015 schrieb intrigeri:
> Christian Boltz wrote (25 Aug 2015 12:16:14 GMT) :
> > Also, ntpd seems to work without those permissions, so we might want
> > to change the added rule to "deny".
> 
> Sounds like a good idea, as long as it doesn't break anything (which
> is probably hard to assess, sure :)

I asked Reinhard Max, the SUSE ntp maintainer - see 
https://bugzilla.opensuse.org/show_bug.cgi?id=945592

Here's his answer:

-----------------------------------------------------------------------

> Do you have an idea why ntpd wants/needs those directory listings?

>From some quick code digging, it looks like sntp tries to find the full 
path of its own executable by scanning all directories in $PATH.

If you are interested in the details, see these files inside the ntp 
source dir:

sntp/libopts/compat/pathfind.c
sntp/libopts/init.c
sntp/libopts/load.c

> Do you think I need to allow them in the AppArmor profile?

Yes, please, because I think AppArmor should not get into the way of a 
service trying to do its thing. If you think the directory scanning is 
unneeded, wrong or even dangerous, please discuss it with upstream.

-----------------------------------------------------------------------

Can someone who knows C better than I do have a quick look at the ntp 
source, please? If you come up with something that we can/should tell 
ntp upstream, that would even be better ;-)


Regards,

Christian Boltz
-- 
Übrigens gibt es jetzt eine Briefmarke von Bill Gates. Leider klebt
die nicht so richtig. Eine unabhängige Kommission hat inzwischen
festgestellt, daß die Leute immer auf die falsche Seite spucken.


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to