Hello, Am Dienstag, 25. August 2015 schrieb intrigeri: > Christian Boltz wrote (25 Aug 2015 12:16:14 GMT) : > > Also, ntpd seems to work without those permissions, so we might want > > to change the added rule to "deny". > > Sounds like a good idea, as long as it doesn't break anything (which > is probably hard to assess, sure :)
I asked Reinhard Max, the SUSE ntp maintainer - see https://bugzilla.opensuse.org/show_bug.cgi?id=945592 Here's his answer: ----------------------------------------------------------------------- > Do you have an idea why ntpd wants/needs those directory listings? >From some quick code digging, it looks like sntp tries to find the full path of its own executable by scanning all directories in $PATH. If you are interested in the details, see these files inside the ntp source dir: sntp/libopts/compat/pathfind.c sntp/libopts/init.c sntp/libopts/load.c > Do you think I need to allow them in the AppArmor profile? Yes, please, because I think AppArmor should not get into the way of a service trying to do its thing. If you think the directory scanning is unneeded, wrong or even dangerous, please discuss it with upstream. ----------------------------------------------------------------------- Can someone who knows C better than I do have a quick look at the ntp source, please? If you come up with something that we can/should tell ntp upstream, that would even be better ;-) Regards, Christian Boltz -- Übrigens gibt es jetzt eine Briefmarke von Bill Gates. Leider klebt die nicht so richtig. Eine unabhängige Kommission hat inzwischen festgestellt, daß die Leute immer auf die falsche Seite spucken. -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
