On 12/13/2017 06:23 PM, Hal Murray via devel wrote:
> If you are using apparmor, ntpd can't read the drift file at startup because
> it is still root while the drift file is user ntp.

There are a couple of other possible fixes for this:

1) Fix the apparmor policy. That's what I've done. The downside here is that I'm granting a significant capability to the entire daemon, when the problem is specific to one read of one file one time. However, that should be mitigated in the future, as apparmor 3 is supposed to support limiting dac_override to specific files and/or owners.

2) Read the drift file after dropping privileges, rather than before.

Is #2 feasible?

-- 
Richard
_______________________________________________
devel mailing list
[email protected]
http://lists.ntpsec.org/mailman/listinfo/devel
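The ordering question raised in option 2 above, as an added example that is not from the ntpsec mailing list or from the ntpd code base: the process drops to the service account first (supplementary groups, then gid, then uid, with a check that the drop is permanent) and only then opens the drift file, so the open is checked against the account that owns the file and neither DAC override nor a `capability dac_override` rule in an AppArmor profile is needed for that read. The function names, the `ntp` account and the `/var/lib/ntp/ntp.drift` path are illustrative assumptions; when the program is not started as root there is nothing to drop, so it goes straight to the read.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first,
 * then gid, then uid, because once the uid is unprivileged the group changes
 * are no longer allowed. Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* When dropping to an unprivileged account, make sure we cannot climb
     * back: a successful setuid(0) here means the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Write a drift value in the one-number-per-file form the drift file uses. */
int write_drift(const char *path, double drift)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    int rc = fprintf(fp, "%.3f\n", drift) < 0 ? -1 : 0;
    if (fclose(fp) != 0) rc = -1;
    return rc;
}

/* Read a single floating-point drift value from path.
 * Returns 0 and stores the value, or -1 with errno set. */
int read_drift(const char *path, double *drift)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    int n = fscanf(fp, "%lf", drift);
    fclose(fp);
    if (n != 1) { errno = EINVAL; return -1; }
    return 0;
}

/* Option 2 from the thread: drop privileges first, read second. The open(2)
 * inside fopen is then checked against the service account that owns the
 * file, so no DAC override is required. The drop only happens when we are
 * root and the target is an unprivileged account; otherwise there is nothing
 * to drop and we go straight to the read. */
int read_drift_after_drop(const char *path, uid_t uid, gid_t gid, double *drift)
{
    if (geteuid() == 0 && uid != 0 && drop_privileges(uid, gid) != 0) return -1;
    return read_drift(path, drift);
}

int main(int argc, char **argv)
{
    /* Assumed defaults: the "ntp" account and a typical drift file path. */
    const char *path = argc > 1 ? argv[1] : "/var/lib/ntp/ntp.drift";
    const char *user = argc > 2 ? argv[2] : "ntp";
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 1; }

    double drift;
    if (read_drift_after_drop(path, pw->pw_uid, pw->pw_gid, &drift) != 0) {
        perror(path);
        return 1;
    }
    printf("drift: %.3f ppm (read as uid %u)\n", drift, (unsigned)geteuid());
    return 0;
}
```

The example only shows the read ordering; whether ntpd can afford to give up root before this point (for its other startup work) is exactly the feasibility question the message asks, and the code does not answer it.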
