Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
Hai Vincent,

Yes, that is correct.

    /var/lib/samba/ntp_signd/socket rw,

is sufficient.

Greetz,

Louis

> -----Original Message-----
> From: Vincent Blut [mailto:vincent.deb...@free.fr]
> Sent: Tuesday, 14 May 2019 15:54
> To: Louis van Belle; 928...@bugs.debian.org
> CC: Debian Bug Tracking System
> Subject: Re: Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
>
> Hi Louis,
>
> So according to the information gleaned in #928168¹, adding a rule to
> allow read access to the winbindd pipe doesn't seem necessary‽
> As far as I can see from my local tests, only read/write access to
> /var/lib/samba/ntp_signd/socket is needed. Could you please confirm?
>
> If so, chronyd's Apparmor profile should just include (for samba ofc):
> /var/lib/samba/ntp_signd/socket rw,
>
> Cheers,
> Vincent
>
> ¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928168
Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
Hi Louis,

So according to the information gleaned in #928168¹, adding a rule to allow read access to the winbindd pipe doesn't seem necessary‽ As far as I can see from my local tests, only read/write access to /var/lib/samba/ntp_signd/socket is needed. Could you please confirm?

If so, chronyd's Apparmor profile should just include (for samba ofc):

    /var/lib/samba/ntp_signd/socket rw,

Cheers,
Vincent

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928168
Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
Control: tags -1 moreinfo

Hi Louis,

On Mon, Apr 29, 2019 at 11:20:51AM +0200, Louis van Belle wrote:
> Package: chrony
> Severity: important
>
> Hello, after a few messages on the samba list we discovered a wrong path in the apparmor profiles of chrony.
>
> File : /etc/apparmor.d/usr.sbin.chrony
>
> Wrong:
> # samba4 ntp signing socket
> /{,var/}run/samba/ntp_signd/socket rw,

We don't have this rule in our AppArmor profile. I think that one is from ntpd, right?

> Correct:
> # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
> /var/lib/samba/ntp_signd r,
> /var/lib/samba/ntp_signd/{,*} rw,

These rules are already in the chronyd AppArmor profile.

> # samba4 winbindd pipe
> /{,var/}run/samba/winbindd r,
> /{,var/}run/samba/winbindd/pipe r,
>
> # samba4 winbindd_privileged pipe ? Needed, not sure here.
> /var/lib/samba/winbindd_privileged r,
> /var/lib/samba/winbindd/pipe r,

Ok, so before adding these changes to the profile, I would be more comfortable if someone could show me what access is currently denied on this kind of environment. Having the output of something like `grep -s 'DENIED' /var/log/syslog /var/log/auditd/audit.log` would be great.

From what I can see, ntp's Apparmor profile includes:

    # samba4 winbindd pipe
    /run/samba/winbindd/pipe rw,

> Please verify the last one, I'm not a coder, sorry.
>
> Now, the above changes are important to have before the buster release, because it could stop the timesync of domain joined PCs.

Indeed, I think it is important to have this issue sorted out prior to our next stable release.

> Best regards,
>
> Louis

Thanks for your report,
Vincent
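An added example, not part of this bug thread, of the check Vincent asks for: a POSIX shell snippet that pulls the DENIED records for the /usr/sbin/chronyd profile out of AppArmor audit output and turns each one into the candidate profile rule it implies. The log lines are constructed for the demonstration in the usual AppArmor audit record layout; the profile name /usr/sbin/chronyd is the one Debian's chrony profile attaches to.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit records (not taken from the bug report):
# a chronyd denial on the samba ntp_signd socket, an ntpd denial on the winbindd
# pipe, and an ALLOWED record that must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1557840000.100:101): apparmor="DENIED" operation="connect" profile="/usr/sbin/chronyd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="chronyd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1557840000.200:102): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=2345 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1557840000.300:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony/chrony.conf" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read audit/syslog text on stdin and print "path mask" for every DENIED
# record belonging to the given profile, deduplicated.
denied_for_profile() {
    awk -v prof="$1" '
        /apparmor="DENIED"/ {
            p = n = m = ""
            if (match($0, /profile="[^"]*"/)) p = substr($0, RSTART + 9, RLENGTH - 10)
            if (p != prof) next
            if (match($0, /name="[^"]*"/)) n = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /denied_mask="[^"]*"/)) m = substr($0, RSTART + 13, RLENGTH - 14)
            if (n != "" && !seen[n, m]++) print n, m
        }'
}

# Turn each "path mask" line into the file rule the profile would need.
# AppArmor logs a socket connect as mask "wr"; the rule is written "rw".
to_rule() {
    while read -r path mask; do
        case "$mask" in
            *r*w*|*w*r*) perm=rw ;;
            *w*)         perm=w ;;
            *)           perm=r ;;
        esac
        printf '%s %s,\n' "$path" "$perm"
    done
}

# Rules missing from chronyd's profile according to the sample log.
chrony_missing_rules() {
    printf '%s\n' "$SAMPLE_LOG" | denied_for_profile /usr/sbin/chronyd | to_rule
}

chrony_missing_rules
```

On a real host, replace the sample with `grep -s 'DENIED' /var/log/syslog /var/log/audit/audit.log | denied_for_profile /usr/sbin/chronyd | to_rule` and review each suggested rule before adding it to the profile.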
Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
Package: chrony
Severity: important

Hello, after a few messages on the samba list we discovered a wrong path in the apparmor profiles of chrony.

File : /etc/apparmor.d/usr.sbin.chrony

Wrong:
# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw,

Correct:
# To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,

# samba4 winbindd pipe
/{,var/}run/samba/winbindd r,
/{,var/}run/samba/winbindd/pipe r,

# samba4 winbindd_privileged pipe ? Needed, not sure here.
/var/lib/samba/winbindd_privileged r,
/var/lib/samba/winbindd/pipe r,

Please verify the last one, I'm not a coder, sorry.

Now, the above changes are important to have before the buster release, because it could stop the timesync of domain joined PCs.

Best regards,

Louis

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chrony depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  iproute2             4.9.0-1+deb9u1
ii  libc6                2.24-11+deb9u4
ii  libcap2              1:2.25-1
ii  libedit2             3.1-20160903-3
ii  libseccomp2          2.3.1-2.1+deb9u1
pn  libtomcrypt0
ii  lsb-base             9.20161125
ii  ucf                  3.0036
ii  util-linux           2.29.2-1+deb9u1

chrony recommends no packages.

chrony suggests no packages.