Public bug reported:
[Impact]
NTPsec 1.1.0 changed the way it writes the drift file. The new drift
file is written to ntp.drift-tmp before being renamed to ntp.drift. The
apparmor policy does not allow writing to ntp.drift-tmp. As a result,
NTPsec is not able to write the drift file.
Failing to write the drift file means that every time ntpd starts up, it
has to recalculate the system's drift from scratch. This reduces clock
accuracy for some time.
The fix is to update the apparmor policy to allow writing to
ntp.drift-tmp at the same locations as ntp.drift.
Per the SRU rules, I waited to file this SRU until the fix made it into
cosmic. This is fixed in ntpsec 1.1.1+dfsg1-2, which has synced to
cosmic. It was originally fixed in exactly the way proposed here. (The
fix here is a cherry pick of that commit.) However, subsequent changes
restructured /var/lib/ntp to /var/lib/ntpsec, so the apparmor policy in
1.1.1+dfsg1-2 can't be directly copied.
[Test Case]
1. If the ntp (note: ntp, not ntpsec) package is installed, uninstall
it. Make sure there is no /var/lib/ntp/ntp.drift file left over from the
ntp package or previous testing.
2. Install ntpsec.
3. Wait a while (typically an hour or more) for ntpd to calculate the
drift.
4. Check syslog for messages like this:
2018-08-21T00:23:52.891966-05:00 ubuntu1804test ntpd[5392]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: Permission denied
and the kernel log for messages like this:
[446384.822309] audit: type=1400 audit(1534825432.887:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
5. Verify that there is no /var/lib/ntp/ntp.drift file.
6. Install the updated apparmor policy. Restart apparmor. Restart ntpd.
Wait for ntpd to calculate the drift. This time there should be a file
at: /var/lib/ntp/ntp.drift
[Regression Potential]
This change only adds entries to the apparmor profile. Barring a syntax
error, this shouldn't be able to break anything.
[Other Info]
I am the Debian maintainer of the ntpsec package.
** Affects: ntpsec (Ubuntu)
Importance: Undecided
Status: In Progress
https://bugs.launchpad.net/bugs/1788102
Title:
ntpsec's ntpd fails to write ntp.drift file because of apparmor
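
The kernel-log check in step 4 of the test case can be done mechanically by parsing the AppArmor audit records. The Python below is an added example, not part of the original report or of ntpsec or AppArmor; the function names and the second and third log records are constructed, and mapping the logged "c"/"d" masks to the "w" file permission is this example's assumption about how a profile rule would grant them.

```python
import re
from collections import defaultdict

# Constructed sample kernel log. The first record is the denial quoted in the
# report; the second and third are constructed for contrast.
SAMPLE_LOG = """\
[446384.822309] audit: type=1400 audit(1534825432.887:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
[446390.000001] audit: type=1400 audit(1534825438.100:15): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=6000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[450000.000002] audit: type=1400 audit(1534829048.200:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
"""

# Audit fields are key=value or key="quoted value". Hex-encoded names (used by
# the kernel for paths with spaces or special characters) are not decoded here.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def denied_file_access(log_text, profile):
    """Map each denied path to the set of denied mask letters for one profile."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode (ALLOWED) records
        if rec.get("profile") != profile or "name" not in rec:
            continue
        denied[rec["name"]].update(rec.get("denied_mask", ""))
    return dict(denied)

def rule_access(masks):
    """Permission letters a file rule would need (assumption: c and d fall under w)."""
    return "".join(sorted({"w" if m in "cd" else m for m in masks}))

if __name__ == "__main__":
    for path, masks in denied_file_access(SAMPLE_LOG, "/usr/sbin/ntpd").items():
        print(f"{path}: denied {sorted(masks)}, rule needs '{rule_access(masks)}'")
```

An empty result for the /usr/sbin/ntpd profile after step 6 is the log-side counterpart of finding /var/lib/ntp/ntp.drift on disk.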