:: [DNG] NTP oddities
Top Page
Delete this message
Reply to this message
Author: Ken Dibble
Date:  
To: dng
Subject: [DNG] NTP oddities
I have no idea what the problem is with ntp, it's permissions, logging
and it's apparmor profile

OR ntpsec.


$ ps -ef | grep ntp
ntp       1546     1  0 10:35 ?        00:00:00 /usr/sbin/ntpd -p
/var/run/ntpd.pid -g -c /run/ntp.conf.dhcp -u 101:106


2024-07-16T10:35:33.899670-04:00 anna kernel: [   13.523936] audit:
type=1400 audit(1721140533.892:18): apparmor="DENIED" operation="open"
profile="/usr/sbin/ntpd" name="/run/ntp.conf.dhcp" pid=1546 comm="ntpd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

And yet....

$ grep "/run/" usr.sbin.ntpd
  /run/ntpsec/ntp.conf.dhcp r,
/run/lock/ntpsec-ntpdate wk,

So, apparmor won't let ntpd open a file "/run/ntp.conf.dhcp" for reading

yet it would apparently let it open

/run/ntpsec/ntp.conf.dhcp

And yet the ntp run file does exist

$ ls -l /run/ntp.conf.dhcp
-rw-r--r-- 1 root root 2323 Jul 16 10:35 /run/ntp.conf.dhcp


AND

a run file exists for a ntpsec process that doesn't or 2 run files exist
for one process and we can

just put them wherever we want, since we can create however many we want.

$ ls -l /run/ntpsec/ntp.conf.dhcp
-rw-r--r-- 1 root root 2056 Jul 16 10:35 /run/ntpsec/ntp.conf.dhcp


AS WELL...


2024-07-16T10:35:33.929237-04:00 anna ntpd[1546]: statistics directory
/var/log/ntpsec/ does not exist or is unwriteable, error Permission denied

But....


/var/log/ntpsec did not exist so I created it, to no avail.  Same
result, probably a ownership

thing, but which owner?


$ ls -ld /var/log/ntpsec/
drwxr-xr-x 2 root root 4096 Jul 10 14:55 /var/log/ntpsec/


grep "/var/log/ntpsec"  usr.sbin.ntpd
  /var/log/ntpsec/clockstats* rwl,
  /var/log/ntpsec/loopstats*  rwl,
  /var/log/ntpsec/peerstats*  rwl,
  /var/log/ntpsec/protostats* rwl,
  /var/log/ntpsec/rawstats*   rwl,
  /var/log/ntpsec/sysstats*   rwl,

And on top of that..

$ grep ntp /etc/group
ntp:x:106:
ntpsec:x:131:

grep ntp /etc/passwd
ntp:x:101:106::/nonexistent:/usr/sbin/nologin
ntpsec:x:124:131::/nonexistent:/usr/sbin/nologin

And just for completeness.

$ ls -l /run/lock/ntp*
-rw-r--r-- 1 root root 0 Jul 16 10:35 /run/lock/ntpsec-ntpdate

Apparently ntpsec is a secure implementation of ntp.

So why is ntpd trying to write to a directory belonging to a supposedly
secure implementation that is apparently not running?

Why does the ntp apparmor profile show ntp supposedly being able to
write to ntpsec's directory?  If this was really suppose to be okay, why
wouldn't they share a group so permissions could be stated (or even work)?

It may just be me, but none of this makes any sense.

for the record.. $cat /etc/issue
Devuan GNU/Linux daedalus

Regards,

Ken