著者: Ken Dibble日付: 2024-07-16 18:38 UTC To: dng題目: [DNG] NTP oddities
I have no idea what the problem is with ntp, it's permissions, logging
and it's apparmor profile
OR ntpsec.
$ ps -ef | grep ntp
ntp 1546 1 0 10:35 ? 00:00:00 /usr/sbin/ntpd -p
/var/run/ntpd.pid -g -c /run/ntp.conf.dhcp -u 101:106
2024-07-16T10:35:33.899670-04:00 anna kernel: [ 13.523936] audit:
type=1400 audit(1721140533.892:18): apparmor="DENIED" operation="open"
profile="/usr/sbin/ntpd" name="/run/ntp.conf.dhcp" pid=1546 comm="ntpd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
And yet....
$ grep "/run/" usr.sbin.ntpd
/run/ntpsec/ntp.conf.dhcp r,
/run/lock/ntpsec-ntpdate wk,
So, apparmor won't let ntpd open a file "/run/ntp.conf.dhcp" for reading
yet it would apparently let it open
/run/ntpsec/ntp.conf.dhcp
And yet the ntp run file does exist
$ ls -l /run/ntp.conf.dhcp
-rw-r--r-- 1 root root 2323 Jul 16 10:35 /run/ntp.conf.dhcp
AND
a run file exists for a ntpsec process that doesn't or 2 run files exist
for one process and we can
just put them wherever we want, since we can create however many we want.
$ ls -l /run/ntpsec/ntp.conf.dhcp
-rw-r--r-- 1 root root 2056 Jul 16 10:35 /run/ntpsec/ntp.conf.dhcp
AS WELL...
2024-07-16T10:35:33.929237-04:00 anna ntpd[1546]: statistics directory
/var/log/ntpsec/ does not exist or is unwriteable, error Permission denied
But....
/var/log/ntpsec did not exist so I created it, to no avail. Same
result, probably a ownership
thing, but which owner?
$ ls -ld /var/log/ntpsec/
drwxr-xr-x 2 root root 4096 Jul 10 14:55 /var/log/ntpsec/
grep "/var/log/ntpsec" usr.sbin.ntpd
/var/log/ntpsec/clockstats* rwl,
/var/log/ntpsec/loopstats* rwl,
/var/log/ntpsec/peerstats* rwl,
/var/log/ntpsec/protostats* rwl,
/var/log/ntpsec/rawstats* rwl,
/var/log/ntpsec/sysstats* rwl,
And on top of that..
$ grep ntp /etc/group
ntp:x:106:
ntpsec:x:131:
grep ntp /etc/passwd
ntp:x:101:106::/nonexistent:/usr/sbin/nologin
ntpsec:x:124:131::/nonexistent:/usr/sbin/nologin
And just for completeness.
$ ls -l /run/lock/ntp*
-rw-r--r-- 1 root root 0 Jul 16 10:35 /run/lock/ntpsec-ntpdate
Apparently ntpsec is a secure implementation of ntp.
So why is ntpd trying to write to a directory belonging to a supposedly
secure implementation that is apparently not running?
Why does the ntp apparmor profile show ntp supposedly being able to
write to ntpsec's directory? If this was really suppose to be okay, why
wouldn't they share a group so permissions could be stated (or even work)?
It may just be me, but none of this makes any sense.
for the record.. $cat /etc/issue
Devuan GNU/Linux daedalus
Regards,
Ken