[apparmor] [patch] Allow ntpd to read directory listings of $PATH

Christian Boltz apparmor at cboltz.de
Mon Sep 14 11:02:27 UTC 2015


Hello,

On Tuesday, 25 August 2015, intrigeri wrote:
> Christian Boltz wrote (25 Aug 2015 12:16:14 GMT) :
> > Also, ntpd seems to work without those permissions, so we might want
> > to change the added rule to "deny".
> 
> Sounds like a good idea, as long as it doesn't break anything (which
> is probably hard to assess, sure :)

I asked Reinhard Max, the SUSE ntp maintainer - see 
https://bugzilla.opensuse.org/show_bug.cgi?id=945592

Here's his answer:

-----------------------------------------------------------------------

> Do you have an idea why ntpd wants/needs those directory listings?

From some quick code digging, it looks like sntp tries to find the full
path of its own executable by scanning all directories in $PATH.

If you are interested in the details, see these files inside the ntp 
source dir:

sntp/libopts/compat/pathfind.c
sntp/libopts/init.c
sntp/libopts/load.c

> Do you think I need to allow them in the AppArmor profile?

Yes, please, because I think AppArmor should not get in the way of a
service trying to do its thing. If you think the directory scanning is
unneeded, wrong or even dangerous, please discuss it with upstream.

-----------------------------------------------------------------------

Can someone who knows C better than I do have a quick look at the ntp
source, please? If you come up with something that we can/should tell
ntp upstream, that would be even better ;-)


Regards,

Christian Boltz
-- 
By the way, there is now a Bill Gates postage stamp. Unfortunately it
doesn't stick properly. An independent commission has since found
that people always spit on the wrong side.
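As an added illustration of the pattern Reinhard describes (this is not code from ntp, libopts or the openSUSE profile), here is a small C program that walks $PATH looking for its own executable name, the way the mail says sntp/libopts does. The lookup predicate is pluggable so the search logic can be exercised offline without touching the real filesystem; the fake file names, the PATH strings and the `/usr/bin:/bin` fallback for an unset PATH are assumptions made for the example.

```c
/*
 * Added example (not from the ntp sources or the AppArmor profile):
 * a minimal re-implementation of "find my own executable by walking
 * $PATH". The existence check is injectable so the search logic can
 * be tested without the real filesystem.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predicate: does "candidate" exist and pass the caller's check? */
typedef int (*exists_fn)(const char *candidate, void *ctx);

/*
 * Walk the colon-separated "path" and report the first directory in
 * which check(dir/name) succeeds. An empty component means the current
 * directory, as POSIX specifies for PATH. Returns 1 and fills "out" on
 * success, 0 if not found. If "visited" is non-NULL it receives the
 * number of directories probed: every one of them is a filesystem
 * access that a confining AppArmor profile has to allow or deny.
 */
int pathfind_with(const char *path, const char *name, exists_fn check,
                  void *ctx, char *out, size_t outlen, int *visited)
{
    int n = 0;
    if (path == NULL || name == NULL || strchr(name, '/') != NULL)
        return 0;                 /* names containing '/' are not searched */
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        char candidate[4096];
        int len;
        if (dlen == 0)            /* "" or "::" in PATH means cwd */
            len = snprintf(candidate, sizeof candidate, "./%s", name);
        else
            len = snprintf(candidate, sizeof candidate, "%.*s/%s",
                           (int)dlen, p, name);
        n++;
        if (len > 0 && (size_t)len < sizeof candidate &&
            check(candidate, ctx)) {
            snprintf(out, outlen, "%s", candidate);
            if (visited) *visited = n;
            return 1;
        }
        if (end == NULL) break;
        p = end + 1;
    }
    if (visited) *visited = n;
    return 0;
}

/* Real predicate: the candidate exists and is executable by us. */
static int check_access(const char *candidate, void *ctx)
{
    (void)ctx;
    return access(candidate, X_OK) == 0;
}

/* Wrapper over the real environment. The fallback PATH is an assumption. */
int pathfind(const char *name, char *out, size_t outlen)
{
    const char *path = getenv("PATH");
    if (path == NULL) path = "/usr/bin:/bin";
    return pathfind_with(path, name, check_access, NULL, out, outlen, NULL);
}

/* Fake predicate for offline tests: a candidate "exists" iff it equals ctx. */
int check_fixed(const char *candidate, void *ctx)
{
    return strcmp(candidate, (const char *)ctx) == 0;
}

int main(int argc, char **argv)
{
    char found[4096];
    const char *self = argc > 0 ? strrchr(argv[0], '/') : NULL;
    self = self ? self + 1 : (argc > 0 ? argv[0] : "sntp");
    if (pathfind(self, found, sizeof found))
        printf("found via $PATH: %s\n", found);
    else
        printf("%s not found in $PATH\n", self);
    return 0;
}
```

Run under strace -f -e trace=%file and every $PATH entry shows up as a probe, which is exactly what the profile has to cover, for instance with `/usr/bin/ r,` to allow listing /usr/bin or `deny /usr/bin/ r,` to silence the audit message instead. The search also depends on the caller's environment: an empty component is the current directory, and a relative entry resolves wherever the daemon happens to be. On Linux a process can learn its own path with readlink on /proc/self/exe without consulting $PATH at all; whether that is an acceptable change for libopts is the question for upstream, not something this example settles.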