[Bug 1788102] Re: ntpsec's ntpd fails to write ntp.drift file because of apparmor

Ubuntu Foundations Team Bug Bot 1788102 at bugs.launchpad.net
Tue Aug 21 08:21:12 UTC 2018

The attachment "ntpsec_1.1.0+dfsg1-1ubuntu1.debdiff" seems to be a
debdiff.  The ubuntu-sponsors team has been subscribed to the bug report
so that they can review and hopefully sponsor the debdiff.  If the
attachment isn't a patch, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of
~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.

  ntpsec's ntpd fails to write ntp.drift file because of apparmor

Status in ntpsec package in Ubuntu:
  In Progress

Bug description:

  NTPsec 1.1.0 changed the way it writes the drift file. The new drift
  file is written to ntp.drift-tmp before being renamed to ntp.drift.
  The apparmor policy does not allow writing to ntp.drift-tmp. As a
  result, NTPsec is not able to write the drift file.

  Failing to write the drift file means that every time ntpd starts up,
  it has to recalculate the system's drift from scratch. This reduces
  clock accuracy for some time.

  The fix is to update the apparmor policy to allow writing to
  ntp.drift-tmp at the same locations as ntp.drift.

  Per the SRU rules, I waited to file this SRU until the fix made it
  into cosmic. This is fixed in ntpsec 1.1.1+dfsg1-2, which has synced
  to cosmic. It was originally fixed in exactly the way proposed here.
  (The fix here is a cherry pick of that commit.) However, subsequent
  changes restructured /var/lib/ntp to /var/lib/ntpsec, so the apparmor
  policy in 1.1.1+dfsg1-2 can't be directly copied.

  [Test Case]

  1. If the ntp (note: ntp, not ntpsec) package is installed, uninstall
  it. Make sure there is no /var/lib/ntp/ntp.drift file left over from
  the ntp package or previous testing.

  2. Install ntpsec.

  3. Wait a while (typically an hour or more) for ntpd to calculate the

  4. Check syslog for messages like this:
  2018-08-21T00:23:52.891966-05:00 ubuntu1804test ntpd[5392]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: Permission denied
  and the kernel log for messages like this:
  [446384.822309] audit: type=1400 audit(1534825432.887:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110

  5. Verify that there is no /var/lib/ntp/ntp.drift file.

  6. Install the updated apparmor policy. Restart apparmor. Restart
  ntpd. Wait for ntpd to calculate the drift. This time there should be
  a file at: /var/lib/ntp/ntp.drift

  [Regression Potential]

  This change only adds entries to the apparmor profile. Barring a
  syntax error, this shouldn't be able to break anything.

  [Other Info]

  I am the Debian maintainer of the ntpsec package.
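As an added illustration (not part of the bug report or of the ntpsec package), a small parser that turns the kernel-log denial quoted in test-case step 4 into the file rule the profile is missing. The mask-to-permission mapping and the suggested rule are this example's own; compare the result with what aa-logprof proposes before editing a profile.

```python
import re

# Constructed samples: the kernel-log denial quoted in the bug report, plus
# one unrelated audit record and one denial from a different profile.
SAMPLE_LOG = [
    '[446384.822309] audit: type=1400 audit(1534825432.887:14): '
    'apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" '
    'name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" '
    'requested_mask="c" denied_mask="c" fsuid=110 ouid=110',
    '[446384.900000] audit: type=1400 audit(1534825432.900:15): '
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" '
    'name="/etc/ntp.conf" pid=5392 comm="ntpd" requested_mask="r" denied_mask="r"',
    '[446385.000000] audit: type=1400 audit(1534825433.000:16): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/other" '
    'name="/tmp/x" pid=1 comm="other" requested_mask="r" denied_mask="r"',
]

# Kernel audit mask letters -> profile permission letters. The kernel reports
# create ("c") and delete ("d") separately; the profile language folds both
# into "w". (Assumed mapping, modelled on the apparmor log tools.)
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "x": "x", "m": "m", "l": "l", "k": "k"}

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_file_rule(fields):
    """Render the file rule that would satisfy one parsed denial."""
    wanted = {_MASK_TO_PERM[c] for c in fields["denied_mask"] if c in _MASK_TO_PERM}
    perms = "".join(p for p in "rwaxmlk" if p in wanted)
    return f'{fields["name"]} {perms},'


def rules_for_profile(lines, profile):
    """Collect distinct suggested rules for one profile from a log excerpt."""
    rules = []
    for line in lines:
        f = parse_apparmor_denial(line)
        if f and f.get("profile") == profile:
            rule = suggest_file_rule(f)
            if rule not in rules:
                rules.append(rule)
    return rules
```

After adding the rule to the profile, `apparmor_parser -r <profile file>` reloads it without a full apparmor restart.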

To manage notifications about this bug go to:
