Is there any reason the drift file should be mode 600?

Richard Laager rlaager at
Thu Dec 14 05:02:45 UTC 2017

On 12/13/2017 06:23 PM, Hal Murray via devel wrote:
> If you are using apparmor, ntpd can't read the drift file at startup because 
> it is still root while the drift file is user ntp.

There are a couple other possible fixes for this:

1) Fix the apparmor policy. That's what I've done. The downside here is
that I'm granting a significant capability to the entire daemon, when
the problem is specific to one read of one file one time. However, that
should be mitigated in the future, as apparmor 3 is supposed to support
limiting dac_override to specific files and/or owners.

2) Read the drift file after dropping privileges, rather than before.

Is #2 feasible?


More information about the devel mailing list