Is there any reason the drift file should be mode 600?
Richard Laager
rlaager at wiktel.com
Thu Dec 14 05:02:45 UTC 2017
On 12/13/2017 06:23 PM, Hal Murray via devel wrote:
> If you are using apparmor, ntpd can't read the drift file at startup because
> it is still root while the drift file is user ntp.
There are a couple of other possible fixes for this:
1) Fix the apparmor policy. That's what I've done. The downside here is
that I'm granting a significant capability to the entire daemon, when
the problem is specific to one read of one file one time. However, that
should be mitigated in the future, as apparmor 3 is supposed to support
limiting dac_override to specific files and/or owners.
2) Read the drift file after dropping privileges, rather than before.
Is #2 feasible?
--
Richard
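As an added example of what option #2 looks like, here is a small C program (written for this page; it is not NTPsec's code and was not posted in the thread). It drops root first, checks that the drop cannot be undone, and only then opens the drift file as the unprivileged user, so the read never needs CAP_DAC_OVERRIDE and the AppArmor profile can leave that capability out. The path /tmp/ntp.drift.example, the account name "ntp", the function names, and the 500 ppm sanity bound are assumptions for illustration; the file format (one frequency offset in PPM, e.g. "-12.345") is what ntpd writes.

```c
/* Added example, not NTPsec code: drop privileges, then read the drift
 * file. Assumed for illustration: the path, the "ntp" account name and
 * the +/-500 ppm sanity bound. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int setgroups(size_t size, const gid_t *list); /* repeated in case strict-ISO headers hide it */

#define DRIFT_MAX_PPM 500.0   /* assumed sanity bound on |offset| */

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (needs root), then the gid, then the uid last, because setuid() away
 * from root removes the right to do the other two. Each step is checked.
 * When not root there is nothing to drop, so succeed only if the ids
 * already match. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0 && geteuid() != 0)
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be irreversible: if root can be regained, refuse. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Parse the drift file: one decimal frequency offset in PPM, optional
 * trailing whitespace. Returns 0 and stores the value, or -1 on open,
 * parse or range failure. Run after the drop, a root-owned file or an
 * AppArmor denial shows up here as EACCES from fopen. */
int read_drift(const char *path, double *ppm) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    char buf[64];
    const char *got = fgets(buf, sizeof buf, f);
    fclose(f);
    if (got == NULL) return -1;
    errno = 0;
    char *end;
    double v = strtod(buf, &end);
    if (end == buf || errno == ERANGE) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                                  /* trailing junk */
    if (!(v >= -DRIFT_MAX_PPM && v <= DRIFT_MAX_PPM)) return -1;  /* also rejects NaN */
    *ppm = v;
    return 0;
}

/* The ordering the message asks about: drop first, read second. */
int startup(const char *drift_path, uid_t uid, gid_t gid, double *ppm) {
    if (drop_privileges(uid, gid) != 0) return -1;
    return read_drift(drift_path, ppm);
}

/* Demo helper: write a constructed sample drift file with mode 0600 and,
 * when running as root, hand it to the target user, as ntpd's own
 * post-drop shutdown write would leave it. */
int write_sample_drift(const char *path, const char *contents,
                       uid_t owner, gid_t group) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    if (geteuid() == 0 && fchown(fd, owner, group) != 0) n = -1;
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

int main(void) {
    /* Target ids: the assumed "ntp" account when started as root,
     * otherwise the current user so the demo also runs unprivileged. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("ntp");
        if (pw == NULL) { fputs("no ntp user; run unprivileged\n", stderr); return 1; }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    const char *path = "/tmp/ntp.drift.example";   /* assumed path */
    if (write_sample_drift(path, "-12.345\n", uid, gid) != 0) { perror("write"); return 1; }
    double ppm;
    if (startup(path, uid, gid, &ppm) != 0) { perror("startup"); return 1; }
    printf("running as uid %u, drift %.3f ppm\n", (unsigned)geteuid(), ppm);
    return 0;
}
```

The check a practitioner wants here is the one in drop_privileges: after setuid() away from root, a second setuid(0) must fail, otherwise the saved set-user-ID still lets the daemon come back. The caveat is that option #2 only works if the drift file is readable by the dropped user; a file left behind by root (for example one written before the drop in an earlier version, or installed by a package as root:root 0600) will fail with EACCES and has to be chowned once.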