Is there any reason the drift file should be mode 600?

Hal Murray hmurray at megapathdsl.net
Thu Dec 14 06:01:31 UTC 2017


> 1) Fix the apparmor policy.  ...

Is it easy to hack the startup scripts to change the mode so root can read it?

That sort of stuff used to be easy before systemd.  It actually executed 
/etc/sysconfig/ntpd.

We have similar problems of needing to run ldattach for PPS.  I haven't 
figured out how to do that cleanly with systemd.  I disabled ntpd and started 
it from rc.local.


> 2) Read the drift file after dropping privileges, rather than before.
> Is #2 feasible? 

Maybe, but I'm pretty sure there is no reason for mode 600 and I've written 
hacks that read it.  You can get the same info from the kernel without fancy 
permissions via ntp_adjtime.  We even ship a program to do it: ntptime.

We have similar problems with log files.  I'm not familiar with apparmor.  We 
should document what is necessary.

I'm pretty sure we don't write any of the stats files until long after dropping root.  So they work if the directory (/var/log/ntpstats/) is owned by ntp.

ntpd.log is a bit trickier.  It gets opened as root, and reopened as ntp if you send it SIGHUP after log rotate.  ntpd can make new versions if you put them in /var/log/ntpstats/.   Without apparmor, root can open them the next time ntpd is (re)started. 

Have you tried refclocks with apparmor?  I think the current code opens them before dropping root.


-- 
These are my opinions.  I hate spam.
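
The point above about ntp_adjtime, as an added example that is not part of the original post or of the project's code: an unprivileged process reads the kernel's frequency correction with a read-only ntp_adjtime() call (modes = 0) and, if given a path, prints the drift file value beside it. It assumes Linux with glibc and a drift file whose first token is the frequency in PPM; the helper names and the command-line path argument are hypothetical.

```c
/* Added example: read the kernel frequency correction without privileges. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/timex.h>

/* The kernel reports freq in PPM with a 16-bit fraction (see adjtimex(2)). */
double scaled_to_ppm(long scaled) { return (double)scaled / 65536.0; }

/* Parse drift-file text (assumed: first token is the frequency in PPM).
   Returns 0 on success, -1 if no number is found or it is out of range. */
int parse_drift(const char *text, double *ppm)
{
    char *end;
    errno = 0;
    double v = strtod(text, &end);
    if (end == text || errno == ERANGE)
        return -1;
    *ppm = v;
    return 0;
}

/* modes = 0 makes this a pure query, so CAP_SYS_TIME is not required.
   Returns the clock state (TIME_OK, ...) or -1 on error. */
int kernel_freq_ppm(double *ppm)
{
    struct timex tx = {0};
    int state = ntp_adjtime(&tx);
    if (state == -1)
        return -1;
    *ppm = scaled_to_ppm(tx.freq);
    return state;
}

int main(int argc, char **argv)
{
    double k, d;
    char buf[64];
    if (kernel_freq_ppm(&k) == -1) { perror("ntp_adjtime"); return 1; }
    printf("kernel frequency: %.3f ppm\n", k);
    if (argc > 1) {                      /* optional: path to the drift file */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 1; }  /* fails on a mode-600 file */
        if (fgets(buf, sizeof buf, f) && parse_drift(buf, &d) == 0)
            printf("drift file:       %.3f ppm\n", d);
        fclose(f);
    }
    return 0;
}
```

Run as an ordinary user, the first line still prints when the drift file itself cannot be opened.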




