Is there any reason the drift file should be mode 600?

Richard Laager rlaager at
Thu Dec 14 06:45:23 UTC 2017

On 12/14/2017 12:01 AM, Hal Murray wrote:
> Is it easy to hack the startup scripts to change the mode so root can read it?

Yes, that could be done. I'm not sure I like that as a solution. It
seems weird to have something that only works correctly when run through
the init system, and subtly misbehaves if started by hand.

> That sort of stuff used to be easy before systemd

It's still easy. Add this to ntpd.service:
ExecStartPre=-/bin/chmod -f 664 /var/lib/ntp/ntp.drift

In sysvinit, you'd want:
chmod -f 664 /var/lib/ntp/ntp.drift || true

> Have you tried refclocks with apparmor?

Yes. I have one system that uses the spectracom driver.

With the Debian/Ubuntu apparmor policy, you have to add the serial
device to /etc/apparmor.d/tunables/ntpd. For example, I am using
/dev/ttyS0. ntpd is not allowed to access a serial port by default. It
*is* allowed to access /dev/pps* by default.

I've inherited this apparmor policy from the ntp package. I have made a
few changes, but this seems reasonable. I don't think the distro needs
to allow  ntpd to access serial ports by default.

> I think the current code opens them before dropping root.

I assume it does. My /dev/ttyS0 is 660 root dialout, ntpd is running as
ntp:ntp, and the ntp user is not a member of dialout.


More information about the devel mailing list