apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and capability block_suspend

Bug #1205875 reported by J G Miller
Affects: ntp (Ubuntu) | Status: Expired | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

PRETTY_NAME="Ubuntu quantal (12.10)"
VERSION="12.10, Quantal Quetzal"

Package: ntp
Priority: optional
Section: net
Installed-Size: 1384
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Architecture: i386
Version: 1:4.2.6.p3+dfsg-1ubuntu5

In the system auth log files and dmesg the following apparmor messages are seen --

type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb" pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

type=1400 audit(1375004313.016:41): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36 capname="block_suspend"

type=1400 audit(1375004322.652:42): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36 capname="block_suspend"

Does ntpd really need WRITE privileges on /run/samba/gencache.tdb ? Should not READ be sufficient?

Also why does ntpd need block_suspend capability?

At a minimum read access to the gencache should be enabled for ntp in its profile, and probably read+write in the samba profile which is also missing for usr.sbin.smbd in the samba 2:3.6.6-3ubuntu5 package.
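Added example, not part of the bug report or the ntp package: a small Python parser that turns AppArmor DENIED audit lines like the three above into the candidate profile rules they correspond to, so an administrator can see exactly what a profile change would grant before deciding, as the report asks, whether write access to gencache.tdb is warranted at all. The sample log text is the report's own three lines; the mask-to-permission table is an assumption covering the common AppArmor mask letters.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three AppArmor DENIED lines quoted in the bug report.
SAMPLE_LOG = """\
type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb" pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=1400 audit(1375004313.016:41): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36 capname="block_suspend"
type=1400 audit(1375004322.652:42): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36 capname="block_suspend"
"""

# key=value pairs, where the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed mapping from audit mask letters to profile permission letters:
# AppArmor logs "c" (create) for a write that creates a file, but the rule that
# allows it is spelled "w"; the other letters carry over unchanged.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "a", "x": "x", "m": "m", "k": "k", "l": "l"}

def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one audit line, or None if it is not a DENIED event."""
    fields: Dict[str, str] = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Translate one parsed denial into the single profile rule that would allow it."""
    if fields.get("operation") == "capable" and "capname" in fields:
        return f'capability {fields["capname"]},'
    if "name" in fields and "denied_mask" in fields:
        # Only the denied letters matter: anything already permitted needs no new rule.
        perms = sorted({MASK_TO_PERM[c] for c in fields["denied_mask"] if c in MASK_TO_PERM})
        return f'{fields["name"]} {"".join(perms)},'
    return None

def rules_for_profile(log_text: str, profile: str) -> List[str]:
    """Collect the distinct rules `profile` would need to silence every denial in log_text."""
    rules: List[str] = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None or fields.get("profile") != profile:
            continue  # other profiles, or non-denial audit noise
        rule = suggest_rule(fields)
        if rule and rule not in rules:  # the two block_suspend lines collapse to one rule
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in rules_for_profile(SAMPLE_LOG, "/usr/sbin/ntpd"):
        print(rule)
```

The output is a review aid, not something to paste into the profile blindly: each suggested rule is the exact grant the denial asked for, which is where the question of read versus write, or of whether ntpd should hold block_suspend at all, gets decided.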

Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

Can you show your ntp configuration?

Changed in ntp (Ubuntu):
status: New → Incomplete
J G Miller (jgmiller) wrote :

Serge Hallyn asked "Can you show your ntp configuration?"

Here is the /etc/ntp.conf file

#/*****************************************************************************#
#|
#| file : /etc/ntp.conf.net
#|
#*---------------------------------------------------------------------------*#
#
restrict 192.168.11.0 mask 255.255.255.0 nomodify notrap
#
restrict 192.168.11.12
#
restrict 127.0.0.1
#
#.............................................................................#
#
logconfig =clockall +peerall +syncall +sysall
#
#.............................................................................#
#
driftfile /var/log/ntpd/ntpstats/ntp.drift
#
logfile /var/log/ntpd/ntpd.log
#
statsdir /var/log/ntpd/ntpstats/
#
#.............................................................................#
#
statistics clockstats loopstats peerstats
#
filegen clockstats file clockstats type day enable
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
#
#.............................................................................#
#
server another_host.my_local_domain
#
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#
#*****************************************************************************#

where another_host.my_local_domain is the FQDN of my ntp server on another machine on my internal network 192.168.11.0 so there are no overt references to SAMBA hosts, BUT nsswitch.conf has

#*****************************************************************************#
#|
#| file : /etc/nsswitch.conf
#|
#*---------------------------------------------------------------------------*#
#
group: compat
passwd: compat
shadow: compat
#
#.............................................................................#
#
hosts: files mdns4_minimal [NOTFOUND=return] wins nis dns mdns4
#
networks: nis files
#
#.............................................................................#
#
files ... etc

which may explain why CIFS/SAMBA becomes involved.

Also, as a footnote, gencache.tdb is present and world readable, but obviously not world writable:

 ll /run/samba/gencache.tdb

416 -rw-r--r-- 1 root root 425984 2013-09-22 10:37 /run/samba/gencache.tdb

Launchpad Janitor (janitor) wrote :

[Expired for ntp (Ubuntu) because there has been no activity for 60 days.]

Changed in ntp (Ubuntu):
status: Incomplete → Expired
C de-Avillez (hggdh2)
Changed in ntp (Ubuntu):
importance: Undecided → Low
status: Expired → New
Christian Ehrhardt (paelzer) wrote :

Sorry - I know it's a long time, but I'm cleaning up old NTP bugs atm.

It sounds as if it is of low priority (according to the reports it works other than annoying messages).
Also a long time has passed and we haven't seen any similar bug or people chiming in here.

Since things surely have changed a lot all around in all the time I'd set the bug incomplete to check if it is still reproducible and also "if anybody still cares". The effort to recreate if nobody cares is too high to "just do it".

That said, setting invalid - please reset to new if this still bothers your system so no one can take a second look at it.

Changed in ntp (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for ntp (Ubuntu) because there has been no activity for 60 days.]

Changed in ntp (Ubuntu):
status: Incomplete → Expired