ntpq: write to localhost failed: Operation not permitted with no firewall enabled

Bug #596492 reported by Bas van den Dikkenberg

This bug report was converted into a question: question #115239: ntpq: write to localhost failed: Operation not permitted with no firewall enabled.

This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ntp (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Binary package hint: ntp

After installing ntp, when I do ntpq -p I get the error

ntpq: write to localhost failed: Operation not permitted

After searching the internet I saw it could be a firewall issue. I checked that by flushing my iptables and ip6tables, so disabling the firewall, but the problem still exists.

After that I did a complete remove of ntp and ntpdate with apt-get remove --purge ntpdate ntp and removed the ntp user and group.

Then I did a fresh install of ntp, but still the same problem.

With kind regards,

Bas van den Dikkenberg

RoyK (roysk) wrote :

Just tested on 8.04 and 10.04, both with ufw enabled, and it works fine. Please detail your setup. Can it be ntp.conf has some new and interesting parts?

Bas van den Dikkenberg (bas-dikkenberg) wrote :

I am running 9.10.

The ntp conf:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server ntp1.bit.nl
server ntp2.bit.nl
server 172.31.1.254

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Jamie Strandboge (jdstrand) wrote :

Bas,

Can you look in /var/log/kern.log and see if you have any AppArmor denied errors after running your ntpq command? If so, please post them here. Thanks.

Changed in ntp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete

Bas van den Dikkenberg (bas-dikkenberg) wrote :

Jamie,

No AppArmor messages.

If you wish I can grant you SSH access to the system?

Bas

Bas van den Dikkenberg (bas-dikkenberg) wrote :

This seems to be a firewall issue anyway, sorry for the inconvenience.

These 2 lines were the bad guys in the firewall:

       $IP6TABLES -A OUTPUT -s ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -s ::0.0.0.0/96 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/96 -j DROP

Sorry for the inconvenience.

Bas van den Dikkenberg (bas-dikkenberg) wrote :

It was not a bug, but a config error in the FW script.

These rules were executed at the start:

       $IP6TABLES -A OUTPUT -s ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -s ::0.0.0.0/96 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/96 -j DROP

Changed in ntp (Ubuntu):
status: Incomplete → Invalid
Changed in ntp (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
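
Why the four quoted rules break ntpq on localhost, as an added example that is not part of the original thread: both ::0.0.0.0/104 and ::0.0.0.0/96 contain the IPv6 loopback address ::1, and on Linux a packet dropped in the OUTPUT chain makes the send call fail with "Operation not permitted". The Python sketch below walks a rule list first-match for a ::1 to ::1 packet on lo; its function names, the numeric-address and ACCEPT-policy assumptions, and the variant with a leading "-o lo -j ACCEPT" rule are constructed here.

```python
import ipaddress
import shlex

# The four rules quoted in the thread, copied from the page.
THREAD_RULES = """\
$IP6TABLES -A OUTPUT -s ::0.0.0.0/104 -j DROP
$IP6TABLES -A OUTPUT -d ::0.0.0.0/104 -j DROP
$IP6TABLES -A OUTPUT -s ::0.0.0.0/96 -j DROP
$IP6TABLES -A OUTPUT -d ::0.0.0.0/96 -j DROP
"""
# Constructed variant (assumption, not from the thread): accept loopback first.
WITH_LO_ACCEPT = "$IP6TABLES -A OUTPUT -o lo -j ACCEPT\n" + THREAD_RULES

LOOPBACK = ipaddress.IPv6Address("::1")
# Only these short options are modelled; any other rule is left unjudged.
KNOWN_OPTS = {"-A", "-s", "-d", "-i", "-o", "-j"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Return {option: value} for a simple append rule, else None."""
    tokens = shlex.split(line, comments=True)[1:]   # drop the command word
    opts = dict(zip(tokens[0::2], tokens[1::2]))
    if len(tokens) % 2 or set(opts) - KNOWN_OPTS:
        return None                                 # negation, -p, -m, ...
    if "-A" not in opts or opts.get("-j") not in TERMINAL:
        return None
    return opts


def matches_loopback(opts):
    """True if a ::1 -> ::1 packet on lo satisfies every match in the rule."""
    for flag in ("-s", "-d"):                       # numeric prefixes assumed
        if flag in opts:
            net = ipaddress.IPv6Network(opts[flag], strict=False)
            if LOOPBACK not in net:
                return False
    return all(opts.get(flag, "lo") == "lo" for flag in ("-i", "-o"))


def loopback_verdict(script, chain="OUTPUT"):
    """First-match walk of one chain: (target, matching rule text or None)."""
    for line in script.splitlines():
        opts = parse_rule(line)
        if opts and opts["-A"] == chain and matches_loopback(opts):
            return opts["-j"], line.strip()
    return "ACCEPT", None                           # assumes policy ACCEPT


if __name__ == "__main__":
    print("thread rules  ->", loopback_verdict(THREAD_RULES))
    print("lo accepted   ->", loopback_verdict(WITH_LO_ACCEPT))
```

Running the same walk over a real firewall script before loading it shows whether any prefix rule shadows loopback traffic.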