ntpsec's ntpd fails to write ntp.drift file because of apparmor

Bug #1788102 reported by Richard Laager
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ntpsec (Ubuntu)

Bug Description


NTPsec 1.1.0 changed the way it writes the drift file. The new drift file is written to ntp.drift-tmp before being renamed to ntp.drift. The apparmor policy does not allow writing to ntp.drift-tmp. As a result, NTPsec is not able to write the drift file.

Failing to write the drift file means that every time ntpd starts up, it has to recalculate the system's drift from scratch. This reduces clock accuracy for some time.

The fix is to update the apparmor policy to allow writing to ntp.drift-tmp at the same locations as ntp.drift.

Per the SRU rules, I waited to file this SRU until the fix made it into cosmic. This is fixed in ntpsec 1.1.1+dfsg1-2, which has synced to cosmic. It was originally fixed in exactly the way proposed here. (The fix here is a cherry pick of that commit.) However, subsequent changes restructured /var/lib/ntp to /var/lib/ntpsec, so the apparmor policy in 1.1.1+dfsg1-2 can't be directly copied.

[Test Case]

1. If the ntp (note: ntp, not ntpsec) package is installed, uninstall it. Make sure there is no /var/lib/ntp/ntp.drift file left over from the ntp package or previous testing.

2. Install ntpsec.

3. Wait a while (typically an hour or more) for ntpd to calculate the drift.

4. Check syslog for messages like this:
2018-08-21T00:23:52.891966-05:00 ubuntu1804test ntpd[5392]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: Permission denied
and the kernel log for messages like this:
[446384.822309] audit: type=1400 audit(1534825432.887:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110

5. Verify that there is no /var/lib/ntp/ntp.drift file.

6. Install the updated apparmor policy. Restart apparmor. Restart ntpd. Wait for ntpd to calculate the drift. This time there should be a file at: /var/lib/ntp/ntp.drift

[Regression Potential]

This change only adds entries to the apparmor profile. Barring a syntax error, this shouldn't be able to break anything.

[Other Info]

I am the Debian maintainer of the ntpsec package.

Revision history for this message
Richard Laager (rlaager) wrote :
description: updated
Changed in ntpsec (Ubuntu):
status: New → Fix Released
status: Fix Released → In Progress
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ntpsec_1.1.0+dfsg1-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Richard Laager (rlaager) wrote :

It looks like I set this to the wrong status, as the StableReleaseUpdates talks about setting the bug to In Progress after it has been uploaded.

Changed in ntpsec (Ubuntu):
status: In Progress → Confirmed
Revision history for this message
Simon Quigley (tsimonq2) wrote :

I made some minor stylistic/policy-based changes but your change is now in the Bionic queue.

Thank you for your contribution to Ubuntu!

Revision history for this message
Richard Laager (rlaager) wrote :

Should it be showing up here? I'm not seeing it.

Revision history for this message
Robie Basak (racb) wrote :

The upload needs to be reviewed and accepted by a member of the SRU team before you see it there. I'll review it now.

Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Richard, or anyone else affected,

Accepted ntpsec into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntpsec/1.1.0+dfsg1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntpsec (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in ntpsec (Ubuntu):
status: Confirmed → Fix Released
Richard Laager (rlaager)
tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Richard Laager (rlaager) wrote :

I tested the version in proposed as follows and it works:

1) I purged all existing ntp packages.
2) I verified everything was cleaned up with: find /etc /var -iname "*ntp*"
3) I installed ntpsec_1.1.0+dfsg1-1ubuntu0.1_amd64.deb and python3-ntp_1.1.0+dfsg1-1ubuntu0.1_amd64.deb.
4) I verified there was still no ntp.drift (as expected immediately after startup) with: find /etc /var -iname "*ntp*"
5) I waited an hour and a half.
6) I verified an ntp.drift file was created: ls -la /var/lib/ntp/ntp.drift
7) I also verified it has legitimate contents.

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ntpsec has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntpsec - 1.1.0+dfsg1-1ubuntu0.1

ntpsec (1.1.0+dfsg1-1ubuntu0.1) bionic; urgency=medium

  * Update apparmor for new drift temp file (LP: #1788102)

 -- Richard Laager <email address hidden> Tue, 21 Aug 2018 00:27:21 -0500

Changed in ntpsec (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers