ntp package does not remove apparmor profile when being removed

Bug #1562134 reported by Mike Damm
This bug affects 3 people
Affects: openntpd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Description: Ubuntu 14.04.4 LTS
Release: 14.04

ntp:
  Installed: (none)
  Candidate: 1:4.2.6.p5+dfsg-3ubuntu2.14.04.8
  Version table:
     1:4.2.6.p5+dfsg-3ubuntu2.14.04.8 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.6.p5+dfsg-3ubuntu2.14.04.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1:4.2.6.p5+dfsg-3ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Steps to reproduce:
1. apt-get install apparmor
2. apt-get install ntpd
3. apt-get install openntpd

Results:
# aptitude install openntpd
The following partially installed packages will be configured:
  openntpd
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Setting up openntpd (20080406p-7) ...
Starting openntpd: /etc/openntpd/ntpd.conf: Permission denied
invoke-rc.d: initscript openntpd, action "start" failed.
dpkg: error processing package openntpd (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 openntpd
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install. Trying to recover:
Setting up openntpd (20080406p-7) ...
Starting openntpd: /etc/openntpd/ntpd.conf: Permission denied
invoke-rc.d: initscript openntpd, action "start" failed.
dpkg: error processing package openntpd (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 openntpd

Details:
ntp leaves behind an apparmor profile that is specific to the ntpd binary. As a result no alternative ntp implementations can be installed on the system.

Solution:
The ntp package needs to remove the installed profile and restart apparmor.

Workaround:
It is possible to manually remove the profile, restart apparmor, and then continue with installation of other packages (as mentioned in bugs 458061 and others). However, this solution is not compatible with configuration management systems, as it effectively requires you to exec out to a shell script to fix the installation.
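
The check below is an added example, not part of the original report or of any package's maintainer scripts. It lists AppArmor profiles that are still registered as conffiles of packages removed without a purge, on the assumption that the leftover profile is such a conffile (the policy output above shows ntp with `Installed: (none)` yet still present in `/var/lib/dpkg/status`). The function names, package names and paths in the sample are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: report AppArmor profiles still registered as conffiles of
# packages in dpkg state "config-files" (removed but not purged).

# stale_apparmor_profiles [STATUS_FILE]   ("-" reads stdin)
# Prints "<package><TAB><profile path>" for each leftover profile.
stale_apparmor_profiles() {
    awk '
        BEGIN { RS = ""; FS = "\n" }      # one dpkg stanza per record
        {
            pkg = ""; removed = 0; in_conf = 0; n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) pkg = substr($i, 10)
                if ($i ~ /^Status: /)  removed = ($i ~ / config-files$/)
                if ($i ~ /^Conffiles:/) { in_conf = 1; continue }
                if (in_conf && $i ~ /^ /) {
                    split($i, f, " ")     # f[1] = path, f[2] = md5sum
                    if (f[1] ~ /^\/etc\/apparmor\.d\//) hit[++n] = f[1]
                } else in_conf = 0
            }
            if (removed) for (j = 1; j <= n; j++) print pkg "\t" hit[j]
        }' "${1:-/var/lib/dpkg/status}"
}

# Constructed sample in dpkg status format (hypothetical packages and sums).
constructed_status() {
    cat <<'EOF'
Package: exampled
Status: deinstall ok config-files
Conffiles:
 /etc/default/exampled 0123456789abcdef0123456789abcdef
 /etc/apparmor.d/usr.sbin.exampled fedcba9876543210fedcba9876543210
Description: constructed removed-but-not-purged daemon

Package: otherd
Status: install ok installed
Conffiles:
 /etc/apparmor.d/usr.sbin.otherd 00112233445566778899aabbccddeeff
Description: constructed installed daemon

Package: plainpkg
Status: deinstall ok config-files
Conffiles:
 /etc/plainpkg.conf ffeeddccbbaa99887766554433221100
Description: constructed package without a profile
EOF
}
```

Run `constructed_status | stale_apparmor_profiles -` to see the sample result, or call `stale_apparmor_profiles` with no argument to read the live dpkg status file. A configuration management run can use the output as a pre-check before installing a package that ships a binary at the same path.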

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openntpd (Ubuntu):
status: New → Confirmed
Joi Owen (jlellis) wrote :

I opened a bug about this ntp package several years ago, about its purge script failing to remove its app-armor profile. The response I got from that package maintainer was excessively snotty. I resort to salt/ansible to forcibly remove ntp from any servers I encounter using it. The ntp package has been a non-stop source of security issues and I refuse to use it. Comments I've seen here lately, claiming this openntpd package has no future, really concern me.
