ntpd: permission denied writing to /var/log/ntpstats/ (statsdir directory)

I am running an NTP server on Ubuntu 20.04 LTS. The server works fine and the clients poll it correctly, but I keep getting a permission error when I want to record statistics.

I tried to include the following lines in ntp.conf:

statistics rawstats
statsdir /var/log/ntpstats/
filegen rawstats file raw type day link enable

When looking at systemctl ntp status:

mars 05 09:08:48 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:50 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:52 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:54 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied

But as far as I can see, the directory has the correct permissions (ls -al):

drwxr-xr-x 2 ntp ntp 4096 april 2 2020 .

Before choosing the default folder, I tried with one I created, adding ntp to its permissions with this command: chmod ntp:ntp /home/ubuntu/ntpstats/. It wasn't working, so I switched to this one; not working either.

Do you know why ntpd keeps getting this error even though ntp owns the folder?


Solution 1:

It's very likely that what is causing your permissions issue is not permissions bits, but AppArmor. The default AppArmor profile for ntpd on Ubuntu 20.04 (/etc/apparmor.d/usr.sbin.ntpd) contains:

...
/var/log/ntp w,
/var/log/ntp.log w,
/var/log/ntpd w,
/var/log/ntpstats/clockstats* rwl,
/var/log/ntpstats/loopstats*  rwl,
/var/log/ntpstats/peerstats*  rwl,
/var/log/ntpstats/protostats* rwl,
/var/log/ntpstats/rawstats*   rwl,
/var/log/ntpstats/sysstats*   rwl,
...

Note the mismatch in the filename it is expecting compared with the one ntpd is generating. If you change the AppArmor profile line referencing rawstats to be:

/var/log/ntpstats/raw*   rwl,

and reload AppArmor with systemctl reload apparmor, your stats logging will likely work.

Note also that loopstats and peerstats are more likely to be helpful in diagnosing NTP problems than rawstats. (See http://doc.ntp.org/current-stable/monopt.html#types for more on this.) Personally, I think if you're going to bother logging rawstats, you'd be better to just capture every NTP packet on the wire and process it with wireshark or a similar protocol analyser.
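A small check, added here and not part of either post above, that derives the file paths ntpd's filegen directives will create and tests them against the write rules of an AppArmor profile; the ntp.conf lines and profile lines are embedded as constructed samples based on the question and answer. It uses Python's fnmatch, which unlike AppArmor lets * cross a /, which is harmless for these filename-level globs.

```python
"""Check whether ntpd filegen output paths are allowed by AppArmor file rules."""
import fnmatch
import re

# Constructed samples: the ntp.conf lines from the question plus one extra
# filegen, and the relevant rules quoted from the Ubuntu 20.04 ntpd profile.
NTP_CONF = """
statistics rawstats
statsdir /var/log/ntpstats/
filegen rawstats file raw type day link enable
filegen loopstats file loopstats type day enable
"""
APPARMOR_PROFILE = """
/var/log/ntpstats/loopstats*  rwl,
/var/log/ntpstats/rawstats*   rwl,
"""

# Matches simple AppArmor file rules like "/path/glob* rwl," (optional 'owner').
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*$")

def apparmor_write_globs(profile):
    """Return the path globs of rules that grant write ('w') access."""
    globs = []
    for line in profile.splitlines():
        m = RULE_RE.match(line)
        if m and "w" in m.group(2):
            globs.append(m.group(1))
    return globs

def filegen_paths(conf, day="20210305"):
    """Map each filegen type to the file ntpd creates for 'type day' on <day>."""
    statsdir = "/var/log/ntpstats/"   # ntpd's default statsdir
    paths = {}
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "statsdir":
            statsdir = parts[1] if parts[1].endswith("/") else parts[1] + "/"
        elif parts[0] == "filegen":
            name = parts[1]                       # default file name is the type
            if "file" in parts:
                name = parts[parts.index("file") + 1]
            suffix = ""
            if "type" in parts and parts[parts.index("type") + 1] == "day":
                suffix = "." + day                # e.g. raw.20210305
            paths[parts[1]] = statsdir + name + suffix
    return paths

def check(conf, profile, day="20210305"):
    """Map each filegen type to True if some write rule matches its output path."""
    globs = apparmor_write_globs(profile)
    return {kind: any(fnmatch.fnmatchcase(path, g) for g in globs)
            for kind, path in filegen_paths(conf, day).items()}
```

Running check(NTP_CONF, APPARMOR_PROFILE) flags rawstats as denied while loopstats passes, which matches the journal errors in the question.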