2

I am running an NTP server on Ubuntu 20.04 LTS. The server works fine and the client polls the server correctly, but I keep getting a permission error when I want to record statistics.

I tried to include the following lines in ntp.conf:

```
statistics rawstats
statsdir /var/log/ntpstats/
filegen rawstats file raw type day link enable
```

When looking at systemctl ntp status:

```
mars 05 09:08:48 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:50 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:52 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:54 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
```

But for me, the directory has the correct permissions (ls -al):

```
drwxr-xr-x 2 ntp ntp 4096 april 2 2020 .
```

Before choosing the default folder, I tried one I created, adding ntp to the permissions using this command: chmod ntp:ntp /home/ubuntu/ntpstats/. It wasn't working, so I switched to this one, which is not working either.

Do you know why ntpd keeps getting this error even though ntp has the upper hand on the folder?

Paul Gear
molik

2 Answers

2

It's very likely that what is causing your permissions issue is not permission bits, but AppArmor. The default AppArmor profile for ntpd on Ubuntu 20.04 (/etc/apparmor.d/usr.sbin.ntpd) contains:

```
...
/var/log/ntp w,
/var/log/ntp.log w,
/var/log/ntpd w,
/var/log/ntpstats/clockstats* rwl,
/var/log/ntpstats/loopstats*  rwl,
/var/log/ntpstats/peerstats*  rwl,
/var/log/ntpstats/protostats* rwl,
/var/log/ntpstats/rawstats*   rwl,
/var/log/ntpstats/sysstats*   rwl,
...
```

Note the mismatch in the filename it is expecting compared with the one ntpd is generating. If you change the AppArmor profile line referencing rawstats to be:

```
/var/log/ntpstats/raw*   rwl,
```

and reload AppArmor with systemctl reload apparmor, your stats logging will likely work.

Note also that loopstats and peerstats are more likely to be helpful in diagnosing NTP problems than rawstats. (See http://doc.ntp.org/current-stable/monopt.html#types for more on this.) Personally, I think if you're going to bother logging rawstats, you'd be better to just capture every NTP packet on the wire and process it with wireshark or a similar protocol analyser.

Paul Gear
  • Thanks a lot! I just want to add, the ntpd profile of AppArmor is: `/etc/apparmor.d/usr.sbin.ntpd` – molik Mar 03 '21 at 10:39
  • I realised afterwards that I hadn't mentioned that - I've edited the answer to include it. – Paul Gear Mar 04 '21 at 20:25
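
The mismatch the answer above points out can be checked mechanically before restarting ntpd. The following is an added example, not code from the answer or from the ntp or AppArmor projects: the function names are hypothetical, the inputs are constructed from the lines quoted on this page, and it assumes `type day` naming (`.yyyymmdd` suffix) and handles only plain `path perms,` rules with the `*`, `**` and `?` globs.

```python
import re

# Constructed inputs: the question's ntp.conf lines and three rules from the
# profile excerpt quoted in the answer.
NTP_CONF = """\
statistics rawstats
statsdir /var/log/ntpstats/
filegen rawstats file raw type day link enable
"""
PROFILE = """\
/var/log/ntpstats/loopstats*  rwl,
/var/log/ntpstats/peerstats*  rwl,
/var/log/ntpstats/rawstats*   rwl,
"""

def glob_to_regex(glob):
    """AppArmor globs handled here: ** crosses '/', * and ? do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.findall(r"\*\*|\*|\?|.", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def write_rules(profile):
    """Compile the path of every simple 'path perms,' rule that grants w."""
    rule = re.compile(r"\s*(?:owner\s+)?(/\S*)\s+([a-z]+),\s*$")
    hits = (rule.match(line) for line in profile.splitlines())
    return [glob_to_regex(m.group(1)) for m in hits if m and "w" in m.group(2)]

def stats_paths(conf, day="20210305"):
    """Dated file each enabled filegen creates under 'type day' naming."""
    statsdir, names = "", []
    for words in (line.split() for line in conf.splitlines()):
        if words[:1] == ["statsdir"] and len(words) > 1:
            statsdir = words[1].rstrip("/") + "/"
        elif words[:1] == ["filegen"] and "enable" in words:
            # 'file X' sets the on-disk name; the default is the filegen name.
            i = words.index("file") + 1 if "file" in words[2:] else 1
            names.append(words[i])
    return [f"{statsdir}{name}.{day}" for name in names]

def uncovered(conf, profile):
    """Stats files that no write rule in the profile matches."""
    rules = write_rules(profile)
    return [p for p in stats_paths(conf) if not any(r.match(p) for r in rules)]

if __name__ == "__main__":
    for path in uncovered(NTP_CONF, PROFILE):
        print("no AppArmor write rule covers", path)
```

Dropping `file raw` from the filegen line, so the file keeps its default `rawstats` name, clears the mismatch just as widening the profile rule to `raw*` does, and leaves the profile untouched.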
0

What about the file itself? Does that exist already?

Try these:

```
ls -ld /var/log/ntpstats
ls -ld /var/log/ntpstats/raw.20210305
```

chmod ntp:ntp /home/ubuntu/ntpstats/

Careful!
chown changes ownerships, not permissions.
chmod changes permissions.

I would suggest that you need a good grasp of these two concepts or you can make a complete mess of your Linux machines.

Paul Gear
Phill W.
  • `ls -ld /var/log/ntpstats` is returning: `drwxr-x-r-x 2 ntp ntp 4096 april 2 2020 /var/log/ntpstats`. For the command on the raw file, it doesn't exist. For your "Careful" statement, did you make an error typing chmod 2 times? I don't get it, sorry – molik Mar 03 '21 at 09:46
  • I've fixed the chmod/chown typo – Paul Gear Mar 03 '21 at 09:59