[Bug 945592] New: ntpd wants to read directories in $PATH
http://bugzilla.opensuse.org/show_bug.cgi?id=945592

Bug ID: 945592
Summary: ntpd wants to read directories in $PATH
Classification: openSUSE
Product: openSUSE Factory
Version: 201505*
Hardware: Other
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: max@suse.com
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
Found By: Beta-Customer
Blocker: ---

You probably know that AppArmor contains a profile for ntpd.

I noticed in the audit.log that ntpd wants to read the directory listing (basically "ls") of all directories in $PATH (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin and /usr/local/sbin).

Do you have an idea why ntpd wants/needs those directory listings? (I didn't notice any problems when denying those permissions, but maybe my config is too simple ;-)

Do you think I need to allow them in the AppArmor profile? Or should I deny them (to silence the logging)?

--
You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=945592#c1
Reinhard Max
> Do you have an idea why ntpd wants/needs those directory listings?

From some quick code digging, it looks like sntp tries to find the full path of its own executable by scanning all directories in $PATH.

If you are interested in the details, see these files inside the ntp source dir:

sntp/libopts/compat/pathfind.c
sntp/libopts/init.c
sntp/libopts/load.c

> Do you think I need to allow them in the AppArmor profile?

Yes, please, because I think AppArmor should not get in the way of a service trying to do its thing. If you think the directory scanning is unneeded, wrong or even dangerous, please discuss it with upstream.

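An added example, not part of the bug report and not code from ntp or AppArmor: a small audit.log triage script that collects the denied directory-listing reads for the ntpd profile and prints the matching profile rules, either allowing them or explicitly denying them (an explicit deny rule is what silences the logging). The log lines are constructed, and the profile name `/usr/sbin/ntpd` and the trailing slash on directory names in the `name` field are assumptions about the local setup.

```python
import re
from collections import defaultdict

# Constructed sample lines in the AppArmor audit.log format (not from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1441872001.101:301): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/bin/" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441872001.102:302): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/bin/" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441872001.103:303): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441875601.201:410): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/bin/" pid=2345 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441875601.202:411): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.keys" pid=2345 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1441875601.203:412): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/usr/bin/" pid=777 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Quoted key="value" pairs; unquoted fields (pid, fsuid, ...) are not needed here.
FIELD = re.compile(r'(\w+)="([^"]*)"')


def denied_dir_reads(log_text, profile="/usr/sbin/ntpd"):
    """Return {directory: count} of denied read-only opens of directories."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        # Assumption: a directory is logged with a trailing "/", which is also
        # how an AppArmor path rule addresses the directory listing itself.
        if f.get("name", "").endswith("/") and f.get("denied_mask") == "r":
            hits[f["name"]] += 1
    return dict(hits)


def profile_rules(dirs, allow=True):
    """Render one profile rule per directory: allow the read, or deny it."""
    prefix = "" if allow else "deny "
    return [f"{prefix}{d} r," for d in sorted(dirs)]


if __name__ == "__main__":
    found = denied_dir_reads(SAMPLE_LOG)
    for directory, count in sorted(found.items()):
        print(f"{count:3d}  {directory}")
    print("\n".join(profile_rules(found, allow=True)))
```

A rule such as `/bin/ r,` grants only the listing of that directory, not read access to the files inside it.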
http://bugzilla.opensuse.org/show_bug.cgi?id=945592#c2
Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=945592#c3
Christian Boltz