Control: severity -1 important
Control: tags -1 confirmed pending
Hi,

On Thu, Feb 01, 2018 at 09:43:31AM +0100, Christian Ehrhardt wrote:
Package: chrony
Version: 3.2-2

Hi,
I recently took a spike of activity on Chrony in Ubuntu with some testing and checking older bugs on it. There are Ubuntu only changes (like custom time servers), but some might qualify to be considered for Debian as well. So I wanted to open bugs for each of them to be discussed. We currently have a merge proposal up for Ubuntu at [1], and I'll link the fixes that are currently in review for you directly per-topic.
That’s great, thank you.
In case we modify the fixes due to the review I'll keep you updated.

Description:
With the recent apparmor profile - when enforcing - I happened to find an issue.
From logs:
  chronyd[3443]: Could not change ownership of /run/chrony : Operation not permitted
  chronyd[3443]: Could not access /run/chrony : No such file or directory
  chronyd[3443]: Disabled command socket /run/chrony/chronyd.sock

After a few wrong assumptions :-) I found that this would be created/chowned by chrony itself
Indeed, the whole logic can be found in util.c.
, but the apparmor caps do not allow it yet. With that missing it won't be able to spawn the unix command socket for privileged commands.
As I told you privately, nice catch as that was quite subtle! I will release 3.2-3 with this fix included during the weekend hopefully.
Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1746444
Fix-in-Review: https://git.launchpad.net/~paelzer/ubuntu/+source/chrony/commit/?id=9d4873cc7296607a6e3696b5ffda0f2c431a5c80

[1]: https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+merge/336844

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
Cheers, Vincent
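
Added example, not part of the original mail or of chrony's packaging: one way to tie the chronyd messages quoted above to AppArmor capability denials in the kernel audit log, so the missing profile rule can be identified from logs. The audit lines, the profile name `/usr/sbin/chronyd` and the denied capability shown are constructed assumptions, not taken from the report.

```python
import re

# Constructed sample. The three chronyd lines are the ones quoted in the report;
# the kernel audit lines (timestamps, ids, the cupsd entry) are made up here.
SAMPLE_LOG = """\
chronyd[3443]: Could not change ownership of /run/chrony : Operation not permitted
kernel: audit: type=1400 audit(1517474611.123:42): apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=3443 comm="chronyd" capability=0  capname="chown"
chronyd[3443]: Could not access /run/chrony : No such file or directory
chronyd[3443]: Disabled command socket /run/chrony/chronyd.sock
kernel: audit: type=1400 audit(1517474612.001:43): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=900 comm="cupsd" capability=1  capname="dac_override"
"""

DAEMON_RE = re.compile(r'chronyd\[(?P<pid>\d+)\]: (?P<msg>(?:Could not|Disabled) .*)')
AUDIT_RE = re.compile(
    r'apparmor="(?P<verdict>[A-Z]+)"\s+operation="capable"\s+'
    r'profile="(?P<profile>[^"]+)"\s+pid=(?P<pid>\d+)\b.*?capname="(?P<cap>\w+)"'
)

def correlate(log_text, profile="/usr/sbin/chronyd"):  # profile name is an assumption
    """Map each failing chronyd pid to its messages and AppArmor-denied capabilities."""
    failures, denials = {}, {}
    for line in log_text.splitlines():
        d = DAEMON_RE.search(line)
        if d:
            failures.setdefault(int(d["pid"]), []).append(d["msg"])
            continue
        a = AUDIT_RE.search(line)
        # Only enforced denials for the profile under investigation count.
        if a and a["verdict"] == "DENIED" and a["profile"] == profile:
            denials.setdefault(int(a["pid"]), set()).add(a["cap"])
    return {
        pid: {"messages": msgs, "denied_caps": sorted(denials.get(pid, ()))}
        for pid, msgs in failures.items()
    }

def candidate_rules(caps):
    """Render denied capabilities as AppArmor rules for a human to review."""
    return [f"capability {cap}," for cap in caps]

if __name__ == "__main__":
    for pid, info in correlate(SAMPLE_LOG).items():
        print(f"chronyd pid {pid}: {len(info['messages'])} failure message(s)")
        for rule in candidate_rules(info["denied_caps"]):
            print(f"  denied under the profile; rule to review: {rule}")
```

Each candidate rule should be reviewed against what the daemon actually needs before it goes into the profile, so the profile stays least-privilege.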