# ntp issue ?? ntp.drift.TEMP: Permission denied

## hanj

Hello all

I'm starting to get these in my logs. I just recently updated the kernel, so I think it may be related.

```
Feb  2 12:12:27 comp ntpd[11268]: frequency initialized 75.149 PPM from /var/lib/ntp/ntp.drift
Feb  2 12:16:44 comp ntpd[11268]: synchronized to 66.250.45.2, stratum 2
Feb  2 19:16:44 comp ntpd[11268]: kernel time sync status change 0001
Feb  2 20:12:27 comp ntpd[11268]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied
```

The directory is definitely owned by ntp..

```
drwxr-xr-x  2 ntp  ntp  120 Feb  2 16:20 .
drwxr-xr-x 20 root root 560 Dec 30 09:04 ..
-rw-r--r--  1 ntp  ntp    7 Feb  1 08:23 ntp.drift
```

Here are my USE flags for ntp

```
[ebuild   R   ] net-misc/ntp-4.2.4_p6  USE="caps ssl -debug -ipv6 -openntpd -parse-clocks (-selinux) -zeroconf" 0 kB
```

Here is my kernel version:

```
Linux wcec 2.6.27-gentoo-r8 
```

I tried to touch ntp.drift.TEMP in the directory and chown it to ntp:ntp, but the error continues.

Thanks!

hanji

----------

## pgf

 *hanj wrote:*   

> Hello all
> 
> The directory is definitely owned by ntp..

 

Stupid question, but... are you sure NTP is running as user ntp?

----------

## hanj

Yep. The process was owned by ntp. I think this is related to caps. I rebuilt ntp without caps, and things seem to be better, but the process is running as root. There must have been something that changed in the kernel from 2.26 to 2.27?

Thanks!

hanji

----------

## pgf

Hmmm.... I have never noticed that USE flag, but I see I have -caps (the default?). I upgraded to 2.27 a while ago and have never had a problem. You should probably update the title with [SOLVED].

----------

## hanj

I don't think it's quite solved yet. I want ntp to run as ntp.. not root, which caps does (if I'm not mistaken), so not sure what the issue is related to 2.6.27 kernel and ntp/caps. I've been running ntp with caps for a long, long time. 

Thanks!

hanji
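
The question of which user ntpd runs as, and which capabilities it kept after dropping root, can be answered from `/proc/<pid>/status`. The following is an added example and not part of the thread; the status text is constructed and uid 123 is assumed to stand for the ntp user.

```shell
#!/bin/sh
# Added example: report the effective uid and key capabilities of a daemon
# from a /proc/<pid>/status-style file.

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE=1
CAP_NET_BIND_SERVICE=10
CAP_SYS_TIME=25

# status_field FILE KEY N: print the Nth value on the "KEY:" line.
status_field() {
    awk -v key="$2:" -v n="$3" '$1 == key { print $(n + 1); exit }' "$1"
}

# has_cap HEXMASK BIT: succeed if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# summarize FILE: one line with effective uid and yes/no per capability.
summarize() {
    euid=$(status_field "$1" Uid 2)      # Uid: real effective saved fs
    eff=$(status_field "$1" CapEff 1)
    out="euid=$euid"
    for pair in sys_time:$CAP_SYS_TIME net_bind:$CAP_NET_BIND_SERVICE \
                dac_override:$CAP_DAC_OVERRIDE; do
        if has_cap "$eff" "${pair#*:}"; then v=yes; else v=no; fi
        out="$out ${pair%%:*}=$v"
    done
    echo "$out"
}

# Constructed sample: a daemon that dropped to uid 123 (assumed to be "ntp")
# and kept only CAP_NET_BIND_SERVICE and CAP_SYS_TIME.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Name:   ntpd
Uid:    123 123 123 123
Gid:    123 123 123 123
CapInh: 0000000000000000
CapPrm: 0000000002000400
CapEff: 0000000002000400
EOF

summarize "$sample"
# On a live system: summarize "/proc/$(pidof ntpd)/status"
```

A process that shows `dac_override=no` can create `ntp.drift.TEMP` only if its effective uid has ordinary write and search permission on `/var/lib/ntp`.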

----------

## pgf

Did you enable Default Linux Capabilities in the kernel:

```
Security options  --->
    [*] Enable different security models
    [*]   Default Linux Capabilities    ...
```

as per http://en.gentoo-wiki.com/wiki/NTP?

----------

## hanj

I think this is what's changed. Looking at my security options...

```
Security options  --->
   [ ] Enable access key retention support
   [*] Enable different security models
   [ ]   Socket and Networking Security Hooks
   [ ] File POSIX Capabilities
   (0) Low address space to protect from user allocation
```

Default Linux Capabilities is no longer an option.

hanji

----------

## pgf

Oops! My apologies. I didn't look at my config - just at the wiki. Looking at my .config I see a CONFIG_SECURITY_FILE_CAPABILITIES variable. Could that be the same thing?

----------

## hanj

 *pgf wrote:*   

> Oops! My apologies. I didn't look at my config - just at the wiki. Looking at my .config I see a CONFIG_SECURITY_FILE_CAPABILITIES variable. Could that be the same thing?

 

I think that is File POSIX Capabilities. Which might address the problem. I don't think it's the same thing as Default Linux Capabilities.

hanji

----------

## pgf

 *hanj wrote:*   

> I don't think it's the same thing as Default Linux Capabilities.
> 
> hanji

 

Look at http://www.linuxhq.com/kernel/v2.6/27/security/Kconfig. It looks like it replaced Default Linux Caps with POSIX caps, if I am reading it right.

----------

## hanj

Hmmmm.. I'll recompile the kernel and give it a shot. It's a production server, so I won't be able to reboot for a bit.

Thanks!

hanji

----------

## pgf

 *hanj wrote:*   

> Hmmmm.. I'll recompile the kernel and give it a shot. It's a production server, so I won't be able to reboot for a bit.

 

I am trying to recreate it on one of my test boxes for you. I have emerged ntp with USE=caps and now am waiting for the error. How often did it occur?

----------

## hanj

Error occurs once an hour.

Thanks!

hanji

----------

## pgf

 *hanj wrote:*   

> Error occurs once an hour.

 

I haven't been able to recreate it yet - 90 minutes since restarting ntp and no errors. I will keep watching.

----------

## hanj

Ok. I rebooted this morning, and I'm still seeing the errors. Now check this out. Here are some snips from my logs. This is after my reboot, re-emerging ntp with caps and restarting the ntpd server. Pay attention to the times in the logs

```
Feb  4 07:59:49 comp ntpd[29269]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Feb  4 07:59:49 comp ntpd[29269]: Listening on interface #1 lo, 127.0.0.1#123 Enabled
Feb  4 07:59:49 comp ntpd[29269]: Listening on interface #2 eth0, 192.168.1.1#123 Enabled
Feb  4 07:59:49 comp ntpd[29269]: Listening on interface #3 eth0:1, 192.168.1.25#123 Enabled
Feb  4 07:59:49 comp ntpd[29269]: Listening on interface #4 eth1, 192.168.0.2#123 Enabled
Feb  4 07:59:49 comp ntpd[29269]: kernel time sync status 0040
Feb  4 07:59:50 comp ntpd[29269]: frequency initialized 76.055 PPM from /var/lib/ntp/ntp.drift
Feb  4 07:59:55 comp ntpdate[29338]: step time server 204.152.189.171 offset -0.002710 sec
Feb  4 08:04:10 comp ntpd[29269]: synchronized to 204.152.189.171, stratum 2
Feb  4 15:04:10 comp ntpd[29269]: kernel time sync status change 0001
Feb  4 15:59:49 comp ntpd[29269]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied
```

The error seems to be WAY in the future. Running `date` I see..

```
date
Wed Feb  4 09:08:21 MST 2009
```

I wonder if there is something else that is hosed giving it the wrong time. Syslog is still showing entries with the correct time?

Here are my contents of ntp.conf

```
server pool.ntp.org
driftfile       /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
```

Thanks!

hanji

----------

## pgf

Time zone issues? What do you have for:

/etc/conf.d/clock

/etc/timezone

your $TZ value

I don't see this has anything to do with the permissions problem (although you never know), but it is definitely not right.

----------

## hanj

/etc/conf.d/clock

```
CLOCK="UTC"
CLOCK_OPTS=""
CLOCK_SYSTOHC="no"
SRM="no"
ARC="no"
```

I don't have /etc/timezone. Maybe /etc/localtime?

```
localtime -> /usr/share/zoneinfo/US/Mountain
```

Thanks!

hanji

----------

## pgf

 *hanj wrote:*   

> I don't have /etc/timezone. Maybe /etc/localtime?
>
> ...

 

Hmmm... I have /etc/timezone, which contains "America/Toronto". I have never been completely clear on the difference, but:

 *Quote:*   

> Additionally, the TIMEZONE variable is no longer in this file. Its contents are instead found in the /etc/timezone file. If it doesn't exist, you will of course have to create it with your timezone. Please review both of these files to ensure their correctness. 

 

from the Gentoo Baselayout and OpenRC Migration Guide (http://www.gentoo.org/doc/en/openrc-migration.xml?style=printable)

I do have an /etc/localtime as well.

----------

## MMMMM

Hi,

I have two gentoo boxes, one with and one without this problem.

Difference is that /var/lib/ntp/ntp.drift belongs to root:root on the box with this problem.

```
chown ntp:ntp /var/lib/ntp/ntp.drift
```

... did not help :(

----------

