From dbb71e266a31d152056153a2d2046bc66803137b Mon Sep 17 00:00:00 2001
From: Stefan Frijters
Date: Sat, 21 Dec 2024 11:17:28 +0100
Subject: [PATCH] nixos/ntpd: fix permissions error when creating drift file

This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied". Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root. However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot actually use that directory. Actually creating a home directory for the user at that location solves that problem.

(cherry picked from commit 31942f20f4625ec1c7371a338527e75d3ab0c926)
---
 nixos/modules/services/networking/ntp/ntpd.nix | 2 +-
 nixos/tests/ntpd.nix | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix
index bdc5adb394c2b..84f79df52b0e9 100644
--- a/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -142,6 +142,7 @@ in
 group = "ntp";
 description = "NTP daemon user";
 home = "/var/lib/ntp";
+ createHome = true;
 };
 users.groups.ntp = { };
 
@@ -155,7 +156,6 @@ in
 serviceConfig = {
 ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
 Type = "forking";
- StateDirectory = "ntp";
 
 # Hardening options
 PrivateDevices = true;
diff --git a/nixos/tests/ntpd.nix b/nixos/tests/ntpd.nix
index 1864044b64d4c..67a5a95e6fe59 100644
--- a/nixos/tests/ntpd.nix
+++ b/nixos/tests/ntpd.nix
@@ -20,6 +20,8 @@ import ./make-test-python.nix (
 machine.wait_for_console_text('Listen normally on 10 eth*')
 machine.succeed('systemctl is-active ntpd.service')
 machine.succeed('ntpq -p')
+ # ntp user must be able to create drift files
+ machine.succeed('su -s /bin/sh -c "touch /var/lib/ntp/ntp.drift" ntp')
 '';
 }
 )
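Review bot: Hosts that already ran the old module have /var/lib/ntp created root:root by the former StateDirectory, and the added `createHome = true;` only fixes them if the users/groups activation script also re-owns a pre-existing home directory to ntp; that behaviour should be confirmed, otherwise the fix applies to fresh installs only and upgraded hosts keep hitting the same "Permission denied". A directory created as a home also does not get the 0755 that StateDirectory would have given it, so if anything besides ntpd is expected to read the drift file the mode has to be set explicitly (the users module has a per-user home mode option in recent revisions; verify it exists at this version). A why-comment on the added line, e.g. `# ntpd drops to user ntp, so the drift directory must be owned by ntp rather than created root:root by StateDirectory`, would keep the next reader from reintroducing StateDirectory. The enclosing users.users.ntp attribute set starts before the hunk.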
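Review bot: Removing `StateDirectory = "ntp";` also removes the write grant that StateDirectory provides under ProtectSystem; the hardening block continues outside this hunk, so if it sets ProtectSystem to "strict" or "full", /var/lib/ntp now needs `ReadWritePaths = [ "/var/lib/ntp" ];` alongside the remaining hardening options, or the daemon gets the same "Permission denied" from the sandbox instead of from ownership. The check added in nixos/tests/ntpd.nix runs as user ntp outside the unit's sandbox and would not detect that, so this is worth verifying against the full serviceConfig before merging.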
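Review bot: The added `su -s /bin/sh -c "touch ..." ntp` line proves that the host-level owner of /var/lib/ntp lets user ntp write there, but not that ntpd itself, inside its hardened unit, can; the two diverge whenever ProtectSystem or ReadWritePaths is in play, which is the case the regression was about. Since ntpd only writes the drift file after a long settling period, a cheap complementary assertion that states the actual invariant is `assert machine.succeed('stat -c %U:%G /var/lib/ntp').strip() == 'ntp:ntp'`. The touch also leaves a zero-length ntp.drift owned by ntp that the daemon later overwrites, which is harmless but worth a word in the comment above it, e.g. `# leaves an empty ntp.drift behind; ntpd overwrites it once it has a frequency estimate`.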