[chrony-dev] Drop cmdmon authentication? |
While I was dealing with the latest security bugs I wondered how
useful these days it really is to have support for remote
administration via authenticated cmdmon and if it's not just
increasing the chronyd attack surface unnecessarily.
Does anyone here use chronyc remotely with a password for
administration, and how important is this feature for you? I personally
don't use it and don't know anyone who does. For me, it's easier to go
through ssh, su to root and run "chronyc -a" locally.
I'm thinking about removing the cmdmon authentication from chrony and
using a UNIX domain socket with root permissions for local authorized
commands instead. chronyc would use this socket automatically, no need
to specify the -a option or the password command any more.
Pros:
- future bugs in the handling of the authorized commands will be
treated as ordinary bugs and not security bugs
- significantly reduced attack surface, only selected monitoring
commands will be allowed remotely
- simplified cmdmon code, saving about 500 lines
- simplified configuration, no more command keys
- incompatible changes in the authorized part of the cmdmon protocol
will be local and it will not be necessary to bump the protocol
version (which requires chronyc/chronyd to be updated on both sides
at the same time)
Cons:
- inconvenience to users who now use authenticated commands remotely
or locally under a non-root account, they will need to switch to ssh
and/or sudo or similar
What do you think? Is this worth it?
--
Miroslav Lichvar
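The root-only local control socket sketched in the message above, written out as an added example. This is not chrony's code and does not claim to show what the project later implemented; the directory layout (a 0700 directory holding the socket), the function names and the self-test are all assumptions made for illustration. It shows the two checks the proposal relies on instead of a command key: the socket file is created with mode 0600 by narrowing the umask around bind(), so no other user can even connect, and the daemon additionally reads the kernel-supplied peer credentials (SO_PEERCRED on Linux, getpeereid() on the BSDs and macOS) before accepting an authorized command.

```c
/* Root-only UNIX domain control socket: an added example, not chrony's code.
 * Assumed layout: a 0700 directory owned by the daemon user, with the socket
 * file inside it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a listening stream socket at path with mode 0600. The umask is
 * narrowed around bind() so the file never exists with looser permissions
 * (umask is process-wide, so do this before any threads are started). */
int control_socket_create(const char *path)
{
    struct sockaddr_un sa;
    struct stat st;
    mode_t old;
    int fd;

    if (strlen(path) >= sizeof(sa.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);

    /* Remove a stale socket left by a previous run, but never anything else. */
    if (lstat(path, &st) == 0 && S_ISSOCK(st.st_mode))
        unlink(path);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    old = umask(0177);                     /* 0777 & ~0177 == 0600 */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 4) < 0) {
        umask(old);
        close(fd);
        return -1;
    }
    umask(old);
    return fd;
}

/* Credentials of the process on the other end of an accepted connection.
 * The kernel fills them in, so unlike a password sent over the network
 * they cannot be forged. The layout matches struct ucred on Linux and is
 * declared locally so the block compiles without _GNU_SOURCE headers. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

int control_peer_uid(int fd, uid_t *uid)
{
#if defined(__linux__)
    struct peer_cred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    return 0;
#else
    gid_t gid;
    return getpeereid(fd, uid, &gid);      /* BSD, macOS */
#endif
}

/* Authorized commands are accepted only from root or the daemon's own uid;
 * this is the check that replaces the remote command-key authentication. */
int control_peer_authorized(int fd)
{
    uid_t uid;
    if (control_peer_uid(fd, &uid) < 0)
        return 0;
    return uid == 0 || uid == geteuid();
}

/* Self-test: a fresh 0700 directory (mkdtemp creates it that way), a socket
 * in it, and a client connecting as the current user. Returns 1 if the
 * socket file is a 0600 socket and the accepted peer is authorized. */
int control_socket_selftest(void)
{
    char dir[] = "/tmp/ctlsock.XXXXXX", path[64];
    struct sockaddr_un sa;
    struct stat st;
    int lfd = -1, cfd = -1, afd, ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(path, sizeof(path), "%s/chronyd.sock", dir);
    lfd = control_socket_create(path);
    if (lfd < 0 || stat(path, &st) < 0 || !S_ISSOCK(st.st_mode) ||
        (st.st_mode & 0777) != 0600)
        goto out;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cfd >= 0 && connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        (afd = accept(lfd, NULL, NULL)) >= 0) {
        ok = control_peer_authorized(afd);
        close(afd);
    }
out:
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("local control socket self-test: %s\n",
           control_socket_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The file mode alone already keeps other users out of a socket in a 0700 directory; the peer credential check is cheap defence in depth for the case where an administrator later relaxes the directory permissions to let a monitoring account in, since the daemon can then still refuse authorized commands from anyone but root.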