[chrony-dev] cmdmon authentication is gone

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-dev] cmdmon authentication is gone
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Fri, 21 Aug 2015 14:22:13 +0200

As per the discussion we had on this list couple months ago, the
cmdmon authentication has been replaced by communication over Unix
domain sockets and configuration commands are now allowed by the
permissions on the file system.

If you would like to test it, please make sure that:

- when /var/run/chrony doesn't exist, it's created with root or chrony
  (when dropping privileges) owner and it's not accessible by others
- when /var/run/chrony does exists and doesn't have correct
  permissions or owner, chronyd will refuse to create the Unix socket
- chronyd doesn't allow any remote configuration commands
- attempts to authenticate with an older chronyc result in a failure
- chronyc selects the Unix/IPv4/IPv6 socket correctly depending on
  what permissions it has and chronyd created (e.g. with -4/-6 option)
  
BTW, chronyc now has -d option to print what socket it's connecting to
when compiled with the --enable-debug option.

Thanks,

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-dev] cmdmon authentication is gone
  - From: Bryan Christianson

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-dev] [GIT] chrony/chrony.git branch, master, updated. 2.1.1-49-ge5784c1
Next by Date: Re: [chrony-dev] cmdmon authentication is gone
Previous by thread: [chrony-dev] [GIT] chrony/chrony.git branch, master, updated. 2.1.1-49-ge5784c1
Next by thread: Re: [chrony-dev] cmdmon authentication is gone

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/