[chrony-dev] cmdmon authentication is gone
As per the discussion we had on this list a couple of months ago, the
cmdmon authentication has been replaced by communication over Unix
domain sockets and configuration commands are now allowed by the
permissions on the file system.
If you would like to test it, please make sure that:
- when /var/run/chrony doesn't exist, it's created with root or chrony
  (when dropping privileges) owner and it's not accessible by others
- when /var/run/chrony does exist and doesn't have correct
  permissions or owner, chronyd will refuse to create the Unix socket
- chronyd doesn't allow any remote configuration commands
- attempts to authenticate with an older chronyc result in a failure
- chronyc selects the Unix/IPv4/IPv6 socket correctly depending on
  what permissions it has and chronyd created (e.g. with -4/-6 option)
  
BTW, chronyc now has a -d option to print what socket it's connecting to
when compiled with the --enable-debug option.
Thanks,
-- 
Miroslav Lichvar
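
The first two items of the test checklist above can be checked from outside chronyd with a small audit script. This is an added example, not part of the original message and not chrony code: the function names are hypothetical, and it checks only what the message states (owner is root or chrony, no access for others), not whatever exact mode chronyd enforces.

```python
import os
import pwd
import stat
import sys


def allowed_owner_uids(names=("root", "chrony")):
    """Resolve the owner names from the message to UIDs; skip absent accounts."""
    uids = set()
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass
    return uids


def audit_socket_dir(path, owner_uids):
    """Return a list of problems; an empty list means the directory passes."""
    try:
        st = os.lstat(path)  # lstat: a symlink in place of the directory is not followed
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid not in owner_uids:
        problems.append("unexpected owner uid %d" % st.st_uid)
    if st.st_mode & stat.S_IRWXO:  # any read/write/execute bit for "others"
        problems.append("accessible by others (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


if __name__ == "__main__":
    # Default path is the one named in the message.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/run/chrony"
    found = audit_socket_dir(target, allowed_owner_uids())
    for problem in found:
        print("%s: %s" % (target, problem))
    sys.exit(1 if found else 0)
```
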