Re: [chrony-dev] cmdmon authentication is gone
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] cmdmon authentication is gone
- From: Bryan Christianson <bryan@xxxxxxxxxxxxx>
- Date: Sat, 22 Aug 2015 01:53:37 +1200
> On 22/08/2015, at 12:22 am, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
>
> As per the discussion we had on this list a couple of months ago, the
> cmdmon authentication has been replaced by communication over Unix
> domain sockets and configuration commands are now allowed by the
> permissions on the file system.
>
> If you would like to test it, please make sure that:
>
> - when /var/run/chrony doesn't exist, it's created with root or chrony
> (when dropping privileges) owner and it's not accessible by others
> - when /var/run/chrony does exist and doesn't have correct
> permissions or owner, chronyd will refuse to create the Unix socket
> - chronyd doesn't allow any remote configuration commands
> - attempts to authenticate with an older chronyc result in a failure
> - chronyc selects the Unix/IPv4/IPv6 socket correctly depending on
> what permissions it has and chronyd created (e.g. with -4/-6 option)
It looks good on MacOS - user permissions choose localhost and root permissions choose the Unix socket. I also saw the expected failure with an older client.
number9:~ bryan$ chronyc -d tracking
Resolved 127.0.0.1 to 127.0.0.1
Resolved ::1 to ::1
Opening connection to /var/run/chrony/chronyd.sock
Could not connect socket : Permission denied
Opening connection to 127.0.0.1:323
Sent 104 bytes
Received 104 bytes
Reply cmd=33 reply=5 stat=0 seq=0
Reference ID : 10.64.1.25 (fleur.lan.seaviewsound.co.nz)
Stratum : 2
Ref time (UTC) : Fri Aug 21 13:45:59 2015
System time : 0.000001598 seconds slow of NTP time
Last offset : +0.000001509 seconds
RMS offset : 0.000007692 seconds
Frequency : 17.337 ppm fast
Residual freq : +0.002 ppm
Skew : 0.303 ppm
Root delay : 0.000362 seconds
Root dispersion : 0.000093 seconds
Update interval : 8.1 seconds
Leap status : Normal
number9:~ bryan$ sudo chronyc -d tracking
Password:
Resolved 127.0.0.1 to 127.0.0.1
Resolved ::1 to ::1
Opening connection to /var/run/chrony/chronyd.sock
Sent 104 bytes
Received 104 bytes
Reply cmd=33 reply=5 stat=0 seq=0
Reference ID : 10.64.1.25 (fleur.lan.seaviewsound.co.nz)
Stratum : 2
Ref time (UTC) : Fri Aug 21 13:46:15 2015
System time : 0.000005477 seconds fast of NTP time
Last offset : -0.000000342 seconds
RMS offset : 0.000007694 seconds
Frequency : 17.203 ppm fast
Residual freq : -0.004 ppm
Skew : 0.277 ppm
Root delay : 0.000308 seconds
Root dispersion : 0.000091 seconds
Update interval : 8.2 seconds
Leap status : Normal
--
Bryan Christianson
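
The directory checks from the quoted test list (expected owner, no access for others), as an added example that is not part of the original messages and not chronyd's own code. The function name, the allowed-UID set and the symlink rejection are assumptions of this sketch; the demo runs on constructed temporary directories rather than /var/run/chrony.

```python
import os
import stat
import tempfile

def audit_socket_dir(path, allowed_uids):
    """Return a list of findings for the directory; empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat so a symlink at the path is not followed
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]  # assumption: anything but a real directory fails
    findings = []
    if st.st_uid not in allowed_uids:
        findings.append("bad-owner")
    if st.st_mode & stat.S_IRWXO:  # any r/w/x bit set for "others"
        findings.append("accessible-by-others")
    return findings

def demo():
    """Run the audit over constructed directories in a temporary location."""
    me = os.getuid()  # stands in for root or the chrony user in this demo
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "good")
        loose = os.path.join(base, "loose")
        link = os.path.join(base, "link")
        os.mkdir(good)
        os.chmod(good, 0o750)   # no bits for others
        os.mkdir(loose)
        os.chmod(loose, 0o755)  # others can list and enter
        os.symlink(good, link)
        results["good"] = audit_socket_dir(good, {me})
        results["loose"] = audit_socket_dir(loose, {me})
        results["wrong_owner"] = audit_socket_dir(good, {me + 1})
        results["link"] = audit_socket_dir(link, {me})
        results["missing"] = audit_socket_dir(os.path.join(base, "absent"), {me})
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a real host the call would be `audit_socket_dir("/var/run/chrony", {0, chrony_uid})`, with `chrony_uid` looked up for whichever account chronyd drops privileges to.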