Re: [chrony-dev] Using Linux Capabilities

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


On Fri, Oct 27, 2017 at 09:00:24AM -0400, Michael Cashwell wrote:
> Greetings,
> 
> Perhaps I’m confused so I wanted to raise this issue/question before sending a patch.
> 
> On linux, I need a parent process to fork/execv chronyd and I have that parent managing the needed Linux capabilities so chronyd can set the local time and access reserved ports. That parent process has already dropped to a non-privileged user which prevents chronyd from starting as the superuser or making use of the -u option.
> 
> But with capabilities in place it shouldn’t need those things and chronyd’s LOG_FATAL("Not superuser”) euid 0 test early in main() should not apply.

Will that work with all features supported by chronyd?

Capabilities are needed to bind to a privileged port and adjust the
system clock, but chronyd does other things on start that require root
privileges, e.g. create /var/{run,lib,log}/chrony, open /dev/pps*,
/dev/ptp*, /dev/rtc and possibly other devices.

As I understand it, the option you propose would change the behavior
of the program.

Maybe it would help if you could explain in what cases it's useful to
start chronyd without root privileges?

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/