Re: [chrony-dev] Using Linux Capabilities

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-dev] Using Linux Capabilities
From: Bill Unruh <unruh@xxxxxxxxxxxxxx>
Date: Fri, 27 Oct 2017 09:42:34 -0700 (PDT)

I guess I am confused about your intial situation. chronyd is designed so as
to be running continually, not for starting or stopping. Thus it is started in
the Linux startup by initd or its equivalent and runs forever thereafter. It
does have the offline and online commands which can be implimented by chronyc
in case the sources being used are not available for a time (eg network
connection being sporadic). It certainly is not designed to be started up and

stopped at sporadically--- one problem being exactly the need for root.So, it is unclear to me why you would be having some parent process forking

chronyd, instead of just controlling via offline and online through chronyc
(which does not need root).
Perhaps if you told us more what and why you are trying to do we could be more
helpful.


On Fri, 27 Oct 2017, Michael Cashwell wrote:

Greetings,

Perhaps I’m confused so I wanted to raise this issue/question before sending a patch.

On linux, I need a parent process to fork/execv chronyd and I have that parent managing the needed Linux capabilities so chronyd can set the local time and access reserved ports. That parent process has already dropped to a non-privileged user which prevents chronyd from starting as the superuser or making use of the -u option.

But with capabilities in place it shouldn’t need those things and chronyd’s LOG_FATAL("Not superuser”) euid 0 test early in main() should not apply.

I understand that eliminating that test outright would change the behavior other platforms (those without capabilities where a non-euid 0 invocation is certain to fail later) so I didn’t want to do that.

Instead, I added a ‘-U’ option that just skips the euid 0 requirement. I’ll need to rebase my patch before posting but wanted to discuss this first.

Does this make sense or is there another way to do it?

-Mike


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

References:
- [chrony-dev] Using Linux Capabilities
  - From: Michael Cashwell

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-dev] new feature request: add "fast" and "slow" to "clock wrong" and "clock stepped" log messages
Next by Date: Re: [chrony-dev] new feature request: add "fast" and "slow" to "clock wrong" and "clock stepped" log messages
Previous by thread: Re: [chrony-dev] Using Linux Capabilities
Next by thread: [chrony-dev] new feature request: add "fast" and "slow" to "clock wrong" and "clock stepped" log messages

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/