Re: [chrony-dev] Using Linux Capabilities



On Wed, Nov 08, 2017 at 05:17:03PM -0500, Michael Cashwell wrote:
> Since my parent process has the desired capabilities and long since dropped root there’s no way for it to fork/exec chronyd as root, hence the idea to use capabilities only.
> 
> It sounds like a “more standard” approach would be:
> 
> 1: chronyd is started by the OS at boot in local mode (e.g. no upstream time sources) and in an inert state where it WILL NOT respond to NTP requests on the LAN because it has not been told that the system time is “good”.
> 
> 2: At some point after boot up my parent process invokes chronyc (again as non-root) to bless the system time as good and thus enable NTP requests to be answered.
> 
> If that’s possible without source code changes that’s fine with me.

That should be possible. If chronyd is started with all client access
disabled (that's the default), it can be enabled later when the local
clock is synchronized by running "chronyc allow". chronyc needs to be
started under the same user as chronyd, or the permissions/ownership
of /var/run/chrony{,/chronyd.sock} modified accordingly, after chronyd
has started.

-- 
Miroslav Lichvar
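A worked version of the procedure described in the reply above, as an added example (shell script written for this page; it is not chrony's own code and not from either poster). It assumes chronyd was started with no "allow" directive, that the command socket lives in /var/run/chrony (overridable via CHRONY_SOCKET_DIR) and that your chronyc accepts the socket path with -h; the function and variable names are mine. The point it makes concrete is the permission requirement from the reply: chronyc creates its own reply socket inside the directory and writes to chronyd.sock, so the caller needs write and search on the directory and write on the socket, which is why running chronyc as chronyd's user (or adjusting ownership after chronyd has started) matters.

```shell
#!/bin/sh
# Added example (not chrony's own code): enable NTP client access on a
# running chronyd from a non-root process, after first checking that the
# caller can actually use chronyd's Unix-domain command socket.
#
# Assumptions (mine, not stated in the thread):
#   - chronyd was started with no "allow" directive, so client access is off.
#   - CHRONY_SOCKET_DIR is the directory holding chronyd.sock (default
#     /var/run/chrony); CHRONYC is the chronyc binary, overridable so the
#     logic can be exercised against a stub.
#   - chronyc accepts the socket path via "-h /path/to/chronyd.sock".

CHRONY_SOCKET_DIR="${CHRONY_SOCKET_DIR:-/var/run/chrony}"
CHRONYC="${CHRONYC:-chronyc}"

# chrony_sock_accessible DIR
# Returns 0 if the current user can talk to chronyd through DIR/chronyd.sock.
# chronyc needs write+search on DIR (it creates its own reply socket there)
# and write on chronyd.sock itself. Prints the first failing check to stderr.
chrony_sock_accessible() {
    dir="$1"
    sock="$dir/chronyd.sock"
    if [ ! -d "$dir" ]; then
        echo "chrony: $dir does not exist (has chronyd started?)" >&2
        return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "chrony: $dir is not writable/searchable by $(id -un);" \
             "run chronyc as chronyd's user or chown/chmod the directory" >&2
        return 1
    fi
    if [ ! -e "$sock" ]; then
        echo "chrony: $sock is missing" >&2
        return 1
    fi
    if [ ! -w "$sock" ]; then
        echo "chrony: $sock is not writable by $(id -un)" >&2
        return 1
    fi
    return 0
}

# chrony_enable_clients DIR [SUBNET...]
# Marks the local clock as good for serving: issues "chronyc allow SUBNET"
# for each subnet given. With no subnet a bare "chronyc allow" is sent, which
# opens access to every address, so prefer naming the LAN explicitly.
# Refuses to proceed when the socket is not reachable by this user.
chrony_enable_clients() {
    dir="$1"
    shift
    chrony_sock_accessible "$dir" || return 1
    sock="$dir/chronyd.sock"
    if [ "$#" -eq 0 ]; then
        echo "chrony: no subnet given; allowing all clients" >&2
        "$CHRONYC" -h "$sock" allow || return 1
        return 0
    fi
    for net in "$@"; do
        "$CHRONYC" -h "$sock" allow "$net" || return 1
    done
    return 0
}

# Typical use from the non-root supervisor once it trusts the system time:
#   chrony_enable_clients "$CHRONY_SOCKET_DIR" 192.168.1.0/24
```

Run it as the same user chronyd runs as; if chrony_sock_accessible reports the directory as not writable, that is exactly the ownership problem the reply points at, and the fix is to chown/chmod /var/run/chrony and chronyd.sock for the calling user after chronyd has created them, rather than to run the supervisor as root.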
