Re: [chrony-dev] chronyd systemd ehancement patch submition
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] chronyd systemd ehancement patch submition
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 24 Feb 2020 09:37:17 +0100
On Mon, Feb 24, 2020 at 09:17:46AM +0100, Nicolas Bouchinet wrote:
> Linux distributions that use systemd can delegate those security tasks to
> systemd unit configuration rules.
>
> ```
> User=chrony
>
> AmbientCapabilities=CAP_SYS_TIME
> CapabilityBoundingSet=CAP_SYS_TIME
> ```
>
> Those indicative and non-exhaustive configuration options ensure chrony is
> directly executed as an unprivileged user, therefore reducing the attack
> surface.
The trouble with that approach is that it works only with some
specific configurations. chronyd needs the root privileges for things
other than just adjusting the clock, which cannot be done by systemd.
Please see a previous discussion:
https://www.mail-archive.com/chrony-dev@xxxxxxxxxxxxxxxxxxxx/msg01731.html
--
Miroslav Lichvar
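An added check, not from this thread or the chrony project, for verifying what unit settings like the quoted `User=` / `AmbientCapabilities=` / `CapabilityBoundingSet=` actually leave a running daemon with: it decodes the CapEff and CapBnd masks from /proc/<pid>/status and reports anything beyond CAP_SYS_TIME. The embedded status text and its uid are constructed sample data.

```python
"""Verify a daemon's capabilities after systemd privilege dropping.

Constructed example: decodes CapEff/CapBnd from /proc/<pid>/status and
flags anything beyond an allow-list (here only CAP_SYS_TIME).
"""
import re
import sys

# Capability names by bit number (Linux include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed /proc/<pid>/status excerpt: unprivileged uid, but the effective
# set still carries CAP_SYS_ADMIN next to CAP_SYS_TIME (bits 21 and 25).
SAMPLE_STATUS = ("Name:\tchronyd\nUid:\t992\t992\t992\t992\n"
                 "CapEff:\t0000000002200000\nCapBnd:\t0000000002000000\n")

def decode_caps(mask):
    """Set of capability names for the bits set in an integer mask."""
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}

def check_status(text, allowed=frozenset({"CAP_SYS_TIME"})):
    """Return the list of policy violations found in a /proc status text."""
    fields = dict(re.findall(r"^(\w+):\s+(.*)$", text, re.M))
    findings = []
    if int(fields["Uid"].split()[1]) == 0:        # effective uid
        findings.append("effective uid is 0")
    for key in ("CapEff", "CapBnd"):
        extra = decode_caps(int(fields[key], 16)) - allowed
        if extra:
            findings.append(f"{key} beyond allow-list: {', '.join(sorted(extra))}")
    return findings

if __name__ == "__main__":
    # Pass a pid to check a live process; otherwise the constructed sample is used.
    text = open(f"/proc/{sys.argv[1]}/status").read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for line in check_status(text) or ["ok: only allowed capabilities held"]:
        print(line)
```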