Re: [chrony-dev] chronyd systemd ehancement patch submition

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-dev] chronyd systemd ehancement patch submition
From: Nicolas Bouchinet <nicolas.bouchinet@xxxxxxxxxxx>
Date: Tue, 25 Feb 2020 08:48:07 +0100

I allow myself to answer the questions asked during the previousdiscussion.

> Capabilities are needed to bind to a privileged port and adjust thesystem> clock, but chronyd does other things on start that require rootprivileges,> e.g. create /var/{run,lib,log}/chrony, open /dev/pps*, /dev/ptp*,/dev/rtc

> and possibly other devices.

As I see it, access to devices can be set by the chrony distributionpackage maintainer using UNIX group permissions.Also the creation of /var/{run,lib,log}/chrony can be handled by systemdusing the {Runtime,State,Logs}Directory unit configuration options.

I can inquire other cases that needs root privileges.

> Maybe it would help if you could explain in what cases it's useful tostart

> chronyd without root privileges?

Starting chronyd without being root minimizes the actions performed bythis user this is a way to ensure the reduction of the attack surface.

I would be happy to modify the patch to best meet the needs of theupstream.


On 2/24/20 9:37 AM, Miroslav Lichvar wrote:

On Mon, Feb 24, 2020 at 09:17:46AM +0100, Nicolas Bouchinet wrote:

Linux distributions that use systemd can delegate those security tasks to
systemd unit configuration rules.

  ```
  User=chrony

  AmbientCapabilities=CAP_SYS_TIME
  CapabilityBoundingSet=CAP_SYS_TIME
  ```

Those indicative and non exhaustive configuration options ensure chrony is
directly executed as unprivileged user, therefore reducing the attack
surface.

The trouble with that approach is that it works only with some
specific configurations. chronyd needs the root privileges for other
things than just adjusting the clock, which cannot be done by systemd.
Please see a previous discussion:

https://www.mail-archive.com/chrony-dev@xxxxxxxxxxxxxxxxxxxx/msg01731.html


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-dev] chronyd systemd ehancement patch submition
  - From: Miroslav Lichvar
- Re: [chrony-dev] chronyd systemd ehancement patch submition
  - From: Bill Unruh

References:
- [chrony-dev] chronyd systemd ehancement patch submition
  - From: Nicolas Bouchinet
- Re: [chrony-dev] chronyd systemd ehancement patch submition
  - From: Miroslav Lichvar

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-dev] chronyd systemd ehancement patch submition
Next by Date: Re: [chrony-dev] chronyd systemd ehancement patch submition
Previous by thread: Re: [chrony-dev] chronyd systemd ehancement patch submition
Next by thread: Re: [chrony-dev] chronyd systemd ehancement patch submition

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/