Re: [chrony-dev] [Regression 3.5 -> 4.0-pre1]: Could not remove /run/chronyd.pid : Permission denied



Hi Miroslav,

On 2020-04-07T16:37+0200, Miroslav Lichvar wrote:
> On Tue, Apr 07, 2020 at 04:26:20PM +0200, Vincent Blut wrote:
> > Hi,
> >
> > While preparing chrony 4.0-pre1 for Debian experimental, I observed that
> > stopping chronyd throws the following error:
> >
> > chronyd[118401]: Could not remove /run/chronyd.pid : Permission denied
> >
> > I have yet to look for where the issue lies but as I’m unable to reproduce
> > this with chrony 3.5, we probably have a regression here.
>
> There might be two separate issues.
>
> Does the Debian package override the default location of the pidfile?
> Since 3.4 it should be in /var/run/chrony (or /run/chrony). When
> chronyd dropped the root privileges, it couldn't remove a file in
> /var/run (or /run). Previously the failure to remove the file
> produced only a debug message. Now it's an error syslog message.

I’m working on this, so starting from chrony 4.0 we will use /run/chrony as the default PID file location. This change requires an update of our AppArmor profile to allow the “dac_override” and “dac_read_search” capabilities; considering the following access control lists, it’s not surprising since “root” must write the PID file:

$ getfacl /run/chrony 2>/dev/null
# file: run/chrony
# owner: _chrony
# group: _chrony
user::rwx
group::r-x
other::---

Nonetheless, from a security point of view, would it not be better to change the group ownership to root and set the permissions to 770?

Cheers,
Vincent
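
The permission question raised in this message, worked through as an added example (not part of the original mail and not chrony or Debian code): a simplified model of the Linux owner/group/other check showing which access root lacks on a `_chrony:_chrony` 0750 directory, and that the proposed `_chrony:root` 0770 removes the need for a capability override. The numeric ids are constructed, and the capability mapping follows capabilities(7) in simplified form.

```python
"""Simplified model of the Linux DAC check on the PID-file directory."""

CHRONY_UID = CHRONY_GID = 123      # constructed ids for _chrony; real values vary
ROOT = (0, {0})                    # uid 0 whose only group is gid 0
CHRONY = (CHRONY_UID, {CHRONY_GID})
BIT = {"r": 4, "w": 2, "x": 1}


def perm_class(owner_uid, owner_gid, uid, gids):
    """Exactly one class applies and the first match wins (no fall-through)."""
    if uid == owner_uid:
        return "user"
    if owner_gid in gids:
        return "group"
    return "other"


def missing_bits(mode, owner_uid, owner_gid, proc, want="wx"):
    """Return the wanted bits the mode does not grant to the process.

    Creating or unlinking a PID file needs write and search ("wx") on the
    directory that contains it.
    """
    uid, gids = proc
    shift = {"user": 6, "group": 3, "other": 0}[
        perm_class(owner_uid, owner_gid, uid, gids)]
    granted = (mode >> shift) & 0o7
    return "".join(c for c in want if not granted & BIT[c])


def caps_to_bypass(missing):
    """Capabilities a root process would use to get past the missing bits."""
    caps = set()
    if "w" in missing:
        caps.add("dac_override")       # bypasses write checks
    if "r" in missing or "x" in missing:
        caps.add("dac_read_search")    # bypasses directory read/search checks
    return caps


if __name__ == "__main__":
    cases = [
        ("/run/chrony 0750 _chrony:_chrony, root", 0o750, CHRONY_UID, CHRONY_GID, ROOT),
        ("/run/chrony 0770 _chrony:root, root", 0o770, CHRONY_UID, 0, ROOT),
        ("/run 0755 root:root, chronyd after drop", 0o755, 0, 0, CHRONY),
    ]
    for label, mode, ou, og, proc in cases:
        miss = missing_bits(mode, ou, og, proc)
        print(f"{label}: missing={miss or '-'} caps={sorted(caps_to_bypass(miss))}")
```
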



