Re: [chrony-dev] [Regression 3.5 -> 4.0-pre1]: Could not remove /run/chronyd.pid : Permission denied
Hi Miroslav,

On 2020-04-07T16:37+0200, Miroslav Lichvar wrote:
> On Tue, Apr 07, 2020 at 04:26:20PM +0200, Vincent Blut wrote:
> > Hi,
> >
> > While preparing chrony 4.0-pre1 for Debian experimental, I observed that stopping chronyd throws the following error:
> >
> > chronyd[118401]: Could not remove /run/chronyd.pid : Permission denied
> >
> > I have yet to look for where the issue lies but as I’m unable to reproduce this with chrony 3.5, we probably have a regression here.
>
> There might be two separate issues. Does the Debian package override the default location of the pidfile? Since 3.4 it should be in /var/run/chrony (or /run/chrony). When chronyd dropped the root privileges, it couldn't remove a file in /var/run (or /run). Previously the failure to remove the file produced only a debug message. Now it's an error syslog message.

I’m working on this, so starting from chrony 4.0 we will use /run/chrony as the default PID file location. This change requires an update of our AppArmor profile to allow the “dac_override” and “dac_read_search” capabilities; considering the following access control lists, it’s not surprising since “root” must write the PID file:

    $ getfacl /run/chrony 2>/dev/null
    # file: run/chrony
    # owner: _chrony
    # group: _chrony
    user::rwx
    group::r-x
    other::---

Nonetheless, from a security point of view, would it not be better to change the group ownership to root and set the permissions to 770?

Cheers,
Vincent
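
The permission reasoning in the message above, as an added example that is not part of the original e-mail or of chrony: a small Python model of the POSIX owner/group/other check, applied to the /run/chrony layout shown by getfacl and to the proposed group root, mode 770 layout. The numeric IDs (123 for _chrony) and all helper names are assumptions; it models a process with no DAC-bypass capability and does not model AppArmor or extended ACL entries.

```python
# Added illustration: classic POSIX DAC class selection (owner, then group,
# then other) for a process that holds no DAC-bypass capability.
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o750

@dataclass(frozen=True)
class Cred:
    uid: int
    groups: frozenset  # primary and supplementary GIDs

def granted_bits(inode, cred):
    """Return the rwx bits of the single class that applies to cred."""
    if cred.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in cred.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def missing_bits(inode, cred, wanted):
    """Bits in `wanted` that DAC denies; non-zero means a capability is needed."""
    return wanted & ~granted_bits(inode, cred)

def describe(bits):
    return "".join(c for c, b in (("r", R), ("w", W), ("x", X)) if bits & b) or "-"

# Constructed IDs: 0 is root; 123 stands in for _chrony (assumed value).
ROOT = Cred(uid=0, groups=frozenset({0}))
CHRONY = Cred(uid=123, groups=frozenset({123}))
CREATE_OR_UNLINK = W | X  # creating or removing the PID file needs w+x on the directory

LAYOUTS = {
    "current _chrony:_chrony 0750": Inode(uid=123, gid=123, mode=0o750),
    "proposed _chrony:root 0770": Inode(uid=123, gid=0, mode=0o770),
}

def report():
    """Map each layout to the bits each identity lacks for create/unlink."""
    return {name: {who: describe(missing_bits(inode, cred, CREATE_OR_UNLINK))
                   for who, cred in (("root", ROOT), ("_chrony", CHRONY))}
            for name, inode in LAYOUTS.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In the model, root falls into the "other" class on the current layout and lacks both w and x, which is the access a DAC-bypass capability has to cover; with group root and mode 770 the group class already grants it.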