Re: [chrony-dev] [Regression 3.5 -> 4.0-pre1]: Could not remove /run/chronyd.pid : Permission denied


Hi,

On 2020-04-28T10:26+0200, Miroslav Lichvar wrote:
> On Mon, Apr 27, 2020 at 10:12:59PM +0200, Vincent Blut wrote:
> > $ getfacl /run/chrony 2>/dev/null
> > # file: run/chrony
> > # owner: _chrony
> > # group: _chrony
> > user::rwx
> > group::r-x
> > other::---
> >
> > Nonetheless, from a security point of view, would it not be better to change
> > the group ownership to root and set the permissions to 770?
>
> Maybe. I don't know. In what case would it make a difference?

I'm sorry I didn't get back to you sooner.

Well, by bypassing discretionary access control with CAP_DAC_OVERRIDE, we probably give even more privileges to root until chronyd switches to the configured unprivileged system user, while this could be avoided by setting the correct Unix permissions. There is a nice blog post¹ about this from an SELinux member.

Cheers,
Vincent


¹ https://danwalsh.livejournal.com/79643.html
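
Added example, not part of the original message and not chrony's code: a small model of the classic Unix owner/group/other check, applied to the `/run/chrony` layout shown by `getfacl` above and to the proposed `_chrony:root` mode 770 layout. The numeric uid/gid values for `_chrony` are constructed, and the model assumes no extended ACL entries and no LSM policy.

```python
from dataclasses import dataclass

# Constructed ids for illustration; real values differ per system.
ROOT_UID, ROOT_GID = 0, 0
CHRONY_UID, CHRONY_GID = 123, 130  # hypothetical ids for _chrony

WRITE_SEARCH = 0o3  # w+x: needed to create or remove entries in a directory


@dataclass(frozen=True)
class Directory:
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    cap_dac_override: bool = False


def dac_allows(proc, d, want):
    """Classic DAC check on a directory: exactly one permission class applies."""
    if proc.cap_dac_override:
        return True  # the capability bypasses the permission bits entirely
    if proc.uid == d.uid:
        bits = (d.mode >> 6) & 7      # owner class
    elif d.gid in proc.gids:
        bits = (d.mode >> 3) & 7      # group class
    else:
        bits = d.mode & 7             # other class
    return bits & want == want


# Layout from the getfacl output: _chrony:_chrony, rwxr-x---
current = Directory(CHRONY_UID, CHRONY_GID, 0o750)
# Layout proposed in the thread: group root, mode 770
proposed = Directory(CHRONY_UID, ROOT_GID, 0o770)

root_no_cap = Process(ROOT_UID, frozenset({ROOT_GID}))
root_with_cap = Process(ROOT_UID, frozenset({ROOT_GID}), cap_dac_override=True)
chrony_user = Process(CHRONY_UID, frozenset({CHRONY_GID}))

if __name__ == "__main__":
    for name, d in (("current", current), ("proposed", proposed)):
        for who, p in (("root, no CAP_DAC_OVERRIDE", root_no_cap),
                       ("root, CAP_DAC_OVERRIDE", root_with_cap),
                       ("_chrony", chrony_user)):
            print(f"{name:9} {who:26} write+search: {dac_allows(p, d, WRITE_SEARCH)}")
```

In this model, root without the capability falls into the "other" class on the current layout and is denied, while the 770 layout with group root grants the same access through the group bits alone.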
