Re: [chrony-dev] [Regression 3.5 -> 4.0-pre1]: Could not remove /run/chronyd.pid : Permission denied

[Miroslav Lichvar <mlichvar@xxxxxxxxxx>]

On Tue, May 05, 2020 at 09:58:54PM +0200, Vincent Blut wrote:
> Well, by bypassing discretionary access control with CAP_DAC_OVERRIDE, we
> probably give even more privileges to root until chronyd switches to the
> configured unprivileged system user while this could be avoided by setting
> the correct Unix permissions. There is a nice blog post¹ about this from an
> SELinux member.

Ok, I see how this helps with selinux. I'm not quite sure yet if it's
worth complications in the code. There are few things to consider:

- The umask of the process will need to be set to 0 or maybe 007, but
  only when it has the root privileges (e.g. not when a regular user
  uses the -Q option). I'm not sure if someone doesn't rely on chrony not
  changing the umask.

- We'll probably want to change this for all directories created by
  chrony.

- The check of /var/run/chrony that disables the cmdmon socket if
  an unexpected owner/permission is found will probably need to allow
  the chrony group in order to not break chronyd after upgrade (when
  the old directory is not removed).

- It doesn't seem to be a common practice. On my system I don't see
  any directory in /var/run, /var/lib, /var/log that would have an
  $UID:root owner. Most of the non-root directories there have
  $UID:$GID of the user, and some have root:$GID. Would it make sense
  to consider that instead of $UID:root?

Thoughts?

-- 
Miroslav Lichvar


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.