Re: [chrony-dev] [Regression 3.5 -> 4.0-pre1]: Could not remove /run/chronyd.pid : Permission denied

[Vincent Blut <vincent.debian@xxxxxxx>]

On 2020-05-06T14:12+0200, Miroslav Lichvar wrote:
> On Tue, May 05, 2020 at 09:58:54PM +0200, Vincent Blut wrote:
> > Well, by bypassing discretionary access control with CAP_DAC_OVERRIDE, we
> > probably give even more privileges to root until chronyd switches to the
> > configured unprivileged system user while this could be avoided by setting
> > the correct Unix permissions. There is a nice blog post¹ about this from an
> > SELinux member.
>
> Ok, I see how this helps with selinux. I'm not quite sure yet if it's
> worth complications in the code. There are few things to consider:
>
> - It doesn't seem to be a common practice. On my system I don't see
>  any directory in /var/run, /var/lib, /var/log that would have an
>  $UID:root owner. Most of the non-root directories there have
>  $UID:$GID of the user, and some have root:$GID. Would it make sense
>  to consider that instead of $UID:root?

If we make sure $GID has the right permissions then root:$GID would be 
good too.

> Thoughts?

From a quick glance, the rest seems to make sense.

Cheers,
Vincent

Attachment: signature.asc
Description: PGP signature