Re: [chrony-dev] [GIT] chrony/chrony.git annotated tag 3.5.1 created. 3.5.1

[Vincent Blut <vincent.debian@xxxxxxx>]

On 2020-08-26T20:02+0200, Miroslav Lichvar wrote:
> On Wed, Aug 26, 2020 at 03:42:17PM +0200, Vincent Blut wrote:
> > True! But some admins/users may have overridden the default PID file
> > location where the _chrony system user have write access. If so, let’s
> > protect them from this vulnerability.
>
> If they changed the pidfile, wouldn't they need to also override the
> packaged systemd unit file? Maybe people do that. I don't know.

We still support SysVinit (and more), which do not benefit from the 
hardening features proposed by systemd.

> There are plenty of other ways how chronyd (or another service in
> general) can be misconfigured and break the system, or cause a
> security issue. It's not possible to prevent them all. If someone
> changes a packaged setting to an undocumented value, I think there is
> an expectation that they need to know what they are doing. I changed
> the default, which broke an assumption about the unprivileged chrony
> user on all systems following the recommended configuration. That was
> an issue that had to be fixed.

I can’t agree more. But hey, the effort to backport this one was pretty 
low.

Attachment: signature.asc
Description: PGP signature