Re: [chrony-dev] [GIT] chrony/chrony.git annotated tag 3.5.1 created. 3.5.1

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


On 2020-08-26T20:02+0200, Miroslav Lichvar wrote:
On Wed, Aug 26, 2020 at 03:42:17PM +0200, Vincent Blut wrote:
True! But some admins/users may have overridden the default PID file
location where the _chrony system user have write access. If so, let’s
protect them from this vulnerability.

If they changed the pidfile, wouldn't they need to also override the
packaged systemd unit file? Maybe people do that. I don't know.

We still support SysVinit (and more), which do not benefit from the hardening features proposed by systemd.

There are plenty of other ways how chronyd (or another service in
general) can be misconfigured and break the system, or cause a
security issue. It's not possible to prevent them all. If someone
changes a packaged setting to an undocumented value, I think there is
an expectation that they need to know what they are doing. I changed
the default, which broke an assumption about the unprivileged chrony
user on all systems following the recommended configuration. That was
an issue that had to be fixed.

I can’t agree more. But hey, the effort to backport this one was pretty low.

Attachment: signature.asc
Description: PGP signature



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/