Re: [chrony-dev] [GIT] chrony/chrony.git annotated tag 3.5.1 created. 3.5.1



On Wed, Aug 26, 2020 at 03:42:17PM +0200, Vincent Blut wrote:
> True! But some admins/users may have overridden the default PID file
> location where the _chrony system user has write access. If so, let’s
> protect them from this vulnerability.

If they changed the pidfile, wouldn't they need to also override the
packaged systemd unit file? Maybe people do that. I don't know.

There are plenty of other ways chronyd (or another service in
general) can be misconfigured and break the system, or cause a
security issue. It's not possible to prevent them all. If someone
changes a packaged setting to an undocumented value, I think there is
an expectation that they need to know what they are doing. I changed
the default, which broke an assumption about the unprivileged chrony
user on all systems following the recommended configuration. That was
an issue that had to be fixed.

-- 
Miroslav Lichvar

