Re: [chrony-dev] permissions

[Miroslav Lichvar <mlichvar@xxxxxxxxxx>]

On Mon, Oct 11, 2021 at 04:30:53PM -0400, S Egbert wrote:
> Package changes needed (circa Debian 11 Update+Security):
> 
> chronyd          0755 root:root        -> 0750 _chrony:root
> chrony/conf.d    0755 root:root        -> 0750 _chrony:root
> chrony/sources.d 0755 root:root        -> 0750 _chrony:root
> chrony.keys      0640 root:root        -> 0600 _chrony:root

I'm not sure if it is a good idea to give the chronyd process
permissions to write to its own config files. The main point of using
a chrony-specific user/group is to limit the damage that an attacker
can do via compromised chronyd. It's not meant to be used by
administrators to edit config files. I think a different user/group
should be used for that if necessary.

The config files are read by chronyd when it still has root
privileges. Only the source files and key files need to be readable by
the chrony user/group.

> Code patches needed (low priority, protected by its directory)
> drift            0644 _chrony:_chrony  -> 0600 _chrony:_chrony

This can be done by setting the service umask. chronyd doesn't change
the umask.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.