Re: [chrony-users] File permissions issues using SOCK protocol



On Tue, Feb 20, 2018 at 12:46:38PM -0800, Stuart Maclean wrote:
> I have a client program which uses the two sockets above.  It needs
> write permissions I think, in order to write data to chronyd.
> 
> I would like to run my client as a regular user, since it has no need
> for root privs other than to write to this socket.
> 
> Is there any way to do this?  Can chronyd create/open the socket paths
> with a more liberal write access?

There is no support for that in chrony.

You could start the daemon with a umask of 0000 (e.g. set it in the
init script or the systemd unit file), so it would create all files
and sockets with full permissions, but I'm not sure if that is a good
idea from the security point of view.

A better approach would be to modify the init script/unit file to
change the ownership of the sockets using chown after chronyd is
started.

And another approach would be to start the client under root, open the
socket and then drop the root privileges. This is how gpsd and
ntp-refclock work. An advantage is that the devices in /dev that the
client needs to open don't have to have write permissions for everyone
or be owned by the user.

-- 
Miroslav Lichvar
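The third approach above (start as root, open the socket, then drop privileges, as gpsd and ntp-refclock do) as an added example in C; this is not code from chrony, gpsd or ntp-refclock. The socket path /var/run/chrony.ttyS0.sock, the uid/gid 65534 and the function names are assumptions.

```c
#define _GNU_SOURCE                 /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect to chronyd's SOCK refclock path while still privileged. Returns fd or -1. */
int open_refclock_socket(const char *path)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd;
    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(addr.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to an unprivileged uid/gid: supplementary groups and gid first (they need
 * root), uid last. Returns 0 only if every step worked and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) != -1)    /* must fail with EPERM */
        return -1;
    return 0;
}

int main(void)
{
    int fd = open_refclock_socket("/var/run/chrony.ttyS0.sock");  /* assumed path */
    if (fd < 0 || drop_privileges(65534, 65534) != 0)             /* assumed ids */
        return 1;
    close(fd);    /* unprivileged from here on, but fd stays usable for samples */
    return 0;
}
```

The socket is opened first, so the /dev device and the socket path need no permissions for the unprivileged account; the final setuid(0) check catches a drop that left a saved root uid behind.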
