| Re: [chrony-users] Run chronyd as unprivileged user |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
On Thu, Sep 13, 2018 at 08:28:42AM +0000, Daniel Bechter wrote:
> Hey guys
>
> My original plan was to run chronyd as an unprivileged user, manually assigning the required capabilities (CAP_SYS_TIME as I only run it as client) via setcap command. Chronyd however complained about not being executed as superuser. Is there any way to run chronyd as unprivileged user from the beginning or are there any ambitions to change the behaviour?
There was a discussion related to this some time ago:
https://www.mail-archive.com/chrony-dev@xxxxxxxxxxxxxxxxxxxx/msg01731.html
Even when running as a client only, chronyd may need root permissions
to open some devices (e.g. /dev/ptp*, /dev/rtc*), create directories
(/var/run/chrony), or enable HW timestamping.
> Next thing I tried was to run chronyd with the SUID bit set:
>
> chown root:time /usr/sbin/chronyd
> chmod 4770 /usr/sbin/chronyd
>
> Chronyd still complained about not being executed as superuser though. So I looked into the code and made a change to check for the effective UID rather than the real one, see attached patch (on top of 3.3). Everything was fine afterwards. Any chance to get that mainline?
No, chronyd doesn't support SUID. It wouldn't be secure. Users could
remove any file on the filesystem using the 'refclock SOCK /file'
directive and probably do other bad things.
It might be better to configure sudo to allow trusted users to start
chronyd. If that's not possible, I guess you could get around that UID
check with the fakeroot utility.
If you describe your use case, someone may have a better suggestion.
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.