[chrony-users] cmd channel on localhost


Hello,

 I'm not sure I understand cmd channel access control. The
documentation states that bindcmdaddress permits chrony to bind the cmd
channel on a specified IP (defaults to localhost, which is fine for me).
There is also cmdallow that restricts cmd sources (that I defined on
localhost too).

 Still, when I issue, as a normal user (not root nor chrony user) :
chronyc ntpdata I get "501 Not authorised" (with root or chrony users
it works fine)
 The server "debug" logs are very explicit :

2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 32 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 10 rate -14 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 32 bytes to 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 76 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 11 rate -13 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 76 bytes to 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 152 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 12 rate -12 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 28 bytes to 127.0.0.1:59526 fd 3

 The problem I'm trying to solve is to pull statistics from a local
monitoring agent running on the same server (with its own user). So I
was expecting it to work fine pulling stats using localhost
cmdchannel. But from what I see this user needs to be part of the
chrony group in order to be able to use the socket rather than UDP on
localhost.

 I've taken a look at the code here :
https://github.com/mlichvar/chrony/blob/b8d546a0d110792b162e477a2c8249df6e25f553/cmdmon.c#L1397

  the permissions struct that seems to map commands to required access
level does not have any PERMIT_LOCAL item. I guess no command is
currently allowed through localhost (and it's either PERMIT_AUTH or
PERMIT_OPEN)

 Thank you for your help.

Youssef

PS : running stock chrony-3.2-2.el7.x86_64 on CentOS 7
