[chrony-users] cmd channel on localhost
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-users] cmd channel on localhost
- From: Youssef Ghorbal <youssef.ghorbal@xxxxxxxxx>
- Date: Thu, 4 Jul 2019 17:04:55 +0200
Hello,
I'm not sure I understand cmd channel access control. The
documentation states that bindcmdaddress permits chrony to bind the cmd
channel on a specified IP (defaults to localhost, which is fine for me).
There is also cmdallow, which restricts cmd sources (I defined that as
localhost too).
Still, when I issue, as a normal user (not root nor the chrony user):
chronyc ntpdata
I get "501 Not authorised" (with root or the chrony user it works fine).
The server "debug" logs are very explicit :
2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 32 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 10 rate -14 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 32 bytes to 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 76 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 11 rate -13 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 76 bytes to 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z cmdmon.c:1307:(read_from_cmd_socket) Received 152 bytes from 127.0.0.1:59526 fd 3
2019-07-04T14:35:21Z clientlog.c:503:(CLG_LogCommandAccess) Cmd hits 12 rate -12 tokens 0
2019-07-04T14:35:21Z cmdmon.c:407:(transmit_reply) Sent 28 bytes to 127.0.0.1:59526 fd 3
The problem I'm trying to solve is to pull statistics from a local
monitoring agent running on the same server (with its own user). So I
was expecting it to work fine pulling stats using the localhost
cmd channel. But from what I see this user needs to be part of the
chrony group in order to be able to use the socket rather than UDP on
localhost.
I've taken a look at the code here:
https://github.com/mlichvar/chrony/blob/b8d546a0d110792b162e477a2c8249df6e25f553/cmdmon.c#L1397
The permissions struct that seems to map commands to required access
level does not have any PERMIT_LOCAL item. I guess no command is
currently allowed through localhost (and it's either PERMIT_AUTH or
PERMIT_OPEN).
Thank you for your help.
Youssef
PS: running stock chrony-3.2-2.el7.x86_64 on CentOS 7
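The behaviour described in the post comes from chronyd having two command channels with different trust: anything arriving on the Unix domain socket is treated as authenticated (so whoever can open that socket, root or the chrony group, can also issue state-changing commands such as makestep), while a client on UDP 127.0.0.1 is only granted the open monitoring commands no matter what cmdallow says. The collector below is an added example for this editorial pass, not chrony's code and not the poster's: it pulls `tracking` over the UDP channel, parses chronyc's CSV output, and turns the 501 a UDP client gets for `ntpdata` into an explicit access-control message. The set of open commands is an assumption derived from the post (ntpdata refused over UDP) and chrony's documented rule that the rest need the socket; the authoritative table is the permissions array in cmdmon.c, and the sample tracking line is constructed, not captured.

```python
"""Local chrony stats collector that respects the two command channels.

Added example (not chrony's code, not the poster's): pulls monitoring data
from chronyd on the same host over the UDP command channel, and explains the
"501 Not authorised" a UDP client gets for an authenticated command.
"""
import shutil
import subprocess

# Commands chronyd answers over UDP for cmdallow'd clients (PERMIT_OPEN in
# cmdmon.c).  ASSUMPTION for this example: the set is inferred from the post
# and chrony's documented rule that state-changing commands need the Unix
# domain socket; the real table is the permissions array in cmdmon.c.
OPEN_COMMANDS = frozenset({"tracking", "sources", "sourcestats", "activity"})

# Field order of `chronyc -c tracking` (CSV output), chrony 3.x.
TRACKING_FIELDS = (
    "ref_id", "ref_addr", "stratum", "ref_time", "system_time",
    "last_offset", "rms_offset", "frequency", "residual_freq", "skew",
    "root_delay", "root_dispersion", "update_interval", "leap_status",
)


def needs_unix_socket(command: str) -> bool:
    """True if chronyd only honours `command` from the Unix domain socket.

    Access to that socket is a filesystem permission (root or the chrony
    group), so a client on UDP 127.0.0.1 gets 501 regardless of cmdallow.
    """
    return command.split()[0] not in OPEN_COMMANDS


def chronyc_argv(command: str, via_unix_socket: bool) -> list:
    """Build the chronyc invocation for the chosen channel.

    `-h 127.0.0.1` forces the UDP channel; without -h, chronyc tries the
    Unix domain socket first and falls back to UDP on loopback.
    """
    argv = ["chronyc", "-c"]  # -c: machine-readable CSV output
    if not via_unix_socket:
        argv += ["-h", "127.0.0.1"]
    return argv + command.split()


def parse_tracking(csv_line: str) -> dict:
    """Parse one `chronyc -c tracking` line into typed fields."""
    values = csv_line.strip().split(",")
    if len(values) != len(TRACKING_FIELDS):
        raise ValueError("unexpected tracking field count: %d" % len(values))
    rec = dict(zip(TRACKING_FIELDS, values))
    rec["stratum"] = int(rec["stratum"])
    for key in TRACKING_FIELDS[3:13]:  # ref_time .. update_interval
        rec[key] = float(rec[key])
    return rec


def explain_status(command: str, via_unix_socket: bool, output: str) -> str:
    """Map a chronyc failure line to its access-control cause when that is it."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    if first.startswith("501") and not via_unix_socket and needs_unix_socket(command):
        return ("%s: '%s' is an authenticated command; chronyd only accepts it "
                "on the Unix domain socket (root or chrony group), not over UDP "
                "from a cmdallow'd address" % (first, command))
    return first or "chronyc produced no output"


def collect(command: str, via_unix_socket: bool = False, timeout: float = 5.0) -> dict:
    """Run one chronyc command; return {'ok': True, 'data': ...} or an error."""
    if shutil.which("chronyc") is None:
        return {"ok": False, "error": "chronyc not installed"}
    proc = subprocess.run(chronyc_argv(command, via_unix_socket),
                          capture_output=True, text=True, timeout=timeout)
    output = proc.stdout + proc.stderr
    if proc.returncode != 0 or output.startswith("501"):
        return {"ok": False, "error": explain_status(command, via_unix_socket, output)}
    if command == "tracking":
        return {"ok": True, "data": parse_tracking(output)}
    return {"ok": True, "data": output.strip()}


# Constructed sample of `chronyc -c tracking` output (not captured from a
# real host) so the parser can be exercised without a running chronyd.
SAMPLE_TRACKING = ("AC1F6F01,172.31.111.1,3,1562251521.339384212,-0.000023456,"
                   "0.000001234,0.000034567,-12.345,0.002,0.045,0.000456789,"
                   "0.012345678,64.2,Normal")

if __name__ == "__main__":
    print(parse_tracking(SAMPLE_TRACKING))
    for cmd in ("tracking", "ntpdata"):
        print(cmd, collect(cmd, via_unix_socket=False))
```

Run as the monitoring user on a host with chronyd: `tracking` succeeds over UDP, `ntpdata` comes back with the explained 501. If the agent genuinely needs ntpdata, the least-privilege options are to give it a narrowly scoped way to reach the socket (for example a sudoers rule limited to exactly `chronyc ntpdata`) rather than adding its account to the chrony group, which hands it the whole authenticated command set.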