[chrony-users] Chrony permissions question.

[chrony-users] Chrony permissions question.

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
Subject: [chrony-users] Chrony permissions question.
From: "Kohr, Alexander" <Alexander.Kohr@xxxxxxxxxxxxxxx>
Date: Fri, 20 Dec 2019 16:30:52 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 155.247.195.54) smtp.rcpttodomain=chrony.tuxfamily.org smtp.mailfrom=tuhs.temple.edu; dmarc=bestguesspass action=none header.from=tuhs.temple.edu; dkim=none (message not signed); arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mlDv+3VsZd0gXFACNT5ALTJsFxwf83GmON9bsR1HNMQ=; b=AW07vtXismGAlMTzBJwIk1AYly63vMU5GE4VddZ+WDi2ISkWQYJUi9gODsBx+Gd9/Gw2+1uFFR18WCeDrdmJcDmCryzhoZ6njVzQuV99XzuKDhm0T1+a3Zwfp2rbvkqNuZywL3CLWB6WVyp60Rl8g5VQCUwE+Dbiv15RR0jYOQb4LZFyxlfnC4nahGH5a6EGbiR/zfe2kjNB1soellFs6J36Bw7UYa2OICtWUGrWz6xr6bFQYgqVALHp1KyQv0ZIj0L5n/oQMxzWOCrVSW+1tMkphB5dn5A1iTWaGfLe/Zp8+PmGd7C96vn3k2WYt0TsMXPOI/hU63cx58XXWgeFRg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aUq/XVG+fqTUJBZsAXQqStZPQ3Zqf1HgIvByg+QSHQQ03MFRJ73STwfYr04NirolALE+mCD6GH21E92bq6gE7JHVkXjvdK37I6qH5E9O2JgxKUdUGnpnsenaDXryaoWxkZxiRUDvgWWRUeP+Xcptmmn/hdESTT3IMGEK87ogx2id4EiJSIw354ynlHgx3utbukpD25+/w+TpfTM245rlcfJGsUJNdfLzzFxCaqMXmUCuxoosp3UGOFbrT4tSgJvhnYZHSHb5FMf/pyNunyHQL8WzvquTQSo5Co91k/L8k0qf8lvw9zZQzMBwPVpNsVL49fMilPJ3bo62nsnhAnG+1Q==
Authentication-results: spf=pass (sender IP is 155.247.195.54) smtp.mailfrom=tuhs.temple.edu; chrony.tuxfamily.org; dkim=none (message not signed) header.d=none;chrony.tuxfamily.org; dmarc=bestguesspass action=none header.from=tuhs.temple.edu;
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tuhs.onmicrosoft.com; s=selector2-tuhs-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mlDv+3VsZd0gXFACNT5ALTJsFxwf83GmON9bsR1HNMQ=; b=nhZX5hrqvOJPxjd09ntYsyM1M+02F2r/PjpVmVetB0HOsDfxzsZXp3ygbF5oeNhTO56bIwP3i8ePrF4iReklE4PK9YDrkq8ysw0ynrlC4eBL9SC0jRINlDahKCA8TMwvtMwkT+xT4wu82STmOLRApf6jpwI7J4Kumjc/7Vealak=
Thread-index: AdW3TowqzGQDowVzT/WQR79yPSPoZA==
Thread-topic: Chrony permissions question.

My IT security group is using a new tool and as part of the security scan results for a new RHEL 7.7 box, the tool is complaining that a few home directories including chrony’s (/var/lib/chrony) have permissions that are too permissive at 755 instead of 750 or more secure. In reality this may just be an issue with the tool not knowing that chrony’s permissions are that way by default, as there are other user accounts like the ntp users on the box with home directories permissions of 755 and it is not complaining about them. (I am going to follow up on this as well.) Though there are other application specific user account with permissions of 700, so I wonder if chrony could be the same.

I know in RHEL 7 the default location of the drift file sis the home directory of /var/lib/chrony. (I also know it is the recommended location for some other files if they are enabled in the chrony configuration.)

Is there a reasons that the chrony home directory is /var/lib/chrony instead of something else, that does not contain the drift file?

If so is there a reason that the chrony home directory permission are 755 instead of 750 or 700?

_________________________

Alexander Kohr

Unix Systems Administrator

Temple University Health System

2450 W. Hunting Park Ave

Philadelphia PA 19129

Alexander.Kohr@xxxxxxxxxxxxxxx

267-666-8341 (Corporate Cell)

This electronic message is intended to be for the use of the named recipient, and may contain information that is confidential or privileged. This communication may contain protected health information (PHI) that is legally protected from inappropriate disclosure by the Privacy Standards of the Health Insurance Portability and Accountability Act (HIPAA) and relevant Pennsylvania Laws. You can direct questions concerning PHI or HIPAA to the Corporate Compliance and Privacy Officer at (215) 707-5605. If you are not the intended recipient, please note that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, you should notify the sender immediately by telephone or by return e-mail and delete and destroy all copies of this message.

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-users] unsubscribe
Next by Date: [chrony-users] Backward time jump detected! Can't synchronise: no selectable sources
Previous by thread: [chrony-users] unsubscribe
Next by thread: [chrony-users] Backward time jump detected! Can't synchronise: no selectable sources

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/