Re: [chrony-users] Usage of `chrony accheck ip-address`


On Thu, Apr 30, 2020 at 12:54:52PM +0000, Jürgen Gmach wrote:
> Eventually I figured out that the "not authorised" does not mean my other server is not authorised to check the time, but my Linux user is not authorised to use the accheck sub command.
> 
> I wonder why.

chronyc can connect to chronyd using a Unix domain socket, which is
not accessible to ordinary users, or over the internet. The accheck command
works only over the former.

> The chrony.conf is readable by everybody (at least on Ubuntu after a simple apt install chrony). So, I see no reason to hide to which subnets the time server is available.

Yes, but for chronyd there is no difference between a local user
connecting to 127.0.0.1 or a remote user connecting to a public
address of the machine. Also, the configuration file could have
different permissions.

> Also, usually one gets a different error like "you have to be root" or similar.

Root or the user under which chronyd is running, which chronyc doesn't
know.

> What is the reasoning behind this decision?
> 
> Is it possible to amend the documentation?

Which part of the documentation would you suggest to amend? The
chronyc man page tries to explain the difference between the
connections and lists commands that always work in the 4th paragraph.

-- 
Miroslav Lichvar
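
An added example, not part of the original message or of chrony: a shell check of whether the current user can reach chronyd's Unix domain socket, which per the reply above decides whether accheck is accepted. The path /var/run/chrony/chronyd.sock is chronyc's documented default and is an assumption for any given system; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Diagnostic sketch (added example, not chrony's own code).
# Assumption: chronyd's command socket is at chronyc's documented default
# path unless CHRONYD_SOCK or the first argument says otherwise.
CHRONYD_SOCK="${CHRONYD_SOCK:-/var/run/chrony/chronyd.sock}"

# Usage: chrony_cmd_transport [socket-path]
# Returns 0 if the current user can likely use the Unix domain socket
#           (accheck and other restricted commands can be accepted),
#         1 if the socket or its directory exists but permissions block it
#           (chronyc then reaches chronyd over the network transport only,
#           where accheck answers "Not authorised"),
#         2 if there is no socket at that path.
chrony_cmd_transport() {
    cct_sock="${1:-$CHRONYD_SOCK}"
    cct_dir=$(dirname "$cct_sock")

    # Without search permission on the directory the socket is unreachable,
    # and even its existence cannot be confirmed by this user.
    if [ -d "$cct_dir" ] && [ ! -x "$cct_dir" ]; then
        echo "$cct_dir is not searchable by $(id -un): Unix socket unavailable"
        return 1
    fi

    if [ ! -S "$cct_sock" ]; then
        echo "no Unix domain socket at $cct_sock"
        return 2
    fi

    # chronyc binds its own client socket next to chronyd's, so the user
    # needs write access to the directory as well as to the socket itself.
    if [ ! -w "$cct_dir" ] || [ ! -w "$cct_sock" ]; then
        echo "$cct_sock exists but $(id -un) lacks write access"
        return 1
    fi

    echo "Unix socket usable by $(id -un): restricted commands can be sent"
    return 0
}
```

Run it as the same user that gets the "not authorised" reply; a result of 1 matches the situation described in this thread.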

