[chrony-users] Chrony as non-root user (again)



I know it has been discussed a number of times before on this list (e.g. https://www.mail-archive.com/chrony-users@xxxxxxxxxxxxxxxxxxxx/msg01751.html); however, it seems like it was dismissed too quickly.

The given reason was:

> Even when running as a client only, chronyd may need root permissions to open some devices (e.g. /dev/ptp*, /dev/rtc*), create directories (/var/run/chrony), or enable HW timestamping.

However, it seems to me that all of these (except maybe for HW timestamping, which I am not familiar with) can be managed by more fine-grained permissions, such as changing the group or ACL of the device node, creating the directories beforehand, or via process capabilities.

Would it be possible to enable running chrony as a non-privileged user? This can be done either by downgrading the root check to a warning or by adding a flag (such as https://www.mail-archive.com/chrony-dev@xxxxxxxxxxxxxxxxxxxx/msg01731.html) that allows running as a non-root user. This would help those of us for whom the features we need are available in a non-root process.

If it would make you more comfortable, you can label the flag as experimental or similar, but it would be a nice way to get some testing and allow running chrony more locked down.
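
Added example (not part of the original post, and not chrony code): a preflight audit, run as the unprivileged account, that checks the three prerequisites the post lists: device node access, a pre-created run directory, and process capabilities. The capability names and bit numbers (from linux/capability.h), the device names `/dev/ptp0` and `/dev/rtc0`, and the sample status text are assumptions made for illustration.

```python
"""Preflight audit: can this unprivileged account reach what chronyd needs?"""
import os
import re

# Assumed capability bit numbers from linux/capability.h (not named in the post).
CAPS = {"CAP_NET_BIND_SERVICE": 10, "CAP_SYS_TIME": 25}

def effective_caps(status_text):
    """Return the names from CAPS that are set in the CapEff mask of
    /proc/<pid>/status-formatted text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {name for name, bit in CAPS.items() if (mask >> bit) & 1}

def path_findings(devices, run_dir):
    """List problems that would stop a non-root process from using these paths."""
    findings = []
    for dev in devices:
        if not os.path.exists(dev):
            findings.append(f"{dev}: missing")
        elif not os.access(dev, os.R_OK | os.W_OK):
            findings.append(f"{dev}: no read/write access (fix group or ACL)")
    if not os.path.isdir(run_dir):
        findings.append(f"{run_dir}: not created beforehand")
    elif not os.access(run_dir, os.W_OK | os.X_OK):
        findings.append(f"{run_dir}: not writable")
    return findings

def audit(status_text, devices, run_dir, need=("CAP_SYS_TIME",)):
    """Combine capability and path checks; an empty list means all checks pass."""
    have = effective_caps(status_text)
    findings = [f"missing capability {c}" for c in need if c not in have]
    return findings + path_findings(devices, run_dir)

# Constructed sample: a status excerpt with only bit 25 (CAP_SYS_TIME) set.
SAMPLE_STATUS = "Name:\tchronyd\nCapPrm:\t0000000002000000\nCapEff:\t0000000002000000\n"

if __name__ == "__main__":
    # Device instances are assumptions; the post only names /dev/ptp* and /dev/rtc*.
    with open("/proc/self/status") as f:
        status = f.read()
    for line in audit(status, ["/dev/ptp0", "/dev/rtc0"], "/var/run/chrony"):
        print("FAIL", line)
```

Run it under the target account with the capabilities already granted to the process, so that `/proc/self/status` and `os.access` reflect what the daemon would actually see.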

