Re: [chrony-users] Chrony as non-root user (again)

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] Chrony as non-root user (again)
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Mon, 14 Sep 2020 12:03:57 +0200
Authentication-results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@xxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1600077845; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=qCmZ3hK4zGsxMw0l7Wvf+vhxTeGNXs4MXJ9ktUaZr4w=; b=M59hgKZZIKYBxD1NonE7xsx6oOvF6xL4hgjxElYRmL+cudkI/P9hGOCOQ0sfRMByZEcMDf HRse8hmmZIaWXwfEHVrpH6Ivl4F+E0zZ6McdCZL4MWpU3ltjAjCvuGS2s4NsnUvjC665tk OlZ+Dr02bOsNxtXO/S1vjzB/6T9syUs=

On Thu, Sep 10, 2020 at 07:28:23PM -0400, Kevin wrote:
> I know it has been discussed a number of times before on this list (ex:
> https://www.mail-archive.com/chrony-users@xxxxxxxxxxxxxxxxxxxx/msg01751.html)
> however it seems like it was dismissed too quickly.

Maybe this mail has more details:
https://www.mail-archive.com/chrony-dev@xxxxxxxxxxxxxxxxxxxx/msg01731.html

> However it seems to me that all of these (except maybe for HW timestamping,
> I am not familiar) can be managed by more fine grained permissions such as
> chaining the group or ACL of the device node, creating the directories
> beforehand or via process capabilities.

There are devices that chronyd may need to open in some configurations
and there are also capabilities that chronyd may need. Without parsing
the configuration file we don't know in advance. I don't think
requiring the admin to modify those permissions and capabilities per
configuration would be acceptable. Setting the permissions for all
devices that chronyd might ever need and allowing all the capabilities
would weaken the security.

> Would it be possible to enable running chrony as a non-privileged user?

Removing that check is easy. My concern is that it would lead to some
distributions switching their default service, which would either
break some features or give the chrony user too many privileges that
it doesn't usually need to have.

On systems where configuration is fixed, or can be modified only in a
small extent (e.g. change NTP servers), this would make more sense,
but I think the developers can patch that out if needed.

What do you suggest?

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-users] Chrony as non-root user (again)
  - From: Kevin

References:
- [chrony-users] Chrony as non-root user (again)
  - From: Kevin

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-users] Chrony as non-root user (again)
Next by Date: Re: [chrony-users] Chrony as non-root user (again)
Previous by thread: [chrony-users] Chrony as non-root user (again)
Next by thread: Re: [chrony-users] Chrony as non-root user (again)

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/