Re: [chrony-users] Chrony as non-root user (again)



On Mon, Sep 14, 2020 at 07:59:23PM -0400, Kevin wrote:
> As for breaking features I don't think this will be a major concern as the
> failure will be obvious. As I understand it after reading the config chrony
> opens all of the files it needs (before dropping privileges) so it would be
> easy to produce an obvious error "Can not access $thing, your admin or
> package maintainer has made a mistake, do not report this issue to chrony
> developers."

Some failures due to missing permissions are currently silent. An
instance I found is with 'hwtimestamp *'. I can fix that, but there
may be others.

> Of course it isn't easy to detect the case where more than what is required
> has been opened up. However possibly with suitable documentation this is not
> a major issue?

Do you think the following description of the option would be
sufficient?

*-U*::
This option disables a check for root privileges to allow *chronyd* to
be started under a non-root user, assuming the process will have all
capabilities (e.g. provided by the service manager) and access to all
files, directories, and devices, needed to operate correctly in the
specified configuration. Note that different capabilities might be
needed with different configurations and different Linux kernel
versions. Starting *chronyd* under a non-root user is not recommended
when the configuration is not known, or at least limited to specific
directives.

-- 
Miroslav Lichvar
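
A pre-flight check of the kind the silent-failure concern above points to, as an added example that is not part of the original message or of chrony's code: it reports every missing capability or inaccessible path before a non-root start. The required capability set, the paths and the sample status text are assumptions constructed for illustration.

```python
import os

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_TIME": 25,
}

# Assumed requirements for one hypothetical configuration; the real set
# depends on the directives in use and on the kernel version.
NEEDED_CAPS = ["CAP_SYS_TIME", "CAP_NET_BIND_SERVICE", "CAP_NET_ADMIN"]
NEEDED_PATHS = [("/dev/ptp0", os.R_OK), ("/path/to/driftfile", os.W_OK)]  # placeholders

# Constructed sample of /proc/<pid>/status: only bits 10 and 25 are set.
SAMPLE_STATUS = "Name:\tchronyd\nCapPrm:\t0000000002000400\nCapEff:\t0000000002000400\n"


def effective_caps(status_text):
    """Return the CapEff bit mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def preflight(status_text, needed_caps, needed_paths, can_access=os.access):
    """List every missing capability and inaccessible path, so nothing fails silently."""
    mask = effective_caps(status_text)
    problems = []
    for cap in needed_caps:
        if not (mask >> CAP_BITS[cap]) & 1:
            problems.append(f"missing capability {cap}")
    for path, mode in needed_paths:
        if not can_access(path, mode):
            problems.append(f"cannot access {path}")
    return problems


if __name__ == "__main__":
    # On a live system, pass open("/proc/self/status").read() instead of the sample.
    for problem in preflight(SAMPLE_STATUS, NEEDED_CAPS, NEEDED_PATHS):
        print("ERROR:", problem)
```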

