Re: [chrony-users] ntpdata as normal user
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] ntpdata as normal user
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 30 Nov 2020 14:40:45 +0100
On Mon, Nov 30, 2020 at 01:45:24PM +0100, Kurt Roeckx wrote:
> On Mon, Nov 30, 2020 at 01:23:10PM +0100, Miroslav Lichvar wrote:
> > > I currently need to change the permission of both /run/chrony and
> > > /run/chrony/chronyd.sock to be able to access it from a non-root,
> > > non-_chrony user.
> >
> > Would it work if /var/run/chrony had permissions 0775 and the user was
> > in the chrony group?
>
> It's not just the directory, but also the socket itself that needs
> write permission for the group. I've previously tested that, and
> that works, probably until chrony is restarted.
I should have looked at the code first. The directory is already
created with the 0770 permissions and it doesn't change permissions of
the Unix socket.
I think you just need to change the umask in the systemd unit file for
chronyd. I vaguely remember doing that.
I personally prefer using sudo to give access only to specific chronyc
commands.
> > Maybe chronyc could have an option to specify the location of its
> > socket and let the user put it in a hidden directory where chronyd is
> > allowed to write? Too risky?
>
> I'm not sure if there is a safe way to create a socket in /tmp.
Yes, I suspect it would be tricky. There would be other issues with
/tmp, e.g. systemd service providing a private /tmp for chronyd.
--
Miroslav Lichvar
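The two approaches mentioned in the reply above (a group-writable socket via the service umask, or sudo limited to specific chronyc commands), as an added example that is not code from the chrony project or from the thread. It assumes the socket path /run/chrony/chronyd.sock, a daemon group named "chrony" (Debian uses "_chrony"), a hypothetical operator account "ntpmon", and that chronyd inherits the umask systemd sets for the unit.

```shell
#!/bin/sh
# Added example, not from chrony or this thread. Assumptions: socket is
# /run/chrony/chronyd.sock, daemon group is "chrony", operator account "ntpmon"
# is hypothetical, and chronyd keeps the umask inherited from systemd.

# Option 1 (umask): a drop-in with UMask=0007 makes the socket chronyd binds
# group-writable, so members of the chrony group can use chronyc directly.
# $1 = root to stage files under ("" for the live system).
write_umask_dropin() {
    dir="$1/etc/systemd/system/chronyd.service.d"
    mkdir -p "$dir"
    cat > "$dir/umask.conf" <<'EOF'
[Service]
# 0007 keeps rw for owner and group on the socket, nothing for others
UMask=0007
EOF
    echo "$dir/umask.conf"
}

# Option 2 (sudo, preferred in the reply): allow only specific read-only
# chronyc subcommands instead of opening the socket to a whole group.
write_sudoers_rule() {
    dir="$1/etc/sudoers.d"
    mkdir -p "$dir"
    cat > "$dir/chronyc-readonly" <<'EOF'
# "ntpmon" is a hypothetical monitoring account; both subcommands are read-only
ntpmon ALL=(root) NOPASSWD: /usr/bin/chronyc ntpdata, /usr/bin/chronyc tracking
EOF
    chmod 0440 "$dir/chronyc-readonly"
    echo "$dir/chronyc-readonly"
}

# Mode a Unix socket gets at bind(): 0777 & ~umask (chronyd does not chmod it).
# With systemd's default 022 the group cannot write; 0007 yields 0770.
expected_socket_mode() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

if [ "${1:-}" = install ]; then
    write_umask_dropin ""
    write_sudoers_rule ""
    systemctl daemon-reload && systemctl restart chronyd
    ls -l /run/chrony/chronyd.sock   # expect srw-rw---- with group chrony
fi
```

Run with `install` on the real host to apply both files; without arguments it only defines the functions, so you can stage into a scratch root first.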