Re: [chrony-users] ntpdata as normal user



On Mon, Nov 30, 2020 at 01:45:24PM +0100, Kurt Roeckx wrote:
> On Mon, Nov 30, 2020 at 01:23:10PM +0100, Miroslav Lichvar wrote:
> > > I currently need to change the permission of both /run/chrony and
> > > /run/chrony/chronyd.sock to be able to access it from a non-root,
> > > non-_chrony user.
> > 
> > Would it work if /var/run/chrony had permissions 0775 and the user was
> > in the chrony group?
> 
> It's not just the directory, but also the socket itself that needs
> write permission for the group. I've previously tested that, and
> that works, probably until chrony is restarted.

I should have looked at the code first. The directory is already
created with the 0770 permissions and it doesn't change permissions of
the Unix socket.

I think you just need to change the umask in the systemd unit file for
chronyd. I vaguely remember doing that.

I personally prefer using sudo to give access only to specific chronyc
commands.

> > Maybe chronyc could have an option to specify the location of its
> > socket and let the user put it in a hidden directory where chronyd is
> > allowed to write? Too risky?
> 
> I'm not sure if there is a safe way to create a socket in /tmp.

Yes, I suspect it would be tricky. There would be other issues with
/tmp, e.g. systemd service providing a private /tmp for chronyd.

-- 
Miroslav Lichvar
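
Added example, not part of the original message and not chrony's code: on Linux, a Unix socket file created by bind() gets mode 0777 masked by the process umask, which is why the umask decides whether a group member can write to a socket the daemon never chmods. The temporary directory, the umask values 0o022 and 0o007, and the helper names are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(umask: int) -> int:
    """Bind a Unix datagram socket under `umask`; return its permission bits."""
    with tempfile.TemporaryDirectory() as base:
        run_dir = os.path.join(base, "chrony")  # stand-in for /run/chrony
        os.mkdir(run_dir)
        os.chmod(run_dir, 0o770)                # directory mode named in the message
        path = os.path.join(run_dir, "chronyd.sock")
        old = os.umask(umask)
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
                s.bind(path)                    # no chmod afterwards, as in the message
                return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.umask(old)                       # always restore the caller's umask


def group_can_use(dir_mode: int, sock_mode: int) -> bool:
    """True if a group member can reach and write to the socket.

    Assumption: the client also binds its own socket in the same directory,
    so it needs write as well as search permission on the directory.
    """
    need_dir = stat.S_IWGRP | stat.S_IXGRP
    return (dir_mode & need_dir) == need_dir and bool(sock_mode & stat.S_IWGRP)


if __name__ == "__main__":
    for umask in (0o022, 0o007):                # constructed sample values
        mode = socket_mode_under_umask(umask)
        print(f"umask {umask:04o}: socket mode {mode:04o}, "
              f"group access: {group_can_use(0o770, mode)}")
```

In a systemd unit the service's umask is set with the `UMask=` directive.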

