[chrony-users] ntpdata as normal user



Hi,

I'm trying to generate graphs of the peers, and I would like to
use the ntpdata command to get to the variables. But it seems that
for some reason I'm unable to get to that data as a normal user.

The manpage says:
| Only the following monitoring commands, which do not affect the
| behaviour of chronyd, are allowed from the
| network: activity, manual list, rtcdata, smoothing, sourcename,
| sources, sourcestats, tracking, waitsync. The set of hosts from
| which chronyd will accept these commands can be configured with
| the cmdallow directive in the chronyd’s configuration file or the
| cmdallow command in chronyc. By default, the commands are
| accepted only from localhost (127.0.0.1 or ::1).

| All other commands are allowed only through the Unix domain
| socket. When sent over the network, chronyd will respond with a
| ‘Not authorised’ error, even if it is from localhost.

So it seems that by design, ntpdata can't be used over a localhost
connection, nor can you give permission to do it.

I currently can't see a reason why ntpdata can't be accessed,
while sources and sourcestats can.

The permissions for the socket look like:
drwxr-x---  2 _chrony _chrony  80 Nov 30 11:02 /run/chrony
srwxr-xr-x  1 _chrony _chrony   0 Nov 29 21:27 /run/chrony/chronyd.sock

So it's not even possible to connect to that socket if you put
a user in the group.

Even if you change the permissions of the socket file, chronyc
will not be able to connect to it, because it does:
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
unlink("/run/chrony/chronyc.8480.sock") = -1 ENOENT (No such file or directory)
bind(3, {sa_family=AF_UNIX, sun_path="/run/chrony/chronyc.8480.sock"}, 110) = -1 EACCES (Permission denied)
getsockname(3, {sa_family=AF_UNIX}, [112->2]) = 0
close(3)                                = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(323), sin_addr=inet_addr("127.0.0.1")}, 16) = 0

That is, chronyc seems to want to bind to a unix domain socket
and put it in /run/chrony/. I don't see a reason to call bind(),
nor a reason to want to put another named socket in
/run/chrony/. It should just call connect().
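As an added illustration (not part of Kurt's message or of chrony's own code), the script below shows what the bind() in the strace above is for: with SOCK_DGRAM there is no connection, so the server can only answer through the sender address that recvfrom() reports, and an unbound Unix datagram client has no such address. The second function reproduces the EACCES from the trace by binding inside a directory the process cannot write to; all paths are constructed under a temporary directory and no real chronyd is involved.

```python
import errno
import os
import socket
import tempfile

# root bypasses directory permission bits, so EACCES is only expected unprivileged
EXPECT_EACCES = os.geteuid() != 0


def round_trip(bind_client, reply=b"ack"):
    """One datagram request/reply over a constructed stand-in for chronyd.sock.
    Returns the reply, or None when the server has nothing to sendto() because
    the client never bound a path (no connection, so no other return route)."""
    workdir = tempfile.mkdtemp(prefix="chrony-demo-")       # stand-in for /run/chrony
    server_path = os.path.join(workdir, "chronyd.sock")
    client_path = os.path.join(workdir, "chronyc.%d.sock" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.settimeout(2)
    cli.settimeout(2)
    try:
        srv.bind(server_path)
        if bind_client:
            cli.bind(client_path)            # the bind() seen in the strace
        cli.sendto(b"request", server_path)  # sending needs no local address
        data, peer = srv.recvfrom(4096)
        if not peer:                         # unbound sender: no reply address
            return None
        srv.sendto(reply, peer)
        return cli.recv(4096)
    finally:
        srv.close()
        cli.close()
        for path in (server_path, client_path):
            if os.path.exists(path):
                os.unlink(path)
        os.rmdir(workdir)


def bind_in_unwritable_dir():
    """Bind a client socket in a directory without write permission, as a user
    outside the _chrony group would under /run/chrony (mode 0750)."""
    workdir = tempfile.mkdtemp(prefix="chrony-demo-")
    os.chmod(workdir, 0o500)                 # r-x: creating the socket file fails
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.bind(os.path.join(workdir, "chronyc.sock"))
        return "ok"
    except PermissionError as exc:
        return errno.errorcode[exc.errno]    # "EACCES", matching the strace
    finally:
        sock.close()
        os.chmod(workdir, 0o700)
        for name in os.listdir(workdir):
            os.unlink(os.path.join(workdir, name))
        os.rmdir(workdir)
```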

I currently need to change the permission of both /run/chrony and
/run/chrony/chronyd.sock to be able to access it from a non-root,
non-_chrony user.


Kurt

