Re: [chrony-users] systemd service hardening


On Mon, Aug 30, 2021 at 01:30:51PM -0300, Kenny MacDermid wrote:
> Hello,
> Has there been any discussion around adding the systemd service
> hardening changes from the PR to NixOS available at:

I don't remember anyone submitting this change. I think it needs more
work to be accepted as the service example. I checked only a few of the
settings. For example, chronyd can also open PPS and PHC devices, not
just RTC. The RemoveIPC setting doesn't seem to do anything if started
as root. I'm not sure if the system call filter is better than what
chronyd already has, or if it makes sense to combine them. The
ReadWritePath setting might break existing configurations that write
to other paths and the man page says it relies on the process not
having the CAP_SYS_ADMIN capability.

Miroslav Lichvar
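
The four concerns raised in the reply above, expressed as a small review script. This is an added example, not code from the thread, the NixOS PR or the chrony project; the sample unit, the sample chrony.conf and the finding labels are constructed for illustration, and the CAP_SYS_ADMIN check is a simplification that looks only at CapabilityBoundingSet=.

```python
# Added example: review a unit's [Service] section against the reply's points.
WRITE_DIRECTIVES = ("driftfile", "logdir", "dumpdir")  # chrony.conf directives naming written paths
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/chronyd -F 1
DeviceAllow=char-rtc rw
RemoveIPC=yes
SystemCallFilter=@system-service
ReadWritePaths=/var/lib/chrony
"""  # constructed sample, not the unit from the PR
SAMPLE_CONF = "driftfile /var/lib/chrony/drift\nlogdir /var/log/chrony\n"  # constructed
def service_settings(unit_text):
    """Collect [Service] keys; systemd allows repeated keys, so keep a list per key."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).extend(value.split())
    return settings

def review(unit_text, chrony_conf=""):
    s, findings = service_settings(unit_text), []
    # 1. chronyd can open PPS (/dev/pps*) and PHC (/dev/ptp*) devices, not just the RTC.
    if "DeviceAllow" in s:
        allowed = " ".join(s["DeviceAllow"])
        findings += [f"device:{d}" for d in ("pps", "ptp") if d not in allowed]
    # 2. RemoveIPC= only acts when systemd itself sets User=, Group= or DynamicUser=.
    if "yes" in s.get("RemoveIPC", []) and not {"User", "Group", "DynamicUser"} & s.keys():
        findings.append("removeipc:no-effect")
    # 3. The unit's filter and chronyd's own filter (its -F option) would both be active.
    if "SystemCallFilter" in s and "-F" in s.get("ExecStart", []):
        findings.append("seccomp:two-filters")
    if "ReadWritePaths" in s:
        # 4a. Paths the existing chrony.conf writes to must be covered.
        roots = [p.lstrip("-+").rstrip("/") for p in s["ReadWritePaths"]]
        for line in chrony_conf.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] in WRITE_DIRECTIVES:
                if not any(parts[1] == r or parts[1].startswith(r + "/") for r in roots):
                    findings.append(f"unwritable:{parts[1]}")
        # 4b. Simplified: no bounding set keeps CAP_SYS_ADMIN; a "~" list is a deny-list.
        caps = " ".join(s.get("CapabilityBoundingSet", []))
        if not caps or ("CAP_SYS_ADMIN" in caps) != caps.startswith("~"):
            findings.append("readwritepaths:cap_sys_admin-kept")
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_UNIT, SAMPLE_CONF))
```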
