Re: [chrony-users] systemd service hardening
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] systemd service hardening
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 31 Aug 2021 09:55:02 +0200
On Mon, Aug 30, 2021 at 01:30:51PM -0300, Kenny MacDermid wrote:
> Hello,
>
> Has there been any discussion around adding the systemd service
> hardening changes from the PR to NixOS available at:
>
> https://github.com/NixOS/nixpkgs/pull/104944
I don't remember anyone submitting this change. I think it needs more
work to be accepted as the service example. I checked only a few of the
settings. For example, chronyd can also open PPS and PHC devices, not
just RTC. The RemoveIPC setting doesn't seem to do anything if started
as root. I'm not sure if the system call filter is better than what
chronyd already has, or if it makes sense to combine them. The
ReadWritePath setting might break existing configurations that write
to other paths and the man page says it relies on the process not
having the CAP_SYS_ADMIN capability.
--
Miroslav Lichvar
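A systemd drop-in sketch, added here as an example (it is neither the NixOS PR's unit nor chrony's own service file), showing the RTC-only device allow-list next to one that also covers the PPS and PHC devices mentioned in the reply, and the ReadWritePaths / CAP_SYS_ADMIN pairing from systemd.exec(5). The device node names, the drop-in path and the /var/lib/chrony, /var/log/chrony and /run/chrony directories are assumptions to be adjusted to the local chrony.conf.

```ini
# Assumed path: /etc/systemd/system/chronyd.service.d/hardening.conf
# Added example; not the NixOS PR's unit and not chrony's own service file.
[Service]
# Device access. An RTC-only allow-list would be just:
#   DeviceAllow=/dev/rtc0 rw
# but chronyd may also open PPS and PHC devices (refclock PPS / PHC),
# so all three need entries. Node names are assumptions; add further
# instances (rtc1, pps1, ptp1, ...) as present on the host.
DeviceAllow=/dev/rtc0 rw
DeviceAllow=/dev/pps0 rw
DeviceAllow=/dev/ptp0 rw
# PrivateDevices=yes would hide these nodes entirely, so keep it off on
# hosts that use hardware reference clocks.
PrivateDevices=no

# Writable paths. With ProtectSystem=strict everything outside /dev,
# /proc and /sys is read-only, so list every directory named in
# chrony.conf (driftfile, logdir, dumpdir, ...) plus the runtime
# directory; the paths below are assumptions.
ProtectSystem=strict
ReadWritePaths=/var/lib/chrony /var/log/chrony /run/chrony
# systemd.exec(5) notes that the read-only mapping can be undone by a
# process that still holds CAP_SYS_ADMIN, so drop it from the bounding
# set. CAP_SYS_TIME stays, as chronyd needs it to adjust the clock.
CapabilityBoundingSet=~CAP_SYS_ADMIN

# RemoveIPC only has an effect when User=/Group=/DynamicUser= is set;
# with chronyd started as root it is a no-op, hence left commented out.
#RemoveIPC=yes
```

After installing the drop-in, `systemctl daemon-reload` followed by `systemd-analyze security chronyd.service` shows which of these settings systemd considers applied.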