Re: [chrony-users] Regarding socket permissions



> The code above sets permissions of /var/run/chrony/chronyc.$PID.sock,
> so chronyd running under the chrony user can respond to chronyc
> running as root. The refclock socket is not related to that.
Huh, I see you're right about that. I found the correct lines in `refclock_sock.c`, where the permissions aren't changed.

I suppose that's it then: the permissions aren't changed, therefore access will be restricted since it's owned by root. Do you think there's any workaround? Or any interest from others to set the sock with the same 666 permissions, i.e. such that I could PR this?

Best regards,
Morten

On Tue, Mar 14, 2023 at 8:14 AM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Mon, Mar 13, 2023 at 06:47:23PM +0100, Morten Nissov wrote:
> /* Allow server without root privileges to send replies to our socket */
> if (chmod(sa_un.sun_path, 0666) < 0) {
>   DEBUG_LOG("Could not change socket permissions : %s", strerror(errno));
>   return 0;
> }
> in client.c.
>
> Looking at the permissions for chrony.ttyACM0.sock this doesn't seem right,
> no? AFAIK 666 permissions should be *srwxr-rw-rw* and here it is
> *srwxr-xr-x* instead.

The code above sets permissions of /var/run/chrony/chronyc.$PID.sock,
so chronyd running under the chrony user can respond to chronyc
running as root. The refclock socket is not related to that.

--
Miroslav Lichvar
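
Added example, not part of the thread and not chrony's code: a small C program showing why a bound AF_UNIX socket file keeps umask-derived permissions unless chmod() is called on its path, as the quoted client.c snippet does. On Linux the file is created with mode 0777 & ~umask, so a umask of 022 gives the srwxr-xr-x listed above; the function name socket_mode, the scratch directory and demo.sock are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE /* for mkdtemp() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a datagram socket in a fresh temp dir under the given umask.
   If new_mode >= 0, chmod the socket path afterwards (the step client.c
   performs). Returns the resulting permission bits, or -1 on error. */
int socket_mode(mode_t mask, int new_mode)
{
  char dir[] = "/tmp/sockdemo.XXXXXX";  /* hypothetical scratch location */
  struct sockaddr_un sa_un;
  struct stat st;
  int fd, result = -1;
  mode_t old_mask;

  if (!mkdtemp(dir)) return -1;

  memset(&sa_un, 0, sizeof (sa_un));
  sa_un.sun_family = AF_UNIX;
  snprintf(sa_un.sun_path, sizeof (sa_un.sun_path), "%s/demo.sock", dir);

  fd = socket(AF_UNIX, SOCK_DGRAM, 0);
  old_mask = umask(mask);               /* bind() applies this to the file */
  if (fd >= 0 && bind(fd, (struct sockaddr *)&sa_un, sizeof (sa_un)) == 0 &&
      (new_mode < 0 || chmod(sa_un.sun_path, (mode_t)new_mode) == 0) &&
      stat(sa_un.sun_path, &st) == 0)
    result = st.st_mode & 0777;
  umask(old_mask);

  if (fd >= 0) close(fd);
  unlink(sa_un.sun_path);
  rmdir(dir);
  return result;
}

int main(void)
{
  printf("umask 022, no chmod:   %04o\n", socket_mode(022, -1));
  printf("umask 022, chmod 0666: %04o\n", socket_mode(022, 0666));
  printf("umask 077, no chmod:   %04o\n", socket_mode(077, -1));
  return 0;
}
```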

