Re: [chrony-users] Perms on refclock socket



On Sun, Mar 17, 2024 at 04:06:48PM -0700, infection.many550@xxxxxxxxxxx wrote:
> is there any way to make the socket created for a SOCK instance
> have a bit looser permissions? Currently it is always root:root
> mode 0755 which means a non-root process can't connect to it :-(
> 
> Or maybe it is just the ambient umask in action? Can that be changed
> in the systemd bit for chrony?
> 
> I have written a driver process for a device and I'd much prefer
> not to have it running as root, at least for some time until I'm sure
> it's bug-free.

Normally you wouldn't want non-root users to be able to send chronyd
bogus refclock data in order to modify the system clock.

You could drop root privileges in your program after connecting to the
socket. That's what gpsd and ntp-refclock do for example.

If you really want to change the permissions or ownership of the
socket, you can do it in the chronyd systemd service file like this:

ExecStartPost=/usr/bin/chown user:root /var/run/chrony.refclock.sock

-- 
Miroslav Lichvar
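
The connect-then-drop approach suggested in the reply above, as an added example that is not part of the original thread and is not code from chrony, gpsd or ntp-refclock. The function names and the uid/gid 65534 are assumptions for illustration; the socket path is the one from the message.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect a datagram socket to the refclock socket; returns fd or -1. */
int connect_refclock(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path)
        return -1;
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to an unprivileged uid/gid; returns 0 or -1.
 * Order matters: supplementary groups, then gid, and uid last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;              /* refuse to "drop" to root */
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;              /* root could be regained: treat as fatal */
    return 0;
}

int main(void)
{
    /* Path from the thread; 65534 is a placeholder unprivileged account. */
    int fd = connect_refclock("/var/run/chrony.refclock.sock");
    if (fd < 0) { perror("connect"); return 1; }
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    /* From here on the driver sends samples on fd without root. */
    close(fd);
    return 0;
}
```

Any device node the driver needs root to open should also be opened before the call to drop_privileges, since the socket's root-only permissions are checked only at connect time.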

