[chrony-users] Re: Perms on refclock socket



On Mon, Mar 18, 2024 at 09:15:57AM +0100, Miroslav Lichvar wrote:

> Normally you wouldn't want non-root users to be able to send chronyd
> bogus refclock data in order to modify the system clock.

If an attacker can assume the identity of this account, I have *much*
bigger problems than that.

> If you really want to change the permissions or ownership of the
> socket, you can do it in the chronyd systemd service file like this

> ExecStartPost=/usr/bin/chown user:root /var/run/chrony.refclock.sock

Thanks. I'll probably use a dedicated group instead, but the idea is
perfect.

-- 
Ian
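
Added example, not part of the original message or of chrony: a shell check an administrator could run after the ExecStartPost change to confirm the refclock socket has the intended owner and group and grants nothing to other users. The group name "refclock" in the usage comment and the ALLOW_NON_SOCKET switch are assumptions for illustration; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: audit owner, group and mode of chronyd's refclock socket.

# mode_is_safe MODE
# MODE is the octal string printed by `stat -c %a` (e.g. 660).
# Succeeds only when the "other" permission bits are all clear.
mode_is_safe() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;   # not an octal mode string
    esac
    [ $(( 0$1 & 007 )) -eq 0 ]
}

# check_refclock_sock PATH OWNER GROUP
# Returns 0 when PATH is a socket owned by OWNER:GROUP with no access for
# other users; prints each mismatch to stderr and returns 1 otherwise.
# ALLOW_NON_SOCKET=1 (assumption, for dry runs on a regular file) skips the
# file-type check.
check_refclock_sock() {
    sock=$1 want_owner=$2 want_group=$3 rc=0
    if [ ! -e "$sock" ]; then
        echo "FAIL: $sock does not exist" >&2
        return 1
    fi
    if [ "${ALLOW_NON_SOCKET:-0}" != 1 ] && [ ! -S "$sock" ]; then
        echo "FAIL: $sock is not a socket" >&2
        return 1
    fi
    # GNU stat: owner name, group name, octal mode
    set -- $(stat -c '%U %G %a' "$sock")
    [ "$1" = "$want_owner" ] || { echo "FAIL: owner $1, expected $want_owner" >&2; rc=1; }
    [ "$2" = "$want_group" ] || { echo "FAIL: group $2, expected $want_group" >&2; rc=1; }
    mode_is_safe "$3" || { echo "FAIL: mode $3 grants access to other users" >&2; rc=1; }
    return $rc
}

# Usage (socket path from the thread; "refclock" is a hypothetical group):
#   check_refclock_sock /var/run/chrony.refclock.sock root refclock
```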
