On Sat, Apr 25, 2015 at 07:26:53AM -0700, Bill Unruh wrote:
> Of course, there is also the issue of unprivileged people being given
> permission to control and administer chrony. While sudo is a possibility, it
> potentially does open up a local attack vector in which chronyc could be used
> for privilege escalation.

That is a good point. If we force the users to ssh+sudo, we should make sure the command parsing is good enough to not allow arbitrary code execution via crafted commands. The cmdmon code has been reviewed a couple of times already now, but I'm not sure if there was any thorough review of the chronyc code.

Also, it might be a good idea to create the chronyd command socket with permissions of the user to which the root permissions are dropped, so it's not necessary to run chronyc under root in order to connect to chronyd.

--
Miroslav Lichvar