On Thu, Sep 13, 2018 at 08:28:42AM +0000, Daniel Bechter wrote: > Hey guys > > My original plan was to run chronyd as an unprivileged user, manually > assigning the required capabilities (CAP_SYS_TIME as I only run it as client) > via setcap command. Chronyd however complained about not being executed as > superuser. Is there any way to run chronyd as unprivileged user from the > beginning or are there any ambitions to change the behaviour?
There was a discussion related to this some time ago: https://www.mail-archive.com/[email protected]/msg01731.html Even when running as a client only, chronyd may need root permissions to open some devices (e.g. /dev/ptp*, /dev/rtc*), create directories (/var/run/chrony), or enable HW timestamping. > Next thing I tried was to run chronyd with the SUID bit set: > > chown root:time /usr/sbin/chronyd > chmod 4770 /usr/sbin/chronyd > > Chronyd still complained about not being executed as superuser though. So I > looked into the code and made a change to check for the effective UID rather > than the real one, see attached patch (on top of 3.3). Everything was fine > afterwards. Any chance to get that mainline? No, chronyd doesn't support SUID. It wouldn't be secure. Users could remove any file on the filesystem using the 'refclock SOCK /file' directive and probably do other bad things. It might be better to configure sudo to allow trusted users to start chronyd. If that's not possible, I guess you could get around that UID check with the fakeroot utility. If you describe your use case, someone may have a better suggestion. -- Miroslav Lichvar -- To unsubscribe email [email protected] with "unsubscribe" in the subject. For help email [email protected] with "help" in the subject. Trouble? Email [email protected].
