Yo Hal! On Wed, 09 Jul 2025 18:37:27 -0700 Hal Murray <[email protected]> wrote:
> > You can do that now, a few distros even do that. Except, as James
> > pointed out, it is chronyd/ntpd that creates the UNIX socket.
>
> That seems backwards to me. I think of gpsd as a server that can
> support multiple clients. Normally, the client makes the connection
> to the server.
Agreed, on many levels, but that is what chronyd came up with.
> > How does that solve the problem of ntpd/chronyd knowing it is
> > connected to a true gpsd server? Root or non-root?
>
> ntpd/chronyd would be trusting the admin to set things up right.
Hohoho! Best joke all day!
I fail to see how any of this adds trust. To me, running as non-root
is removing trust from the admin (root) and moving it to the (l)user.
> If the file protection works as I expect, then a random hacker with a
> shell account on that system can't sneak in and grab the connection
> when gpsd or ntpd/chronyd is getting restarted.
Except all this mucking around with groups, setguid, run-as-user, etc,
makes it more likely, not less, that a random hacker with a shell
account can take over the system.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
[email protected] Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
pgpolYWtElHkS.pgp
Description: OpenPGP digital signature
