Bug#1013882: fails to read certificates not "directly" readable by _chrony user

2022-06-26 Thread Vincent Blut
Hi Daniel,

Le 2022-06-26 17:45, Daniel Baumann a écrit :
> Package: chrony
> Version: 4.2-2
> 
> Hi,
> 
> thank you for maintaining chrony in Debian.

You're welcome! :-)
 
> When configuring NTS and using letsencrypt, I'd like to have the
> certificates owned by root:ssl-cert with directory permissions set to
> 0750 and file permissions set to 0640.
> 
> For every other daemon used so far, that works perfectly fine when
> putting the daemon user to the ssl-cert group.
> 
> However, with chrony, this does not work. I confirmed that _chrony can
> read the files. Anything but having the files/directories-along-the-path
> either world-readable or readable by _chrony directly does not work.
> 
> It would be nice if this could be fixed, looking at the sources I don't
> see anything obvious that would make it fail though.
> 
> Let me know if you need more information to reproduce it.

The behavior you are describing here is expected. chronyd reads the
certificates and private keys after dropping root privileges. Consequently,
those files need to be readable by the user under which chronyd is running.
 
> Regards,
> Daniel

Cheers,
Vincent


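An added example to go with Vincent's explanation above; it is not part of this thread, of chrony, or of Debian's packaging. Since chronyd opens the NTS certificate and key after it has dropped to its service user, every directory on the path needs search (x) permission for that user and the file itself needs read (r). The script below walks a path component by component and reports the first one that denies a given uid/gid set, then rebuilds the layout from the report (directories 0750, files 0640, owned by the current user) in a temporary tree and evaluates it for a constructed daemon identity that is and is not a member of the owning group. The path names, the placeholder certificate content and the daemon uid are constructed for the demo. Only classic owner/group/other bits are evaluated; POSIX ACLs, capabilities, SELinux/AppArmor and systemd sandboxing are outside this check.

```python
import os
import shutil
import stat
import tempfile


def _perm_bits(st: os.stat_result, uid: int, gids: set) -> tuple:
    """Return (can_read, can_search) from the mode triple that applies to uid/gids.

    Classic DAC only: the owner triple if uid owns the entry, the group
    triple if the entry's group is in gids, otherwise the "other" triple.
    """
    if uid == 0:
        # Root bypasses DAC checks for read and directory search.
        return True, True
    if st.st_uid == uid:
        shift = 6  # owner triple
    elif st.st_gid in gids:
        shift = 3  # group triple
    else:
        shift = 0  # other triple
    mode = st.st_mode
    return bool(mode & (stat.S_IROTH << shift)), bool(mode & (stat.S_IXOTH << shift))


def explain_read_access(path: str, uid: int, gids: set, start: str = os.sep) -> tuple:
    """Walk from `start` down to `path` and report the first component that
    denies uid/gids. Returns (ok, message).

    Every intermediate directory needs search (x) permission; the final entry
    needs read (r). `start` is assumed to be reachable by the identity already.
    """
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    prefix = start.rstrip(os.sep) + os.sep
    if path != start and not path.startswith(prefix):
        raise ValueError(f"{path} is not below {start}")
    rel = os.path.relpath(path, start)
    comps = [] if rel == os.curdir else rel.split(os.sep)
    cur = start
    for i, comp in enumerate(comps):
        cur = os.path.join(cur, comp)
        st = os.stat(cur)  # follows symlinks, as open(2) would
        can_read, can_search = _perm_bits(st, uid, gids)
        where = f"{cur} (mode {oct(st.st_mode & 0o7777)}, owner {st.st_uid}:{st.st_gid})"
        last = i == len(comps) - 1
        if not last:
            if not can_search:
                return False, f"blocked: no search (x) permission on {where} for uid {uid}"
        elif not can_read:
            return False, f"blocked: no read (r) permission on {where} for uid {uid}"
    return True, f"ok: {path} is readable by uid {uid} with groups {sorted(gids)}"


def demo() -> tuple:
    """Rebuild the reported layout (dirs 0750, files 0640) in a temp tree owned
    by the current user and evaluate it for a constructed daemon identity that
    is not the owner, once inside the owning group and once outside it."""
    base = tempfile.mkdtemp()
    try:
        live = os.path.join(base, "live")  # constructed path, not from the report
        cert_dir = os.path.join(live, "example.test")
        os.makedirs(cert_dir)
        cert = os.path.join(cert_dir, "fullchain.pem")
        with open(cert, "w") as fh:
            fh.write("constructed placeholder, not a real certificate\n")
        for d in (live, cert_dir):
            os.chmod(d, 0o750)
        os.chmod(cert, 0o640)
        st = os.stat(cert)
        daemon_uid = st.st_uid + 1  # constructed uid that is not the file owner
        with_group = explain_read_access(cert, daemon_uid, {st.st_gid}, start=base)
        without_group = explain_read_access(cert, daemon_uid, set(), start=base)
        return with_group, without_group
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for ok, msg in demo():
        print(msg)
```

Run against a real deployment with the service user's uid and supplementary groups (for example the output of `id -u` and `id -G` for that account) and the path of the certificate; the first "blocked" line names the directory or file whose mode bits stop the service user, which is the check to make before looking for other causes.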


Bug#1013882: fails to read certificates not "directly" readable by _chrony user

2022-06-26 Thread Daniel Baumann
Package: chrony
Version: 4.2-2

Hi,

thank you for maintaining chrony in Debian.

When configuring NTS and using letsencrypt, I'd like to have the
certificates owned by root:ssl-cert with directory permissions set to
0750 and file permissions set to 0640.

For every other daemon used so far, that works perfectly fine when
putting the daemon user to the ssl-cert group.

However, with chrony, this does not work. I confirmed that _chrony can
read the files. Anything but having the files/directories-along-the-path
either world-readable or readable by _chrony directly does not work.

It would be nice if this could be fixed, looking at the sources I don't
see anything obvious that would make it fail though.

Let me know if you need more information to reproduce it.

Regards,
Daniel