Hi, On 2020-04-28T10:26+0200, Miroslav Lichvar wrote:
On Mon, Apr 27, 2020 at 10:12:59PM +0200, Vincent Blut wrote:$ getfacl /run/chrony 2>/dev/null # file: run/chrony # owner: _chrony # group: _chrony user::rwx group::r-x other::---Nonetheless, from a security point of view, would it not be better to change the group ownership to root and set the permissions to 770?Maybe. I don't know. I what case it would make a difference?
I'm sorry I didn't get back to you sooner.Well, by bypassing discretionary access control with CAP_DAC_OVERRIDE, we probably give even more privileges to root until chronyd switches to the configured unprivileged system user while this could be avoided by setting the correct Unix permissions. There is a nice blog post¹ about this from an SELinux member.
Cheers, Vincent ¹ https://danwalsh.livejournal.com/79643.html
signature.asc
Description: PGP signature
