[chrony-users] Run chronyd as unprivileged user

Miroslav Lichvar

2018-09-13 09:43:50 UTC

Post by Daniel Bechter
Hey guys
My original plan was to run chronyd as an unprivileged user, manually assigning the required capabilities (CAP_SYS_TIME as I only run it as client) via setcap command. Chronyd however complained about not being executed as superuser. Is there any way to run chronyd as unprivileged user from the beginning or are there any ambitions to change the behaviour?

There was a discussion related to this some time ago:
https://www.mail-archive.com/chrony-***@chrony.tuxfamily.org/msg01731.html

Even when running as a client only, chronyd may need root permissions
to open some devices (e.g. /dev/ptp*, /dev/rtc*), create directories
(/var/run/chrony), or enable HW timestamping.

Post by Daniel Bechter
chown root:time /usr/sbin/chronyd
chmod 4770 /usr/sbin/chronyd
Chronyd still complained about not being executed as superuser though. So I looked into the code and made a change to check for the effective UID rather than the real one, see attached patch (on top of 3.3). Everything was fine afterwards. Any chance to get that mainline?

No, chronyd doesn't support SUID. It wouldn't be secure. Users could
remove any file on the filesystem using the 'refclock SOCK /file'
directive and probably do other bad things.

It might be better to configure sudo to allow trusted users to start
chronyd. If that's not possible, I guess you could get around that UID
check with the fakeroot utility.

If you describe your use case, someone may have a better suggestion.

--
Miroslav Lichvar
--
To unsubscribe email chrony-users-***@chrony.tuxfamily.org
with "unsubscribe" in the subject.
For help email chrony-users-***@chrony.tuxfamily.org
with "help" in the subject.
Trouble? Email ***@chrony.tuxfamily.org.