On Mon, Nov 30, 2020 at 01:45:24PM +0100, Kurt Roeckx wrote:
> On Mon, Nov 30, 2020 at 01:23:10PM +0100, Miroslav Lichvar wrote:
> > > I currently need to change the permission of both /run/chrony and
> > > /run/chrony/chronyd.sock to be able to access it from a non-root,
> > > non-_chrony user.
> >
> > Would it work if /var/run/chrony had permissions 0775 and the user was
> > in the chrony group?
>
> It's not just the directory, but also the socket itself that needs
> write permission for the group. I've previously tested that, and
> that works, probably until chrony is restarted.
I should have looked at the code first. The directory is already created
with the 0770 permissions and it doesn't change permissions of the Unix
socket. I think you just need to change the umask in the systemd unit
file for chronyd. I vaguely remember doing that.

I personally prefer using sudo to give access only to specific chronyc
commands.

> > Maybe chronyc could have an option to specify the location of its
> > socket and let the user put it in a hidden directory where chronyd is
> > allowed to write? Too risky?
>
> I'm not sure if there is a safe way to create a socket in /tmp.

Yes, I suspect it would be tricky. There would be other issues with /tmp,
e.g. systemd service providing a private /tmp for chronyd.

-- 
Miroslav Lichvar
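An added worked example of the umask point in the reply above (written for this edit; it is neither chrony's code nor anything Miroslav posted). It binds a throwaway AF_UNIX socket under two umasks to show why the socket ends up without group write under a default umask and gains it under `UMask=0007`, and then lists what a chrony-group member still lacks against the directory mode the thread states (0770). Assumptions: `bind()` creates the socket file as 0777 masked by the process umask (standard Linux behaviour), chronyd never chmods the socket (as stated above), and the drop-in file path is a plausible placeholder, not one from the thread.

```python
"""How the process umask decides the mode of chronyd's Unix socket, and
what a member of the chrony group still lacks afterwards.

Added example for this thread, not code from chrony. Assumptions:
  * chronyd creates its socket directory with mode 0770 and never chmods
    the socket (as stated in the thread);
  * bind() on an AF_UNIX socket creates the file as 0777 & ~umask, the
    standard Linux behaviour, so a systemd UMask= line fixes the mode;
  * the drop-in path below is an assumed location, not one from the thread.
"""
import os
import socket
import stat
import tempfile

# Assumed drop-in; only the unit name (chronyd) and the idea of changing
# the umask come from the thread. UMask= is a real systemd directive.
SYSTEMD_DROPIN = """\
# /etc/systemd/system/chronyd.service.d/umask.conf  (assumed path)
[Service]
UMask=0007
"""


def socket_mode_under_umask(umask):
    """Mode bind() gives a fresh AF_UNIX socket: 0777 masked by the umask."""
    return 0o777 & ~umask


def _bind_and_stat(directory, umask):
    """Bind a datagram socket in `directory` under `umask`, return its mode."""
    path = os.path.join(directory, "demo.sock")
    old = os.umask(umask)  # what UMask= does for chronyd, but just for us
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            s.bind(path)
        finally:
            s.close()
    finally:
        os.umask(old)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    return mode


def create_socket_with_umask(umask, directory=None):
    """Return the real mode bits of a socket bound under `umask`.

    Uses a temporary directory when none is given, so it runs anywhere.
    """
    if directory is not None:
        return _bind_and_stat(directory, umask)
    with tempfile.TemporaryDirectory() as tmp:
        return _bind_and_stat(tmp, umask)


def missing_for_group_client(dir_mode, sock_mode):
    """Bits a chrony-group member still lacks, per the thread: group search
    and write on the directory, group write on the socket itself."""
    missing = []
    if not dir_mode & stat.S_IXGRP:
        missing.append("directory: group search (x)")
    if not dir_mode & stat.S_IWGRP:
        missing.append("directory: group write (w)")
    if not sock_mode & stat.S_IWGRP:
        missing.append("socket: group write (w)")
    return missing


def main():
    dir_mode = 0o770  # what chronyd creates, per the thread
    for umask in (0o022, 0o007):  # typical default, then the drop-in value
        sock_mode = create_socket_with_umask(umask)
        gaps = missing_for_group_client(dir_mode, sock_mode) or ["nothing"]
        print(f"umask {umask:04o}: socket mode {sock_mode:04o}, "
              f"group member missing: {', '.join(gaps)}")
    print("Drop-in to try:\n" + SYSTEMD_DROPIN)


if __name__ == "__main__":
    main()
```

Run it as an unprivileged user; it never touches /run/chrony. With the default umask 0022 the socket comes out 0755 and the only gap is group write on the socket, which matches Kurt's observation; with 0007 it comes out 0770 and nothing is missing. Since the mode is set at `bind()` time, a manual `chmod` on the socket lasts only until chronyd restarts, whereas the umask change survives restarts.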
