From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1k15KX-00015L-PV for ptxdist@pengutronix.de; Thu, 30 Jul 2020 11:58:29 +0200
Received: from mol by dude02.hi.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1k15KX-0008Nj-HQ for ptxdist@pengutronix.de; Thu, 30 Jul 2020 11:58:29 +0200
Date: Thu, 30 Jul 2020 11:58:29 +0200
From: Michael Olbrich
Message-ID: <20200730095829.GF30568@pengutronix.de>
References: <20200724154843.5552-1-bruno.thomsen@gmail.com> <20200724154843.5552-5-bruno.thomsen@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20200724154843.5552-5-bruno.thomsen@gmail.com>
Subject: Re: [ptxdist] [PATCH 5/6] chrony: run as chrony user option
List-Id: PTXdist Development Mailing List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist"
To: ptxdist@pengutronix.de

On Fri, Jul 24, 2020 at 05:48:42PM +0200, Bruno Thomsen wrote:
> Default chrony service run as root and that is not
> best practice as it's doing network communication.

Is there a use-case to run chrony as root? I think we can skip the option and
always run it as user chrony.

Michael

> Signed-off-by: Bruno Thomsen
> --- > rules/chrony.in | 7 +++++++ > rules/chrony.make | 1 + > 2 files changed, 8 insertions(+) > > diff --git a/rules/chrony.in b/rules/chrony.in > index 525be2681..6a4f12de0 100644 > --- a/rules/chrony.in > +++ b/rules/chrony.in
> @@ -29,6 +29,13 @@ config CHRONY_USE_NETTLE > Use nettle crypto library for stronger keys than MD5 in > NTP authentication. > > +config CHRONY_RUN_AS_NON_ROOT > + bool > + prompt "Run chronyd as non root user" > + help > + Default chronyd is started as root, select this > + to run service with chrony user. > + > comment "install options ---" > > config CHRONY_INSTALL_CHRONY_COMMAND > diff --git a/rules/chrony.make b/rules/chrony.make > index a72752030..d5ae52883 100644 > --- a/rules/chrony.make > +++ b/rules/chrony.make > @@ -48,6 +48,7 @@ CHRONY_CONF_OPT := \ > --disable-phc \ > --disable-pps \ > $(call ptx/ifdef, PTXCONF_GLOBAL_IPV6,,--disable-ipv6) \ > + $(call ptx/ifdef, PTXCONF_CHRONY_RUN_AS_USER,--with-user=chrony,) \ > --without-seccomp > > # ---------------------------------------------------------------------------- > -- > 2.26.2 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
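
Review bot: the help text of the new CHRONY_RUN_AS_NON_ROOT entry in the rules/chrony.in hunk does not say what the option depends on or what it changes. It is turned into "--with-user=chrony" at configure time, so a "chrony" user has to exist on the target, and nothing in the two hunks shown adds one or selects a package that does. Please state that requirement in the help, write the prompt as "non-root", and say whether the option should default to on, since the commit message calls running as root "not best practice".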
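
Review bot: the line added to CHRONY_CONF_OPT in the rules/chrony.make hunk tests PTXCONF_CHRONY_RUN_AS_USER, but the symbol defined in the rules/chrony.in hunk is CHRONY_RUN_AS_NON_ROOT, which would appear as PTXCONF_CHRONY_RUN_AS_NON_ROOT. As posted, the condition refers to a symbol this patch never defines, so selecting the option does not pass "--with-user=chrony" and chronyd keeps running as root while the configuration says otherwise. Use the same name in both files, or, as the reply suggests, drop the option and pass "--with-user=chrony" unconditionally.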