mailarchive of the ptxdist mailing list
* [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
From: Mircea Ciocan @ 2021-06-15  9:55 UTC
  To: ptxdist

Hello everybody,

unless I'm doing something very wrong, the "out of the box" chrony 
package does not allow talking with the chronyc, the client and daemon 
control user-space utility, it doesn't even create the Unix socket: 
/var/run/chrony/chronyd.sock.

Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, 
everything will work OK. Also the option "--with-user=chrony" may make 
the daemon more secure, but it certainly messes up the logging and drift 
files due to permissions of the /var/run and /var/log.

Out of these only the tomcrypt removal is critical, if somebody can 
explain the reason behind it, or what can be done to enable the client 
functionality with the existing compile time options I'll be most happy, 
because now I had to move the rule to project rules and remove it.


  Thanks and best regards,

  Mircea


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
From: Michael Olbrich @ 2021-06-16 10:26 UTC
  To: ptxdist

Hi,

I don't use chrony myself, so I can just look at the build-system.

On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> unless I'm doing something very wrong, the "out of the box" chrony package
> does not allow talking with the chronyc, the client and daemon control
> user-space utility, it doesn't even create the Unix socket:
> /var/run/chrony/chronyd.sock.
> 
> Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> will work OK.

This makes no sense at all. tomcrypt is an external library that is
currently not available in PTXdist. So removing this option should not
change anything.
Please take a look at the build (e.g. changes to config.h and Makefile) to
see what actually happens.

> Also the option "--with-user=chrony" may make the daemon more
> secure, but it certainly messes up the logging and drift files due to
> permissions of the /var/run and /var/log.

That's just the default user. And as far as I know, this works fine with
systemd. If you use busybox init, then maybe the init script needs to be
changed to create directories with the correct permissions.

Patches are welcome.

> Out of these only the tomcrypt removal is critical, if somebody can explain
> the reason behind it, or what can be done to enable the client functionality
> with the existing compile time options I'll be most happy, because now I had
> to move the rule to project rules and remove it.

Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
From: Bruno Thomsen @ 2021-06-16 14:15 UTC
  To: ptxdist

On Wed, Jun 16, 2021 at 12:26, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
>
> Hi,
>
> I don't use chrony myself, so I can just look at the build-system.
>
> On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> > unless I'm doing something very wrong, the "out of the box" chrony package
> > does not allow talking with the chronyc, the client and daemon control
> > user-space utility, it doesn't even create the Unix socket:
> > /var/run/chrony/chronyd.sock.
> >
> > Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> > will work OK.
>
> This makes no sense at all. tomcrypt is an external library that is
> currently not available in PTXdist. So removing this option should not
> change anything.
> Please take a look at the build (e.g. changes to config.h and Makefile) to
> see what actually happens.
>
> > Also the option "--with-user=chrony" may make the daemon more
> > secure, but it certainly messes up the logging and drift files due to
> > permissions of the /var/run and /var/log.
>
> That's just the default user. And as far as I know, this works fine with
> systemd. If you use busybox init, then maybe the init script needs to be
> changed to create directories with the correct permissions.

I can confirm that it works as expected in systemd.

This is how it looks when the service is started as chrony.
As root user:

root@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   +141us[ +315us] +/-   30ms

root@xxxxxxxx:~ ls -lah /run/chrony/
total 8.0K
drwxr-x---  2 chrony chrony 100 Jun 16 08:11 .
drwxr-xr-x 21 root   root   600 Jun 16 08:11 ..
-rw-r--r--  1 chrony chrony  42 Jun 16 07:57 chrony.drift
-rw-r--r--  1 root   root     4 Jun 15 06:48 chronyd.pid
srwxr-xr-x  1 chrony chrony   0 Jun 15 06:48 chronyd.sock

As tech user (another user, not in chrony group):

tech@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   -134us[ -266us] +/-   31ms

tech@xxxxxxxx:~ ls -lah /run/chrony/
ls: cannot open directory '/run/chrony/': Permission denied


> Patches are welcome.

We could revert the service user to root when using busybox init.

/Bruno

> > Out of these only the tomcrypt removal is critical, if somebody can explain
> > the reason behind it, or what can be done to enable the client functionality
> > with the existing compile time options I'll be most happy, because now I had
> > to move the rule to project rules and remove it.
>
> Michael
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
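
An added example, not part of any message in this thread and not PTXdist's own init script: one way a busybox-style init script could create chronyd's runtime directory with the ownership and mode seen in the listing above (chrony:chrony, drwxr-x---) before the daemon starts, and verify the result. The function names `prepare_dir` and `check_dir` are hypothetical; the path, user and mode in the usage comment are taken from the listing.

```shell
#!/bin/sh
# Added example: runtime-directory setup for a chronyd that runs as a
# non-root user when no service manager creates the directory for it.

# prepare_dir DIR OWNER GROUP MODE
# Creates DIR if missing, then enforces ownership and mode.
prepare_dir() {
    dir=$1; owner=$2; group=$3; mode=$4
    # Refuse to operate through a symlink placed at the target path.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
}

# check_dir DIR OWNER GROUP MODE
# Returns 0 only if DIR is a real directory with exactly this owner,
# group and mode. OWNER and GROUP may be names or numeric ids.
check_dir() {
    dir=$1; owner=$2; group=$3; mode=$4
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    match=$(find "$dir" -maxdepth 0 -type d \
        -user "$owner" -group "$group" -perm "$mode" 2>/dev/null)
    [ -n "$match" ]
}

# Assumed use from an init script's start action, running as root:
#   prepare_dir /run/chrony chrony chrony 750 &&
#   check_dir   /run/chrony chrony chrony 750 &&
#   ... start chronyd ...
```

The same two calls can be repeated for the log directory mentioned in the first message, with whatever mode the project chooses for it.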
