From: Bruno Thomsen <bruno.thomsen@gmail.com>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
Date: Wed, 16 Jun 2021 16:15:39 +0200
Message-ID: <CAH+2xPBZcCCD81GED-qubX_7bHJQdw-m5sRALv4YBBGa0NtzQw@mail.gmail.com>
In-Reply-To: <20210616102629.GJ839947@pengutronix.de>

On Wed, 16 Jun 2021 at 12:26, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
>
> Hi,
>
> I don't use chrony myself, so I can just look at the build-system.
>
> On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> > unless I'm doing something very wrong, the "out of the box" chrony package
> > does not allow talking with the chronyc, the client and daemon control
> > user-space utility, it doesn't even create the Unix socket:
> > /var/run/chrony/chronyd.sock.
> >
> > Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> > will work OK.
>
> This makes no sense at all. tomcrypt is an external library that is
> currently not available in PTXdist. So removing this option should not
> change anything.
> Please take a look at the build (e.g. changes to config.h and Makefile) to
> see what actually happens.
>
> > Also the option "--with-user=chrony" may make the daemon more
> > secure, but it certainly messes up the logging and drift files due to
> > permissions of the /var/run and /var/log.
>
> That's just the default user. And as far as I know, this works fine with
> systemd. If you use busybox init, then maybe the init script needs to be
> changed to create directories with the correct permissions.

I can confirm that it works as expected in systemd.
This is how it looks when the service is started as chrony.

As root user:

root@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   +141us[ +315us] +/-   30ms
root@xxxxxxxx:~ ls -lah /run/chrony/
total 8.0K
drwxr-x---  2 chrony chrony 100 Jun 16 08:11 .
drwxr-xr-x 21 root   root   600 Jun 16 08:11 ..
-rw-r--r--  1 chrony chrony  42 Jun 16 07:57 chrony.drift
-rw-r--r--  1 root   root     4 Jun 15 06:48 chronyd.pid
srwxr-xr-x  1 chrony chrony   0 Jun 15 06:48 chronyd.sock

As tech user (another user, not in chrony group):

tech@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   -134us[ -266us] +/-   31ms
tech@xxxxxxxx:~ ls -lah /run/chrony/
ls: cannot open directory '/run/chrony/': Permission denied

> Patches are welcome.

We could revert the service user to root when using busybox init.

/Bruno

> > Out of these only the tomcrypt removal is critical, if somebody can explain
> > the reason behind it, or what can be done to enable the client functionality
> > with the existing compile time options I'll be most happy, because now I had
> > to move the rule to project rules and remove it.
>
> Michael
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
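
Added example (not part of the original messages or of PTXdist): a shell helper that a busybox init script could call before starting chronyd as the chrony user, following the suggestion in the thread that the init script create directories with the correct permissions. The function names are hypothetical; the path /run/chrony, the chrony user and group, and mode 750 are taken from the directory listing in the reply.

```shell
#!/bin/sh
# Added example: runtime-directory setup for a daemon that drops privileges.
# ensure_dir and check_dir are hypothetical helper names, not PTXdist code.

# ensure_dir DIR USER GROUP MODE
# Create DIR if missing, then set its mode and owner. A symlink is refused
# so that a pre-planted link cannot redirect chmod/chown to another path.
ensure_dir() {
    dir=$1 user=$2 group=$3 mode=$4
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    # chown to another user needs root; skip it when ownership already matches.
    if [ "$(stat -c '%U:%G' "$dir")" != "$user:$group" ]; then
        chown "$user:$group" "$dir" || return 1
    fi
}

# check_dir DIR USER GROUP MODE
# Return 0 only if DIR is a real directory with exactly this owner and mode.
# MODE is octal without a leading zero (e.g. 750), as printed by stat %a.
check_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%U:%G %a' "$1")" = "$2:$3 $4" ]
}

# In the init script's start action, before launching the daemon:
#   ensure_dir /run/chrony chrony chrony 750 || exit 1
#   check_dir  /run/chrony chrony chrony 750 || exit 1
```
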