From: Bruno Thomsen
Date: Wed, 16 Jun 2021 16:15:39 +0200
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable

On Wed, 16 Jun 2021 at 12:26, Michael Olbrich wrote:
>
> Hi,
>
> I don't use chrony myself, so I can just look at the build-system.
>
> On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> > unless I'm doing something very wrong, the "out of the box" chrony package
> > does not allow talking with the chronyc, the client and daemon control
> > user-space utility, it doesn't even create the Unix socket:
> > /var/run/chrony/chronyd.sock.
> >
> > Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> > will work OK.
>
> This makes no sense at all. tomcrypt is an external library that is
> currently not available in PTXdist. So removing this option should not
> change anything.
> Please take a look at the build (e.g. changes to config.h and Makefile) to
> see what actually happens.
>
> > Also the option "--with-user=chrony" may make the daemon more
> > secure, but it certainly messes up the logging and drift files due to
> > permissions of the /var/run and /var/log.
>
> That's just the default user. And as far as I know, this works fine with
> systemd. If you use busybox init, then maybe the init script needs to be
> changed to create directories with the correct permissions.

I can confirm that it works as expected in systemd.
This is how it looks when the service is started as chrony.

As root user:
root@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   +141us[ +315us] +/-   30ms
root@xxxxxxxx:~ ls -lah /run/chrony/
total 8.0K
drwxr-x---  2 chrony chrony 100 Jun 16 08:11 .
drwxr-xr-x 21 root   root   600 Jun 16 08:11 ..
-rw-r--r--  1 chrony chrony  42 Jun 16 07:57 chrony.drift
-rw-r--r--  1 root   root     4 Jun 15 06:48 chronyd.pid
srwxr-xr-x  1 chrony chrony   0 Jun 15 06:48 chronyd.sock

As tech user (another user, not in chrony group):
tech@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10                   3   6   377    45   -134us[ -266us] +/-   31ms
tech@xxxxxxxx:~ ls -lah /run/chrony/
ls: cannot open directory '/run/chrony/': Permission denied

> Patches are welcome.

We could revert the service user to root when using busybox init.

/Bruno

> > Out of these only the tomcrypt removal is critical, if somebody can explain
> > the reason behind it, or what can be done to enable the client functionality
> > with the existing compile time options I'll be most happy, because now I had
> > to move the rule to project rules and remove it.
>
> Michael
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
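
The busybox init case raised in this thread, as an added example that is not part of the original mails or of PTXdist: a pre-start step for an init script that creates chronyd's runtime directory with the owner and mode seen in the listing above (chrony:chrony, drwxr-x---) and verifies the result before the daemon is started. The function names, the reliance on `stat -c` and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not PTXdist's init script): prepare and verify the runtime
# directory chronyd needs when it runs as an unprivileged user.

# check_dir DIR OWNER GROUP MODE -> 0 if DIR matches exactly, 1 otherwise
check_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # stat -c (GNU coreutils, busybox with format support):
    # %U owner name, %G group name, %a octal mode
    [ "$(stat -c '%U:%G:%a' "$1")" = "$2:$3:$4" ]
}

# prepare_dir DIR OWNER GROUP MODE
# Creates DIR if missing, sets mode and ownership, then re-checks the result.
prepare_dir() {
    dir=$1 owner=$2 group=$3 mode=$4
    # Refuse a symlink: chmod/chown would follow it to an unintended target.
    [ -L "$dir" ] && { echo "$dir is a symlink, refusing" >&2; return 1; }
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    # Only root can hand the directory to another user; as non-root the
    # chown is skipped and check_dir decides whether the result is acceptable.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dir" || return 1
    fi
    check_dir "$dir" "$owner" "$group" "$mode"
}

# Typical call from the start) branch of an init script (path is an assumption):
#   prepare_dir /run/chrony chrony chrony 750 || exit 1
```

Failing the start when `check_dir` does not match keeps a wrongly owned or world-accessible directory from being used silently for the socket and drift file.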