Commit https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eefb61d11a77c123475fec73db819fa6121b7f2 added proper support to run as non-root when USE=caps, but /var/lib/chrony is still created as root:root, preventing chrony from writing the drift file:

    Mar 31 09:36:12 [chronyd] chronyd exiting
    Mar 31 09:36:12 [chronyd] Could not open /var/lib/chrony/drift.tmp : Permission denied

For comparison, net-misc/ntp does:

    keepdir /var/lib/ntp
    use prefix || fowners ntp:ntp /var/lib/ntp

Although in ntp's case the addition of the ntp:ntp user/group is non-conditional regardless of USE=caps, ntp:ntp on /var/lib/chrony allows it as expected:

    $ ls -l /var/lib/chrony/drift
    -rw-r--r-- 1 ntp ntp 42 Mar 31 09:37 /var/lib/chrony/drift

The /var/log/chrony permissions are likely an issue too, but I personally mask that directory+logrotate script since I have syslog handle chrony's logs, so I won't comment more on that. Albeit I'd "personally" argue the log directory should just be done away with, but it'd break configs that specify 'logdir /var/log/chrony' and may need a notice.
@ jer: Sam will work on this.
Would be nice if someone could accept that PR anytime soon.
(In reply to Kajzer from comment #2)
> Would be nice if someone could accept that PR anytime soon.

It should get merged later today. It looks right to me (obviously), but if you'd like to test it and give us some feedback, that would of course be appreciated.
(In reply to Sam James (sam_c) (security padawan) from comment #3)
> It should get merged later today. It looks right to me (obviously), but if
> you'd like to test it and give us some feedback, that would of course be
> appreciated.

Okay, I installed it just now, will know the results in the next hour (in 50 minutes from now). At the moment I'm receiving this every hour:

    chronyd[2945]: Could not open /var/lib/chrony/drift.tmp : Permission denied

If it doesn't happen again I would say it's good.
Tested 4.0_pre1-r2, seems to be fine now.

    chronyd[17754]: chronyd version 4.0-pre1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS +NTS +SECHASH -IPV6 -DEBUG)
    chronyd[17754]: Frequency -29.501 +/- 0.043 ppm read from /var/lib/chrony/drift
    chronyd[17754]: Loaded seccomp filter
    chronyd[17754]: Selected source 134.215.114.200
    chronyd[17754]: Selected source 107.21.100.177
It's interesting that it still works when I downgraded to r1. I guess that's because of this in r2:

    fowners ntp:ntp /var/lib/chrony
    fperms 770 /var/lib/chrony
(In reply to Kajzer from comment #6)
> It's interesting that it still works when I downgraded to r1

Yes, portage doesn't update permissions of already-existing directories during merge and only copies them over the first time. This is why the workaround in pkg_postinst() is needed; users could even be switching the flag on/off and depclean+remove ntp:ntp given it's conditional. And -r1 is oblivious to all this, leaving it alone, so for anyone waiting, simply setting ntp:ntp yourself on those directories is fine and won't be lost in rebuilds.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5fbd34fc6db83dc94cefe8cae5577e21656b1a2

commit f5fbd34fc6db83dc94cefe8cae5577e21656b1a2
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-04-06 21:51:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-14 13:09:57 +0000

    net-misc/chrony: Fix permissions with USE=caps

    Note that we explicitly do not adjust permissions due to possible
    security problems and it is counter to user-expectations. mjo has a
    good writeup [Link 1] on this which led to the decision to only
    inform the user of changes needed.

    Link 1: http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_pkg_postinst_great_again%29.xhtml

    Closes: https://bugs.gentoo.org/715618
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15187
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/chrony/chrony-3.5-r4.ebuild      | 172 +++++++++++++++++++++++++++++
 net-misc/chrony/chrony-4.0_pre1-r2.ebuild | 175 ++++++++++++++++++++++++++++++
 2 files changed, 347 insertions(+)
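The fix described in comment #7 and in the commit above takes the "inform, don't chown" approach: Portage only copies directory ownership on first merge, so a later USE=caps switch can leave /var/lib/chrony owned by root:root, and the ebuild reports the mismatch instead of silently changing ownership. The following is an added example, not code from the chrony ebuild or from anyone in this thread, of a check in that style; it assumes POSIX ls/awk and the ntp:ntp user/group used in the thread.

```shell
#!/bin/sh
# Added example (not from the ebuild): report, but never chown, a state
# directory whose owner/mode does not match what an unprivileged chronyd
# needs. This is the pkg_postinst "only inform the user" approach.

# Print "user:group" of a path using POSIX ls + awk (no GNU stat needed).
dir_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Print the 9-character permission string of a path, e.g. "rwxrwx---".
dir_mode() {
    ls -ld "$1" | cut -c2-10
}

# check_state_dir DIR USER:GROUP [MODE]
# Returns 0 when DIR has the wanted owner (and mode, if given),
# 1 when it exists but differs, 2 when DIR is missing.
# On a mismatch it prints the manual step the admin would have to take,
# matching the thread's advice to set ntp:ntp yourself on the directories.
check_state_dir() {
    dir="$1"; want_owner="$2"; want_mode="${3:-}"
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    have_owner=$(dir_owner "$dir")
    have_mode=$(dir_mode "$dir")
    status=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "$dir is owned by $have_owner; chronyd (USE=caps) needs $want_owner"
        echo "  to fix manually: chown $want_owner $dir"
        status=1
    fi
    if [ -n "$want_mode" ] && [ "$have_mode" != "$want_mode" ]; then
        echo "$dir has mode $have_mode; expected $want_mode"
        status=1
    fi
    return $status
}

# Stand-alone use: check the two directories the bug discusses. The r2
# ebuild sets ntp:ntp and 770 on /var/lib/chrony; the log dir is checked
# for ownership only, as the reporter notes it may be masked/unused.
for d in /var/lib/chrony; do check_state_dir "$d" ntp:ntp rwxrwx--- || true; done
check_state_dir /var/log/chrony ntp:ntp || true
```

Run it as any user; it exits with the per-directory status printed above and changes nothing on disk.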