Bug 711058 - net-misc/chrony-3.5-r2: default config runs as root; no privsep.
Summary: net-misc/chrony-3.5-r2: default config runs as root; no privsep.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks: seccomp
Reported: 2020-02-28 18:23 UTC by Sam James
Modified: 2020-10-02 09:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-02-28 18:23:16 UTC
Chrony has support[0] for privilege separation and the ebuild builds it correctly:
># chronyd --version
>chronyd (chrony) version 3.5 (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)

Unfortunately, the default configuration runs as root.

[0] https://chrony.tuxfamily.org/faq.html#_how_can_i_make_code_chronyd_code_more_secure

Reproducible: Always

Actual Results:  
chrony runs as root.

Expected Results:  
chrony runs, or has a child process, running as a non-root user.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2020-02-28 18:34:10 UTC
Note that the 'user' option requires the non-default caps USE flag
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-29 09:22:17 UTC
By default it listens on 127.0.0.1

Anyway, it could be seen as an improvement; I don't think it is a security bug.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-29 15:05:03 UTC
@ ago: Component "Gentoo security", "Default configuration" is exactly for things like that.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-02-29 17:03:26 UTC
(In reply to Agostino Sarubbo from comment #2)
> By default it listens on 127.0.0.1
>

IMO this does not matter; it's a privileged daemon which reaches out to the internet. I'd be equally concerned if e.g. dnsmasq was running as root. Best to not trust remote NTP servers.

I will have a try at making a patch for this.
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-03 13:54:32 UTC
(In reply to Thomas Deutschmann from comment #3)
> @ ago: Component "Gentoo security", "Default configuration" is exactly for
> things like that.

I took bug 587586 as an example, where it is more or less the same but it is not under security. Next time I'll put it under Default configs.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 20:46:08 UTC
seccomp in chrony is only enabled at runtime if -F N is given, where:
* N = 1: filtering
* N = -1: logs would-be blocked syscalls, but allows through
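
A host-side check for the two properties discussed in this bug, as an added example that is not part of the report or the ebuild: it reads the feature list from `chronyd --version` and the `Uid` and `Seccomp` fields of the daemon's `/proc/<pid>/status`. The function names, the status excerpts and uid 123 are constructed for illustration; only `VERSION_LINE` is taken from the report.

```shell
#!/bin/sh
# Added example. VERSION_LINE is the chronyd --version output quoted in the
# report; the /proc/<pid>/status excerpts below are constructed samples.
VERSION_LINE='chronyd (chrony) version 3.5 (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER -SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)'

# Constructed: the reported default (root, no filter) and a hardened run.
STATUS_ROOT=$(printf 'Name:\tchronyd\nUid:\t0\t0\t0\t0\nSeccomp:\t0\n')
STATUS_HARDENED=$(printf 'Name:\tchronyd\nUid:\t123\t123\t123\t123\nSeccomp:\t2\n')

# has_feature VERSION_LINE NAME: succeeds if the build string lists +NAME.
has_feature() {
    case " $(printf '%s' "$1" | tr '()' '  ') " in
        *" +$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# status_field STATUS KEY N: Nth value on the "KEY:" line of a status file.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" -v n="$3" '$1 == k { print $(n + 1) }'
}

# audit_chronyd VERSION_LINE STATUS: prints one finding per hardening feature.
audit_chronyd() {
    euid=$(status_field "$2" Uid 2)       # Uid: real, effective, saved, fs
    mode=$(status_field "$2" Seccomp 1)   # 0 = off, 1 = strict, 2 = filter
    if ! has_feature "$1" PRIVDROP; then
        echo "privdrop: not compiled in"
    elif [ "$euid" = 0 ]; then
        echo "privdrop: compiled in, but effective uid is 0 (root)"
    else
        echo "privdrop: ok, effective uid $euid"
    fi
    if ! has_feature "$1" SCFILTER; then
        echo "seccomp: not compiled in"
    elif [ "$mode" = 2 ]; then
        echo "seccomp: ok, filter installed"
    else
        echo "seccomp: compiled in, but no filter installed (Seccomp: $mode)"
    fi
}

audit_chronyd "$VERSION_LINE" "$STATUS_ROOT"
audit_chronyd "$VERSION_LINE" "$STATUS_HARDENED"
```

On a live system, pass `"$(chronyd --version)"` and the contents of the running daemon's `/proc/<pid>/status` as the two arguments.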
Comment 7 Larry the Git Cow gentoo-dev 2020-03-30 18:36:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eefb61d11a77c123475fec73db819fa6121b7f2

commit 5eefb61d11a77c123475fec73db819fa6121b7f2
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-04 04:49:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 18:36:43 +0000

    net-misc/chrony: Run as non-root when USE=caps, revbump
    
    When caps is enabled, drop to the user ntp (acct-user/ntp),
    as opposed to remaining root.
    
    Adds a tmpfiles.d entry for /run/chrony to ensure correct permissions.
    
    Closes: https://bugs.gentoo.org/711058
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/chrony/chrony-3.5-r3.ebuild | 150 +++++++++++++++++++++++++++++++++++
 net-misc/chrony/chrony-9999.ebuild   |  29 ++++++-
 net-misc/chrony/files/chronyd.conf   |   2 +-
 3 files changed, 177 insertions(+), 4 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c99543bfd3245724e21089a617f28d828c5548

commit a2c99543bfd3245724e21089a617f28d828c5548
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-15 20:53:29 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 18:36:44 +0000

    net-misc/chrony: Enable seccomp filtering when USE=seccomp
    
    We already have USE=seccomp but chronyd won't do anything unless
    -F is set to 1. We could also set -F -1 which will log any syscalls
    which would've been blocked but won't deny them.
    
    Also fixes systemd for previous commit.
    
    Bug: https://bugs.gentoo.org/711058
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/14973
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/chrony/chrony-3.5-r3.ebuild               |  30 ++--
 net-misc/chrony/chrony-4.0_pre1-r1.ebuild          | 155 +++++++++++++++++++++
 net-misc/chrony/chrony-9999.ebuild                 |  30 ++--
 .../files/chrony-3.5-r3-systemd-gentoo.patch       |  12 ++
 net-misc/chrony/files/chronyd.conf                 |   2 +-
 5 files changed, 200 insertions(+), 29 deletions(-)