commit 5eefb61d11a77c123475fec73db819fa6121b7f2
Author: Sam James (sam_c) <sam@cmpct.info>
Date:   Wed Mar 4 04:49:58 2020 +0000

    net-misc/chrony: Run as non-root when USE=caps, revbump

    When caps is enabled, drop to the user ntp (acct-user/ntp), as opposed to remaining root.

    Adds a tmpfile.d entry for /run/chrony to ensure correct permissions.

    Closes: https://bugs.gentoo.org/711058
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

commit 87242b6f6a92328671131779c43e8f14c64f4252
Author: Sam James (sam_c) <sam@cmpct.info>
Date:   Mon Apr 20 11:44:57 2020 +0000

    net-misc/chrony: Sync live ebuild with caps changes

    This includes the permission fixes from efd09f68d, added to the 9999 ebuild.

    This should conclude the caps fixes.

    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15547
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

(et cetera, including removal of invulnerable ebuilds)

Historically, net-misc/chrony and net-misc/ntp did not both use group:user ntp:ntp. Before the changes above (among others), chronyd ran as root, which bug #711058 considered an unsafe default, and net-misc/ntp used ntp:ntp.

However, on systems where both are installed and running (not necessarily concurrently), a flaw in a net-misc/ntp daemon might open remote access through /run/chrony/chronyd.sock to the chronyd daemon configuration interface. Likewise, /var/lib/{chrony,ntp} now share user write permissions that they probably shouldn't.

The recent review (and reviewed(?) commits referenced) in bug #711058 did not address this issue. Instead, the old route was chosen whereby both net-misc/ntp and net-misc/chrony now share dependencies on acct-{group,user}/ntp. Ideally, net-misc/chrony should have gotten its own group and user.
Compare, for example, how net-misc/openntpd does not use the same group and user as net-misc/ntp, but has simultaneously supported concurrent existence on the same system for the longest of times.
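To make the concern in the report concrete, here is an added example (not code from this bug, from Gentoo, or from the chrony project) that models the POSIX discretionary access check a connect() to /run/chrony/chronyd.sock has to pass: search permission on /run/chrony and write permission on the socket inode. The directory and socket modes (0750 and 0660), the UID 123 for ntp and 124 for openntpd are assumptions for illustration; the chrony UID/GID 127 is the allocation mentioned in the commits below. The audit() function answers the question the report raises: which other daemon accounts could reach chronyd's control socket under a given account layout.

```python
"""Model which daemon accounts can reach chronyd's control socket.

chronyc drives chronyd over the Unix socket /run/chrony/chronyd.sock.
connect() on a Unix socket needs write permission on the socket inode and
search (x) permission on its directory, so any daemon running as the
socket's owner, or in its group, can issue chronyd control commands.
Modes, paths and UIDs below are assumed for illustration (added example,
not Gentoo's or chrony's own code).
"""
import os
import stat
from dataclasses import dataclass, field

SOCK_PATH = "/run/chrony/chronyd.sock"   # chronyd's default control socket
SOCK_DIR = os.path.dirname(SOCK_PATH)


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int   # permission bits only, e.g. 0o660
    uid: int
    gid: int


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int                                   # primary group
    extra_groups: frozenset = field(default_factory=frozenset)

    @property
    def gids(self):
        return self.extra_groups | {self.gid}


def has_perm(node, acct, bit):
    """POSIX DAC check for one owner-class bit (S_IRUSR/S_IWUSR/S_IXUSR).

    The group and other bits are derived by shifting the owner bit.
    Root is treated as unrestricted; finer capability handling
    (CAP_DAC_OVERRIDE and friends) is outside this model.
    """
    if acct.uid == 0:
        return True
    if acct.uid == node.uid:
        return bool(node.mode & bit)
    if node.gid in acct.gids:
        return bool(node.mode & (bit >> 3))
    return bool(node.mode & (bit >> 6))


def can_connect(directory, sock, acct):
    """True if acct can connect() to sock located inside directory."""
    return (has_perm(directory, acct, stat.S_IXUSR)
            and has_perm(sock, acct, stat.S_IWUSR))


def audit(chrony_acct, daemons, dir_mode=0o750, sock_mode=0o660):
    """Names of daemons (other than chronyd) able to reach chronyd.sock
    when /run/chrony and the socket are owned by chrony_acct's uid:gid."""
    run_dir = Inode(SOCK_DIR, dir_mode, chrony_acct.uid, chrony_acct.gid)
    sock = Inode(SOCK_PATH, sock_mode, chrony_acct.uid, chrony_acct.gid)
    return sorted(name for name, acct in daemons.items()
                  if name != "chronyd" and can_connect(run_dir, sock, acct))


def inode_from_path(path):
    """Build an Inode from a real path, for auditing a live system."""
    st = os.stat(path)
    return Inode(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Constructed accounts: 123/124 are assumed UIDs, 127 is the chrony
# allocation that was briefly added to uid-gid.txt.
NTP = Account("ntp", 123, 123)
CHRONY = Account("chrony", 127, 127)
OPENNTPD = Account("openntpd", 124, 124)
DAEMONS = {"ntpd": NTP, "openntpd": OPENNTPD}

if __name__ == "__main__":
    # Shared ntp:ntp account: a compromised ntpd can talk to chronyd.
    print("chronyd as ntp:ntp       ->", audit(NTP, DAEMONS))     # ['ntpd']
    # Dedicated chrony:chrony account: no other daemon gets through.
    print("chronyd as chrony:chrony ->", audit(CHRONY, DAEMONS))  # []
```

On a running system the same check can be applied to the real inodes with inode_from_path(SOCK_DIR) and inode_from_path(SOCK_PATH) and an Account built from pwd/grp; the modelling above deliberately stops at DAC, so a seccomp filter or MAC policy on ntpd (the mitigation argued for later in this bug) is not reflected in its answer.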
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/api.git/commit/?id=b9acf0308212fcb54098bace048214194d17cded

commit b9acf0308212fcb54098bace048214194d17cded
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-13 22:12:43 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-13 22:37:55 +0000

    uid-gid.txt: add uid/gid (127) chrony

    Bug: https://bugs.gentoo.org/746116
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 files/uid-gid.txt | 1 +
 1 file changed, 1 insertion(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/api.git/commit/?id=0c3d1a9d7e1d873e64599b51ab2e5ffa56162e41

commit 0c3d1a9d7e1d873e64599b51ab2e5ffa56162e41
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-13 22:47:20 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-13 22:48:34 +0000

    uid-gid.txt: drop uid/gid (127) chrony

    The ntp user should be still used, so dropping.

    Closes: https://bugs.gentoo.org/746116
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 files/uid-gid.txt | 1 -
 1 file changed, 1 deletion(-)
Just to add a bit more context (as I should've done in the first place - thanks floppym for rightly pointing this out):

- My view is that it would be wasteful to use a new UID+GID allocation for chrony;
- It's unlikely that anybody is running both chrony and another ntpd and, given e.g. seccomp filtering, I'm unconvinced of any real security impact here;
- To the best of my recollection (and seemingly from what a glance at git says), openntpd didn't actually have its own user at the time of my change (we just had acct-*/ntp).

If somebody strongly feels that there's value in having its own user, we can - as ever - discuss it.