Bug 1115529

Summary: chronyd version 3.4 has problems starting the command socket
Product: [openSUSE] openSUSE Tumbleweed
Reporter: M Fredericks <emfee>
Component: Basesystem
Assignee: Martin Pluskal <mpluskal>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: biblbroks, emfee, mpluskal, nwr10cst-oslnx, patrick.mcneil
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description M Fredericks 2018-11-10 10:55:43 UTC
chrony was recently updated from version 3.3 to 3.4 for Tumbleweed and after that change I see in my boot log:

chronyd[1005]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
chronyd[1005]: Wrong permissions on /var/run/chrony
chronyd[1005]: Disabled command socket /var/run/chrony/chronyd.sock
chronyd[1005]: Frequency -0.992 +/- 0.666 ppm read from /var/lib/chrony/drift

chronyd runs normally, so the problem seems to be limited to setting up the command socket.

In chrony, permissions are and-ed with 0770 for this check, and an ls -l gives:

drwxr-xr-x 2 chrony chrony 60 Nov  3 17:28 /var/run/chrony

So the problem is that the "other" permissions so not have read and execute.

See https://forums.opensuse.org/showthread.php/533721-Wrong-permissions-on-var-run-chrony, I did have a look and I see /var/run/chrony during boot, just before chronyd is started or by chronyd itself. So the question is how is /var/run/chrony created and can we change the permissions doing that?

Looking at the chrony source I doubt if /var/run/chrony is created by chrony itself (although it will do so when it is not present) as it looks to me like the right permissions are given there.

So, is /var/run/chrony created outside of chrony and can that be updated so the correct permissions are used?
Comment 1 Martin Pluskal 2018-11-22 09:26:06 UTC
I guess I know where the problem is - there is a discrepancy between permissions defined in spec file and ones in chrony-tmpfiles
Comment 2 Reinhard Max 2018-11-22 09:32:20 UTC
I am already working on it.
Comment 3 Reinhard Max 2018-11-22 09:32:39 UTC
Oh, you took it. OK, so I am out.
Comment 4 Martin Pluskal 2018-11-28 12:08:44 UTC
Is this still an issue?
Comment 5 M Fredericks 2018-11-28 22:20:37 UTC
Yes, still a problem, updated Tumbleweed just one hour ago, rebooted and still see:

Nov 28 23:10:56 chronyd[949]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
Nov 28 23:10:56 chronyd[949]: Wrong permissions on /var/run/chrony
Nov 28 23:10:56 chronyd[949]: Disabled command socket /var/run/chrony/chronyd.sock
Comment 6 Aleksandar Radovanovic 2018-12-05 15:42:32 UTC
I am seeing the same issue with chrony-3.4-1.1.x86_64 (current Tumbleweed version as of this writing). 

Symptom of this bug is that 'chronyc onoffline' returns '501 Not authorised' resulting in initially offline sources never being activated on interface bringup.

The problem is in /usr/lib/tmpfiles.d/chrony.conf (installed by chrony):

d /run/chrony 0755 chrony chrony

If I change this to:

d /run/chrony 0750 chrony chrony

and reboot, then everything works as expected.
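
The check and the fix discussed in this thread, as an added example that is not part of the original report or of chrony's own code: a shell audit that reads the mode a tmpfiles.d entry assigns to a directory and flags any permission bits outside 0770. It assumes the check fails whenever (mode & ~0770) is non-zero, which is consistent with 0755 failing and 0750 working as reported above; the function names are invented for this example.

```shell
#!/bin/sh
# Added example, not chrony or openSUSE code.
# ASSUMPTION: the directory check rejects any permission bit outside the
# mask 0770, i.e. it fails when (mode & ~0770 & 0777) != 0.

# extra_bits MODE [MASK] -> prints, in octal, the bits of MODE outside MASK
extra_bits() {
    printf '%o\n' $(( 0$1 & ~0${2:-770} & 0777 ))
}

# tmpfiles_mode FILE DIR -> prints the mode a tmpfiles.d "d"/"D" line gives
# DIR (last matching line wins); returns 1 if there is no such line
tmpfiles_mode() {
    awk -v dir="$2" '
        $1 ~ /^[dD]/ && $2 == dir { mode = $3 }
        END { if (mode == "") exit 1; print mode }
    ' "$1"
}

# audit_tmpfiles FILE DIR -> 0 if the configured mode passes, 1 if it has
# bits outside 0770, 2 if the entry is missing or the mode is not octal
audit_tmpfiles() {
    mode=$(tmpfiles_mode "$1" "$2") || { echo "no entry for $2 in $1"; return 2; }
    case $mode in
        *[!0-7]*) echo "$2: mode '$mode' is not plain octal"; return 2 ;;
    esac
    extra=$(extra_bits "$mode")
    if [ "$extra" != 0 ]; then
        echo "$2: mode $mode has bits outside 0770 (extra: $extra)"
        return 1
    fi
    echo "$2: mode $mode ok"
}

# audit_live DIR -> same check against the directory as it exists on disk
# (uses GNU stat)
audit_live() {
    mode=$(stat -c '%a' "$1") || return 2
    [ "$(extra_bits "$mode")" = 0 ]
}

# Demo on the two tmpfiles.d lines quoted in this thread (before / after).
tmp=$(mktemp)
for line in 'd /run/chrony 0755 chrony chrony' 'd /run/chrony 0750 chrony chrony'; do
    printf '%s\n' "$line" > "$tmp"
    audit_tmpfiles "$tmp" /run/chrony || true
done
rm -f "$tmp"
```

On an installed system the same functions can be pointed at /usr/lib/tmpfiles.d/chrony.conf and at the live /run/chrony directory.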
Comment 7 M Fredericks 2018-12-05 22:29:54 UTC
Thanks Aleksandar, that answers my question how /var/run/chrony is created and gives the fix. Tested it and it also works for me.

Would be good if this can be updated in the distribution.
Comment 8 Swamp Workflow Management 2018-12-06 08:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1115529) was mentioned in
https://build.opensuse.org/request/show/655501 Factory / chrony
Comment 9 Martin Pluskal 2018-12-14 08:02:29 UTC
Fixed version accepted to Factory/Tumbleweed.
Comment 12 Swamp Workflow Management 2021-12-22 14:34:53 UTC
SUSE-SU-2021:4147-1: An update that solves one vulnerability, contains three features and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1063704,1069468,1082318,1083597,1099272,1115529,1128846,1156884,1159840,1161119,1162964,1171806,1172113,1173277,1173760,1174075,1174911,1180689,1181826,1183783,1184400,1187906,1190926
CVE References: CVE-2020-14367
JIRA References: SLE-11424,SLE-22248,SLE-22292
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud Crowbar 8 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud 9 (src):    chrony-4.1-5.9.1
SUSE OpenStack Cloud 8 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    chrony-4.1-5.9.1
HPE Helion Openstack 8 (src):    chrony-4.1-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-03-15 14:18:46 UTC
SUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    augeas-1.10.1-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.1 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.0 (src):    augeas-1.10.1-3.9.1
SUSE Linux Enterprise Installer 15-SP3 (src):    augeas-1.10.1-3.9.1

Comment 15 Swamp Workflow Management 2022-03-15 14:27:03 UTC
openSUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
openSUSE Leap 15.3 (src):    augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
Comment 16 Swamp Workflow Management 2022-04-19 22:21:07 UTC
SUSE-SU-2022:0845-2: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    augeas-1.10.1-3.9.1
