Bugzilla – Bug 1115529
chronyd version 3.4 has problems starting the command socket
Last modified: 2022-04-19 22:21:07 UTC
chrony was recently updated from version 3.3 to 3.4 for Tumbleweed and after that change I see in my boot log:

    chronyd[1005]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    chronyd[1005]: Wrong permissions on /var/run/chrony
    chronyd[1005]: Disabled command socket /var/run/chrony/chronyd.sock
    chronyd[1005]: Frequency -0.992 +/- 0.666 ppm read from /var/lib/chrony/drift

chronyd runs normally, so the problem seems to be limited to setting up the command socket. chrony has permissions are and-ed with 0770 for this check and a ls -l gives:

    drwxr-xr-x 2 chrony chrony 60 Nov 3 17:28 /var/run/chrony

So the problem is that the "other" permissions so not have read and execute. See https://forums.opensuse.org/showthread.php/533721-Wrong-permissions-on-var-run-chrony, I did have a look and I see /var/run/chrony during boot, just before chronyd is started or by chronyd itself. So the question is how is /var/run/chrony and can we change the permissions doing that? Looking at the chrony source I doubt if /var/run/chrony is created by chrony itself (although it will do so when it is not present) as it looks to me like the right permissions are given there. So, is /var/run/chrony created outside of chrony and can that be updated so the correct permissions are used?

I guess I know where the problem is - there is a discrepancy between the permissions defined in the spec file and the ones in chrony-tmpfiles.
I am already working on it.
Oh, you took it. OK, so I am out.
Is this still an issue?

Yes, still a problem, updated Tumbleweed just one hour ago, rebooted and still see:

    Nov 28 23:10:56 chronyd[949]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    Nov 28 23:10:56 chronyd[949]: Wrong permissions on /var/run/chrony
    Nov 28 23:10:56 chronyd[949]: Disabled command socket /var/run/chrony/chronyd.sock

I am seeing the same issue with chrony-3.4-1.1.x86_64 (current Tumbleweed version as of this writing). Symptom of this bug is that 'chronyc onoffline' returns '501 Not authorised' resulting in initially offline sources never being activated on interface bringup. The problem is in /usr/lib/tmpfiles.d/chrony.conf (installed by chrony):

    d /run/chrony 0755 chrony chrony

If I change this to:

    d /run/chrony 0750 chrony chrony

and reboot, then everything works as expected.

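The mismatch described in the comments above can be checked before a reboot by auditing the tmpfiles.d entry against the mask chronyd applies. This is an added example, not code from the bug report or the chrony package; the function name `audit_tmpfiles` is hypothetical, and the 0770 mask is an assumption taken from the first comment's description of the check.

```shell
#!/bin/sh
# Added example, not from the bug report or the chrony package.
# Assumption taken from the first comment: chronyd rejects the directory
# when its mode has any bit set outside 0770.
ALLOWED_MASK=0770

# audit_tmpfiles PATH: read tmpfiles.d lines on stdin, print one verdict
# per directory entry for PATH, return 1 if any entry would be rejected.
audit_tmpfiles() {
    target=$1
    rc=0
    # tmpfiles.d fields: type path mode user group age argument
    while read -r kind path mode owner group rest; do
        case $kind in
            d*|D*) ;;          # directory-creating entries only
            *) continue ;;     # skips comments and other entry types
        esac
        [ "$path" = "$target" ] || continue
        mode=$(printf '%s' "$mode" | tr -d '~:')   # drop mode modifiers
        case $mode in ''|-) mode=755 ;; esac       # systemd default for directories
        case $mode in
            *[!0-7]*) echo "SKIP $path unparsable mode $mode"; continue ;;
        esac
        # The leading 0 makes the shell read the value as octal.
        extra=$(( 0$mode & ~$ALLOWED_MASK & 07777 ))
        if [ "$extra" -eq 0 ]; then
            printf 'OK   %s %s %s:%s\n' "$path" "$mode" "$owner" "$group"
        else
            printf 'FAIL %s %s %s:%s extra bits %04o\n' \
                "$path" "$mode" "$owner" "$group" "$extra"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the shipped line and the corrected line from the thread.
printf '%s\n' '# chrony tmpfiles' 'd /run/chrony 0755 chrony chrony' |
    audit_tmpfiles /run/chrony || true
printf '%s\n' 'd /run/chrony 0750 chrony chrony' | audit_tmpfiles /run/chrony
```

On a live system the same function can be fed the installed file, for example `audit_tmpfiles /run/chrony < /usr/lib/tmpfiles.d/chrony.conf`.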
Thanks Aleksandar, that answers my question how /var/run/chrony is created and gives the fix. Tested it and it also works for me. Would be good if this can be updated in the distribution.
This is an autogenerated message for OBS integration: This bug (1115529) was mentioned in https://build.opensuse.org/request/show/655501 Factory / chrony
Fixed version accepted to Factory/Tumbleweed.

SUSE-SU-2021:4147-1: An update that solves one vulnerability, contains three features and has 22 fixes is now available.
Category: security (moderate)
Bug References: 1063704,1069468,1082318,1083597,1099272,1115529,1128846,1156884,1159840,1161119,1162964,1171806,1172113,1173277,1173760,1174075,1174911,1180689,1181826,1183783,1184400,1187906,1190926
CVE References: CVE-2020-14367
JIRA References: SLE-11424,SLE-22248,SLE-22292
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): chrony-4.1-5.9.1
SUSE OpenStack Cloud Crowbar 8 (src): chrony-4.1-5.9.1
SUSE OpenStack Cloud 9 (src): chrony-4.1-5.9.1
SUSE OpenStack Cloud 8 (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP5 (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): chrony-4.1-5.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): chrony-4.1-5.9.1
HPE Helion Openstack 8 (src): chrony-4.1-5.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): augeas-1.10.1-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.1 (src): augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1
SUSE Linux Enterprise Micro 5.0 (src): augeas-1.10.1-3.9.1
SUSE Linux Enterprise Installer 15-SP3 (src): augeas-1.10.1-3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2022:0845-1: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
openSUSE Leap 15.3 (src): augeas-1.10.1-3.9.1, chrony-4.1-150300.16.3.1

SUSE-SU-2022:0845-2: An update that solves one vulnerability, contains one feature and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229
CVE References: CVE-2020-14367
JIRA References: SLE-17334
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): augeas-1.10.1-3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.