This is an automated email from git. It was generated because a ref
change was pushed to the "chrony/chrony.git" repository.

The branch, master has been updated
       via  83f96efdfd2d42a8de51ac3b05120acf5292bb00 (commit)
      from  127826a399826b048c3b13d04771129b6f4f373d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Sep 29 15:25:48 2021 +0200

    examples: harden systemd services
    
    Add various settings to the example chronyd and chrony-wait services to
    decrease the exposure reported by the "systemd-analyze security"
    command. The original exposure was high as the analyzer does not check
    the actual process (e.g. that it dropped the root privileges or that it
    has its own seccomp filter).
    
    Limit read-write access to /run, /var/lib/chrony, and /var/spool.
    Access to /run (instead of /run/chrony) is needed for the refclock
    socket expected by gpsd.
    
    The mailonchange directive is most likely to break as it executes
    /usr/sbin/sendmail, which can do unexpected operations depending on the
    implementation. It should work with a setuid/setgid binary, but it is
    not expected to write outside of /var/spool and the private /tmp.

-----------------------------------------------------------------------

Summary of changes:
 examples/chrony-wait.service | 27 +++++++++++++++++++++++++++
 examples/chronyd.service     | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
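The diff itself is not included in this notification, only the summary above. The drop-in below is an added illustration of the kind of hardening the commit message describes; it is not chrony's examples/chronyd.service, and the directive set in the actual commit may differ. The writable paths are the ones named in the message; the override file location and the directives chosen here are assumptions.

```ini
# /etc/systemd/system/chronyd.service.d/hardening.conf
# Assumed path for a local override; illustration only, not the unit shipped by chrony.
[Service]
# Mount the OS read-only for the service and open only the paths the commit
# message names: /run (not /run/chrony) because gpsd expects the refclock socket
# there, /var/lib/chrony for drift/rtc state, /var/spool for the mail submission
# done by mailonchange.
ProtectSystem=strict
ReadWritePaths=/run /var/lib/chrony /var/spool
# sendmail invoked by mailonchange may write to /tmp; a private /tmp keeps that
# away from the real one while still allowing it.
PrivateTmp=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native

# Deliberately not set, even though "systemd-analyze security" would reward them:
#   ProtectClock=yes          - removes CAP_SYS_TIME; a time daemon cannot work without it.
#   NoNewPrivileges=yes       - would break a setuid/setgid /usr/sbin/sendmail
#   RestrictSUIDSGID=yes        under mailonchange.
#   RestrictRealtime=yes      - chrony's sched_priority directive uses real-time scheduling.
#   SystemCallFilter=...      - chronyd installs its own seccomp filter (see the commit
#                               message); a unit-level filter is redundant and can conflict.
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security chronyd.service` prints the per-directive exposure table; as the commit message notes, the score only reflects unit settings, so it stays "high" on items like privilege dropping and seccomp that chronyd handles itself. Confirm `chronyc tracking` still reports a synchronized clock, and if mailonchange is configured, trigger a step and verify the mail arrives.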


hooks/post-receive
-- 
chrony/chrony.git
