search

SuperQ / chrony_exporter

Exporter for Chrony NTP
Apache License 2.0
41 stars 11 forks source link

chrony unix socket permissions #44

Closed equinox0815 closed 12 months ago

equinox0815 commented 12 months ago

PR #35 added the possibility to use chrony's unix comand socket to query the metrics. This PR also updates the README which states that running the exporter as root should work. Sadly this not the case. Imho there are 4 possible solutions to the problem:

  1. Update the README and drop the info about running the exporter as root. This means that the only documented way to run the exporter in this case is to let it run as the same user as chrony.
  2. Update the README to explain all the possible ways the exporter can be run in this case:
    • run it as the same user as chrony
    • run it as user root with umask set to 0000
    • run it as user root, set the egid of the exporter to the same group chrony runs at and set the umask to 0002
    • run it as any user, add CAP_DAC_OVERRIDE to the ambient capability set and set umask to 0000
    • run it as any user, add CAP_DAC_OVERRIDE to the ambient capability set, set the egid of the exporter to the same group chrony runs at and set the umask to 0002
    • some other even more convoluted way?
  3. Update the README and explain what operations actually need to be allowed for the exporter to work.
    • the exporter needs to be able to create a socket file inside the directory where the command socket of chrony is -> /var/run/chrony
      • run the exporter as the same user as chrony
      • run the exporter as user root
      • run the exporter as any user and add CAP_DAC_OVERRIDE to the ambient capability set
      • some other solution...
    • the socket file created by the exporter needs to be writeable by the user/group chrony runs as
      • run the exporter as the same user as chrony
      • use the umask to mangle the permissions of the socket file
      • some other solution...
  4. re-add the call to chmod in the source code.

Not sure which one is the best. Option 1 is clearly the easiest but does not tell the full story. Option 2 and 3 are more complete but a little wordy. Option 4 is is a little strange and needs an actually source code change and a new release.

SuperQ commented 12 months ago

Like I said in the PR thread, we could re-add the chmod, but behind a flag so it's disabled by default.

equinox0815 commented 12 months ago

Ok so basically option 4. I will prepare a PR for that.