[Buildroot] [PATCH] package/chrony: add default unprivileged user option
James Kent
james.kent at orchestrated-technology.com
Tue Feb 7 17:10:20 UTC 2023
Configurable option to define and enable by default an unprivileged
user which the Chrony daemon will assume once initialised. Where libcap
is not enabled a comment indicates the dependency requirement to make
the option available.
This option supports the good security practice of dropping elevated
privileges for daemon runtime.
Signed-off-by: James Kent <james.kent at orchestrated-technology.com>
---
package/chrony/Config.in | 10 ++++++++++
package/chrony/chrony.mk | 8 ++++++++
2 files changed, 18 insertions(+)
diff --git a/package/chrony/Config.in b/package/chrony/Config.in
index 158dc20530..8b053ed7e2 100644
--- a/package/chrony/Config.in
+++ b/package/chrony/Config.in
@@ -14,3 +14,13 @@ config BR2_PACKAGE_CHRONY_DEBUG_LOGGING
Enable support for debug logging output from Chrony when
enabled at runtime. If disabled, code for debug logging will
not be compiled in.
+
+config BR2_PACKAGE_CHRONY_USER
+ bool "chrony default unprivileged user"
+ depends on BR2_PACKAGE_CHRONY && BR2_PACKAGE_LIBCAP
+ help
+ Define and enable default unprivileged user for the Chrony
+ daemon to run as.
+
+comment "chrony default unprivileged user requires libcap"
+ depends on BR2_PACKAGE_CHRONY && !BR2_PACKAGE_LIBCAP
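Review bot: `BR2_PACKAGE_CHRONY_USER` has no `default` line, so the bool stays off unless someone selects it and chronyd keeps its current behaviour, while the commit message reads as if the unprivileged user should be on by default. If that is the intent, add `default y` under the `bool` line so that builds with libcap get the privilege drop without extra configuration. The help text should also say what selecting the option does, for example `chronyd starts as root and then switches to the "chrony" user, which is created by this package; libcap is needed for the switch.` The `depends on BR2_PACKAGE_CHRONY` term may be redundant if this entry sits inside an `if BR2_PACKAGE_CHRONY` block, which is not visible in the hunk.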
diff --git a/package/chrony/chrony.mk b/package/chrony/chrony.mk
index 379e95a778..16f8f082a3 100644
--- a/package/chrony/chrony.mk
+++ b/package/chrony/chrony.mk
@@ -21,6 +21,14 @@ CHRONY_CONF_OPTS = \
ifeq ($(BR2_PACKAGE_LIBCAP),y)
CHRONY_DEPENDENCIES += libcap
+
+ifeq ($(BR2_PACKAGE_CHRONY_USER),y)
+CHRONY_CONF_OPTS += --with-user=chrony
+define CHRONY_USERS
+ chrony -1 chrony -1 * /run/chrony - - Time daemon
+endef
+endif
+
else
CHRONY_CONF_OPTS += --without-libcap
endif
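Review bot: The `CHRONY_USERS` entry sets the home field to `/run/chrony`, which, as far as I know, makes Buildroot create and chown that directory in the target tree at build time. If `/run` is a tmpfs on the running system (common, but not visible here), that directory and its ownership are gone after boot, so the entry gives no guarantee about what chronyd finds there. Unless the build-time directory is needed, `chrony -1 chrony -1 * - - - Time daemon` avoids it. It is also worth confirming that the drift file, dump directory and key file configured in the installed chrony.conf remain accessible to the `chrony` user after the privilege drop, since a daemon that cannot write its state tends to get the option switched off again. A one-line comment above `define CHRONY_USERS` naming the table fields (`# user uid group gid password home shell groups comment`) would document the entry.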
--
2.35.3