diff --git a/chrony.texi.in b/chrony.texi.in index 532d8f1..59caf74 100644 --- a/chrony.texi.in +++ b/chrony.texi.in @@ -976,15 +976,13 @@ no RTC or the RTC is broken (e.g. it has no battery). @item -u This option sets the name of the system user to which @code{chronyd} will switch after start in order to drop root privileges. It overrides the -@code{user} directive (default @code{@DEFAULT_USER@}). It may be set to a -non-root user only when @code{chronyd} is compiled with support for Linux -capabilities (libcap), on NetBSD with the @code{/dev/clockctl} device or on -Mac OS X. +@code{user} directive (default @code{@DEFAULT_USER@}). -In the Mac OS X implementation @code{chronyd} forks into two processes. The -child process retains root privileges but can only perform a very limited range -of privileged system calls on behalf of the parent. The parent process drops -root privileges to run as the specified system user. +On Linux, @code{chronyd} needs to be compiled with support for the +@code{libcap} library. On Mac OS X, FreeBSD, NetBSD and Solaris @code{chronyd} +forks into two processes. The child process retains root privileges, but can +only perform a very limited range of privileged system calls on behalf of the +parent. @item -F This option configures a system call filter when @code{chronyd} is compiled with support for the Linux secure computing (seccomp) facility. In level 1 the 
@@ -3181,16 +3179,15 @@ Valid measurements with corresponding compensations are logged to the @subsection user The @code{user} directive sets the name of the system user to which @code{chronyd} will switch after start in order to drop root privileges. -It may be set to a non-root user only when @code{chronyd} is compiled with -support for Linux capabilities (libcap), on NetBSD with the -@code{/dev/clockctl} device or on Mac OS X. -In the Mac OS X implementation @code{chronyd} forks into two processes. The -child process retains root privileges but can only perform a very limited range -of privileged system calls on behalf of the parent. The parent process drops -root privileges to run as the specified system user. +On Linux, @code{chronyd} needs to be compiled with support for the +@code{libcap} library. On Mac OS X, FreeBSD, NetBSD and Solaris @code{chronyd} +forks into two processes. The child process retains root privileges, but can +only perform a very limited range of privileged system calls on behalf of the +parent. -The default value is @code{@DEFAULT_USER@}. +The default value is @code{@DEFAULT_USER@}. The configure script has a +@code{--with-user} option, which sets the default value. @c }}} @c }}} @c {{{ S:Running chronyc diff --git a/chronyd.8.in b/chronyd.8.in index 0a10d01..bd27ba0 100644 --- a/chronyd.8.in +++ b/chronyd.8.in 
@@ -101,14 +101,12 @@ RTC or the RTC is broken (e.g. it has no battery). \fB\-u\fR \fIuser\fR This option sets the name of the system user to which \fBchronyd\fR will switch after start in order to drop root privileges. It overrides the \fBuser\fR -directive (default \fB@DEFAULT_USER@\fR). It may be set to a non-root user -only when \fBchronyd\fR is compiled with support for Linux capabilities -(libcap), on NetBSD with the \fB/dev/clockctl\fR device or on Mac OS X. +directive from the configuration file (default \fB@DEFAULT_USER@\fR). -In the Mac OS X implementation \fBchronyd\fR forks into two processes. The -child process retains root privileges but can only perform a very limited range -of privileged system calls on behalf of the parent. The parent process drops -root privileges to run as the specified system user. +On Linux, \fBchronyd\fR needs to be compiled with support for the \fBlibcap\fR +library. On Mac OS X, FreeBSD, NetBSD and Solaris \fBchronyd\fR forks into two +processes. The child process retains root privileges, but can only perform a +very limited range of privileged system calls on behalf of the parent. .TP \fB\-F\fR \fIlevel\fR This option configures a system call filter when \fBchronyd\fR is compiled with diff --git a/doc/faq.adoc b/doc/faq.adoc index 1eadd09..5869a65 100644 --- a/doc/faq.adoc +++ b/doc/faq.adoc 
@@ -128,11 +128,13 @@ under the root or chrony user (which can access +chronyd+ through a Unix domain socket since version 2.2), you can disable the internet command sockets completely by adding +cmdport 0+ to the configuration file. -On Linux, if +chronyd+ is compiled with support for Linux capabilities -(available in the libcap library), or on NetBSD with the +/dev/clockctl+ -device, you can specify an unprivileged user with the +-u+ option or +user+ -directive in the 'chrony.conf' file to drop root privileges after start. The -configure option +--with-user+ can be used to drop the privileges by default. +You can specify an unprivileged user with the +-u+ option, or the +user+ +directive in the 'chrony.conf' file, to which +chronyd+ will switch after start +in order to drop root privileges. The configure script has a +--with-user+ +option, which sets the default user. On Linux, +chronyd+ needs to be compiled +with support for the +libcap+ library. On other systems, +chronyd+ forks into +two processes. The child process retains root privileges, but can only perform +a very limited range of privileged system calls on behalf of the parent. Also, if +chronyd+ is compiled with support for the Linux secure computing (seccomp) facility, you can enable a system call filter with the +-F+ option.
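Review bot: In the chrony.texi.in hunk for the -u option, the new sentence "On Linux, @code{chronyd} needs to be compiled with support for the @code{libcap} library" no longer says what the requirement is for, because the "It may be set to a non-root user only when" clause it depended on was removed. Suggest tying it to the privilege drop, for example "On Linux, switching to a non-root user requires @code{chronyd} to be compiled with support for the @code{libcap} library", and documenting what happens when -u names a non-root user in a build without libcap.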
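Review bot: In the chrony.texi.in hunk for the user directive, the removed sentence "The parent process drops root privileges to run as the specified system user" has no replacement, so the new paragraph states that the child retains root but never says which process ends up running as the configured user. Suggest keeping that sentence after "on behalf of the parent"; the -u hunk in the same file and the chronyd.8.in hunk carry the same paragraph and have the same gap.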
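Review bot: The chronyd.8.in hunk rewords the -u description to "directive from the configuration file (default \fB@DEFAULT_USER@\fR)", while the matching -u text in chrony.texi.in keeps "@code{user} directive (default @code{@DEFAULT_USER@})", so the two copies of the same option text now differ. Suggest using one wording in both files. The man page also does not mention --with-user, which the texi user section and the FAQ now do, so the origin of the default is explained in two of the three documents only.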
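Review bot: The doc/faq.adoc hunk says "On other systems, +chronyd+ forks into two processes", which is broader than the list given in chrony.texi.in and chronyd.8.in ("On Mac OS X, FreeBSD, NetBSD and Solaris"). A reader on a system outside that list would take the FAQ as stating that privilege separation applies there too. Suggest naming the same systems in the FAQ so that the three documents agree on where the forked helper is used.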