cmdmon: make open commands configurable

Replace the hardcoded list of open commands (accessible over UDP), with a list that can be configured with a new "opencommands" directive. The default matches the original list. All read-only commands except accheck and cmdaccheck can be enabled. The naming follows the chronyc naming. Enable the N_SOURCES request only when needed. This makes it possible to have a full monitoring access without access to the Unix domain socket. It also allows restricting the monitoring access to a smaller number of commands if some commands from the default list are not needed. Mention in the man page that the protocol of the non-default commands is not consider stable and the information they provide may have security implications.
2025-12-07 09:35:07 -05:00 · 2025-02-11 12:27:23 +01:00
parent 51da7a0694
commit 1967fbf1f2
6 changed files with 148 additions and 17 deletions
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -2143,6 +2143,27 @@ An example of the use of the directive is:
 cmdratelimit interval 2
 ----

+[[opencommands]]*opencommands* [_command_]...::
+This directive specifies a list of monitoring commands to be enabled for the
+hosts allowed by the *cmdallow* directive. The following commands can be
+specified (the naming follows *chronyc*):
+
+*activity*+*+, *authdata*, *clients*, *manual*+*+, *ntpdata*, *rtcdata*+*+,
+*selectdata*, *serverstats*+*+, *smoothing*+*+, *sourcename*+*+, *sources*+*+,
+*sourcestats*, *tracking*+*+.
+
+The commands marked with +*+ are enabled by default. The protocol of these
+commands is considered stable and can be expected to work between different
+versions of *chronyc* and *chronyd*. The protocol of the other commands is not
+considered stable and different versions of *chronyc* and *chronyd* may not
+interoperate. When that happens, *chronyc* will print an '`Invalid command`' or
+'`Bad reply from daemon`' error.
+
+Note that some of the reported data can be potentially useful to attackers,
+enabling them to better observe and predict the internal state of *chronyd*.
+It is recommended to enable only commands that are actually needed for
+monitoring and limit the access to the hosts that need it.
+
 === Real-time clock (RTC)

 [[hwclockfile]]*hwclockfile* _file_::
--- a/doc/chronyc.adoc
+++ b/doc/chronyc.adoc
@@ -50,7 +50,7 @@ running under a non-root user), it will try to connect to 127.0.0.1 and then
 ::1.

 Only the following monitoring commands, which do not affect the behaviour of
-*chronyd*, are allowed from the network: *activity*, *manual list*,
+*chronyd*, are allowed from the network by default: *activity*, *manual list*,
 *rtcdata*, *smoothing*, *sourcename*, *sources*, *sourcestats*, *tracking*,
 *waitsync*. The
 set of hosts from which *chronyd* will accept these commands can be configured
@@ -58,7 +58,10 @@ with the <<chrony.conf.adoc#cmdallow,*cmdallow*>> directive in the *chronyd*'s
 configuration file or the <<cmdallow,*cmdallow*>> command in *chronyc*. By
 default, the commands are accepted only from localhost (127.0.0.1 or ::1).

-All other commands are allowed only through the Unix domain socket. When sent
+Other monitoring commands can be enabled for network access by the
+<<chrony.conf.adoc#opencommands,*opencommands*>> directive. Monitoring commands
+with disabled network access and commands that affect the behaviour of
+*chronyd* are allowed only through the Unix domain socket. If they are sent
 over the network, *chronyd* will respond with a '`Not authorised`' error, even
 if it is from localhost.