When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.
Created chrony tracking bugs for this issue:
Affects: fedora-all [bug 1870299]
Name: Matthias Gerstner (Suse)
There's an issue in chrony when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup, while still running as the root user, and when it's opened for writing chronyd doesn't check if there's already a symbolic link with the same file name. An attacker with privileged access may leverage this issue by creating a symlink with the default pid file name pointing to any destination file in the system; this may cause data loss and/or denial of service as a result of the path traversal.
Upstream commits for this issue: