When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker who has compromised the chrony user account could create a symbolic link at the location of the pidfile, so that chronyd, which starts with root privileges, follows the symlink and writes its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service or data loss.
Created chrony tracking bugs for this issue: Affects: fedora-all [bug 1870299]
Acknowledgments: Name: Matthias Gerstner (Suse)
There's an issue in chrony when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup, while still running as the root user, and when it's opened for writing chronyd doesn't check if there's already a symbolic link with the same file name. An attacker with privileged access may leverage this issue by creating a symlink with the default pid file name pointing to any destination file in the system; this may cause data loss and/or denial of service as a result of the path traversal.
Upstream commits for this issue: https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74 https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
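As an added illustration of the hardened pattern for this class of bug (example code written here, not chrony's own code and not the content of the commits above): the pidfile is opened with O_NOFOLLOW so a planted symlink is rejected atomically, and a self-contained demonstration in a temporary directory shows the link target is never touched. The function names `write_pidfile_nofollow` and `demo_symlink_rejected` are assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened pidfile writer. The unsafe pattern is fopen(path, "w"), which follows a
 * symlink planted at `path` and truncates its target. O_NOFOLLOW makes open() fail
 * atomically with ELOOP instead, so there is no check-then-open race to exploit.
 * Caveat: O_NOFOLLOW only covers the final path component; parent directories must
 * still be root-owned. Returns 0 on success, -1 with errno set on failure. */
int write_pidfile_nofollow(const char *path, pid_t pid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;                                  /* ELOOP if `path` is a link */
    /* Also refuse FIFOs or device nodes planted instead of a symlink. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int written = dprintf(fd, "%ld\n", (long)pid) > 0;   /* pid text written */
    return (close(fd) == 0 && written) ? 0 : -1;
}

/* Demonstration in a private temp directory (constructed here): returns 1 when a
 * symlink at the pidfile path is rejected with ELOOP, a plain path is written, and
 * the link target was never created; 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", link[64], victim[64], plain[64];
    int ok = 0;
    if (!mkdtemp(dir))
        return 0;
    snprintf(link, sizeof link, "%s/chronyd.pid", dir); /* planted: chronyd.pid -> victim */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(plain, sizeof plain, "%s/plain.pid", dir);
    if (symlink(victim, link) == 0) {
        int rejected = write_pidfile_nofollow(link, getpid()) < 0 && errno == ELOOP;
        int written = write_pidfile_nofollow(plain, getpid()) == 0;
        ok = rejected && written && access(victim, F_OK) != 0;
    }
    unlink(link); unlink(plain); unlink(victim); rmdir(dir);
    return ok;
}
```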