The vulnerability is caused by the insecure creation of the pid file, which is written at a stage when chronyd has not yet dropped privileges and is still running as root. At the same time, the /run/chrony directory into which the pid file is written is created with permissions 0750 and assigned to the "chrony" user and group, either via systemd-tmpfiles or when chronyd is started. Thus, anyone with access to the chrony user can replace the /run/chrony/chronyd.pid file with a symbolic link. The link can point to any system file, which will then be overwritten when chronyd is started.
root# systemctl stop chronyd.service
root# sudo -u chrony /bin/bash
chrony$ cd /run/chrony
chrony$ ln -s /etc/shadow chronyd.pid
chrony$ exit
root# /usr/sbin/chronyd -n
^C
# instead of the contents of /etc/shadow, the process ID of chronyd will be saved
root# cat /etc/shadow
15287
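Added example, not chrony's code and not part of the original post: a hardened pid-file writer in C that refuses a symbolic link (or a planted hard link) at the pid-file path, plus a self-check that rebuilds the layout shown above in a scratch directory and confirms the target file is left intact. The function names and the /tmp scratch paths are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened PID-file writer. fopen(path, "w") follows a symlink and truncates
 * its target: the failure the advisory describes when the writer still runs
 * as root in a directory owned by an unprivileged user. O_NOFOLLOW makes
 * open() fail with ELOOP if the last component is a symlink; fstat() on the
 * open descriptor (no TOCTOU window) then rejects anything but a regular
 * file with one link, so a planted hard link is refused too. */
int write_pid_file_safe(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;                     /* errno == ELOOP: symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (ftruncate(fd, 0) < 0 || write(fd, buf, (size_t)n) != n) {
        close(fd); return -1;
    }
    return close(fd);
}

/* Self-check reproducing the advisory's layout in a scratch directory: a
 * symlink named chronyd.pid pointing at a "sensitive" file. Returns 1 when
 * the link is refused with the target intact and the regular file itself
 * is still written normally; 0 otherwise. */
int pid_file_selfcheck(void) {
    char dir[] = "/tmp/pidcheckXXXXXX", target[64], link[64], buf[64] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/sensitive", dir);
    snprintf(link, sizeof link, "%s/chronyd.pid", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("secret\n", f) < 0 || fclose(f) || symlink(target, link)) return 0;
    int ok = write_pid_file_safe(link, getpid()) == -1 && errno == ELOOP;
    if ((f = fopen(target, "r"))) { ok = ok && fgets(buf, sizeof buf, f); fclose(f); } else ok = 0;
    ok = ok && !strcmp(buf, "secret\n");
    ok = ok && write_pid_file_safe(target, getpid()) == 0;
    if ((f = fopen(target, "r"))) { ok = ok && fgets(buf, sizeof buf, f); fclose(f); } else ok = 0;
    ok = ok && atoi(buf) == (int)getpid();
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

The refusal only limits the damage; the root cause named above, writing the file as root into a directory owned by the service user, is what should be removed.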
Vulnerability
SUSE and openSUSE problem
Source: opennet.ru