Comment 5 for bug 1746444

Per [1] I found a better solution.

There is a defined entry for that in systemd, so it comes down to the even easier.

RuntimeDirectory=chrony
RuntimeDirectoryMode=0770

For user&group (which we need) we also need to set User & Group but that would affect ExecStart which would break it.

Via [2] and IRC discussion I found a way through that.
One can set user/group but ignore it for the execution.

User=_chrony
Group=_chrony
And add a ! at ExecStart

I'll check if the Priv/Protect settings are affected (They would be at ExecStart=+.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2]: https://www.freedesktop.org/software/systemd/man/systemd.service.html