Date: Tue, 15 Jan 2002 15:03:42 -0500 (EST) From: FreeBSD@jovi.net To: freebsd-questions@FreeBSD.ORG Cc: FreeBSD@jovi.net, freebsd-arch@FreeBSD.ORG Subject: Re: kern/33904: secure mode bug Message-ID: <200201152003.g0FK3gb04767@grant.org> In-Reply-To: <CD13C334-09D5-11D6-8ED3-003065D5E9A4@infospace.com> (message from William Carrel on Tue, 15 Jan 2002 08:34:52 -0800) References: <CD13C334-09D5-11D6-8ED3-003065D5E9A4@infospace.com>
next in thread | previous in thread | raw e-mail | index | archive | help
It would help to document or fix date/ntpdate/ntpd/...
to warn of this "clock clamp" trouble or better yet
fix settimeofday to return EPERM instead of trying
to second-guess the intent of the programmer.
If not, settimeofday documentation must clarify this silent lossage
of setting a time other than what the calling program specified.
If write were to sometimes read rather than report EROFS
we'd expect that to be prominently and frequently documented!
		Cheers
			--Devon
	 /"\
	 \ /	 ASCII Ribbon Campaign
	  X	  Help Cure HTML Mail
	 / \
PS:  Yes, I read everything you quote before writing the initial bug report.
While I was flogging ntpdate and tailing logs it was clear the kernel
was clamping the clock but it offered no clue as to how or why.
The fact that date/ntpdate/ntpd/... were silently failing was
especially confusing.  Silent failure can never be tolerated.
Yes, my hardware has major clock drift.  I am in the real world, I
have more things to do than read up on every ill considered experiment
that breaks stuff which used to work.  I enabled no secure level,
whoever configured the box did.  Time was silently failing.
At the very least, document trouble if you won't fix it.
Date: Tue, 15 Jan 2002 08:34:52 -0800
Reply-To: freebsd-questions@FreeBSD.ORG
From: William Carrel <william.carrel@infospace.com>
[This probably belongs to -questions.]
On Tuesday, January 15, 2002, at 07:26 AM, FreeBSD@jovi.net wrote:
> Thanks for your reply.
> I suggest escalating the trouble.
> Correct time is mission-critical on many systems
> and this is an issue of unreliable service under FreeBSD.
No.  This is an issue of a user not reading the appropriate 
documentation before changing the securelevel and then being surprised 
when it exhibits exactly the behavior documented there.  There are good 
reasons why time changes are clamped to one second under that 
securelevel.
> A settimeofday other than that programmed is worse than doing nothing.
> Three orders of magnitude is a complete failure by every reasonable 
> standard.
> Breaking date, ntpdate, ntpd, ... is a reliable indication of severe 
> failure.
> These programs now need rewriting to operate reliably.
No.  You need to run sync your clock before raising securelevel.  Or 
keep your securelevel down below two.  Of course, I'm sure you read this 
part of init(8)'s man page:
      2     Highly secure mode - same as secure mode, plus disks may not 
be
	    opened for writing (except by mount(2)) whether mounted or 
not.
	    This level precludes tampering with filesystems by unmounting 
them,
	    but also inhibits running newfs(8) while the system is 
multi-user.
	    In addition, kernel time changes are restricted to less than 
or
	    equal to one second.  Attempts to change the time by more 
than this
	    will log the message ``Time adjustment clamped to +1 second''.
If you sync before raising securelevel and then run ntpd, unless your 
box has severe problems with clock drift (like NetBSD/mac68k 
15mins/hour) it should stay in sync.  Be sure not to adjust other knobs 
like securelevel without knowing what you're doing and consulting the 
appropriate manpages, it will save you lots of pain.
Modifying these things to return ETIMEADJCLAMPED or some such seems a 
little silly, and would represent a pretty hairy delta into ntpd.
-- Andy
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201152003.g0FK3gb04767>
