Date:      Thu, 28 Jun 2018 05:02:12 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        Thomas Steen Rasmussen <thomas@gibfest.dk>, Roger Marquis <marquis@roble.com>, freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Subject:   Re: Jailing {open,}ntpd
Message-ID:  <5d28bb01-85e2-f08e-1bc8-865148c3cf9e@bluerosetech.com>
In-Reply-To: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>
References:  <nycvar.OFS.7.76.444.1806261238560.57821@mx.roble.com> <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>

On 06/27/2018 23:08, Thomas Steen Rasmussen wrote:
> Anything that speaks to untrusted network clients belongs in a jail, but 
> to my knowledge both ntpds are unjailable because they want to use some 
> kernel system calls (to adjust time) which are not allowed in jails (as 
> it should be).
> 
> In my opinion adjusting the local bios/cmos clock and keeping it in sync 
> with some upstream NTP source is a different task than serving NTP to 
> untrusted network clients (like an ISP is expected to do).
> 
> I'd love for one or both ntpds to have an option to only serve local 
> time, without attempting to adjust the clock, if such a feature is 
> possible.
> 
> I'd then keep an ntpd running in the base system which takes care of 
> keeping the system clock in sync, and another in a jail which only reads 
> the time and serves it to network clients, but doesn't try to adjust or 
> speak to upstream NTPs.

You can do this by configuring the jailed ntpd with the local clock 
driver as a reference.  Doing this for an ntpd serving the general 
public would be evil.  NTP Pool Project membership prohibits using the 
local clock driver.

If your priority is something with a better security profile than an ISC 
daemon, run OpenNTPD instead.

For the ISC ntpd, configure a reference clock with a server line that 
has a magic number 127.127.0.0/16 address.  The "Reference Clock 
Support" section of ntp.conf(5) has more details.  The local clock is 
type 1.

OpenNTPD does not have reference clock support.
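As an added illustration (not from Mel's post or from the ntp project), here is an ntp.conf fragment for the jailed, serve-only ISC ntpd described above: the type 1 local clock driver at 127.127.1.0 is the only reference, 192.0.2.0/24 is a constructed placeholder for the internal client network, and the stratum 10 fudge and `disable ntp` line are choices assumed here rather than taken from the post.

```conf
# Jailed, serve-only ISC ntpd: local clock driver as the sole reference.
# Reference clocks use the 127.127.t.u pseudo-address; t=1 is the local
# clock driver (see "Reference Clock Support" in ntp.conf(5)), u=0 is unit 0.
server 127.127.1.0 prefer
# Advertise a high stratum so clients never prefer this over a real source.
# (Assumed convention; the driver's built-in default is a lower stratum.)
fudge 127.127.1.0 stratum 10

# Do not attempt to discipline the system clock at all: the jail forbids the
# adjustment syscalls anyway, and the base-system ntpd owns that job.
disable ntp
disable kernel

# Deny everything by default, then allow time service only to the internal
# network. nomodify/notrap/nopeer/noquery leave clients with time requests
# only: no runtime reconfiguration, no traps, no peering, no ntpq/ntpdc.
restrict default ignore
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
# Allow ntpq from inside the jail for monitoring.
restrict 127.0.0.1
restrict ::1
```

Because the served time is only as good as the host clock the jail inherits, this configuration is suitable for internal clients only; as the post notes, publishing a local-clock-driven server to the general public (or the NTP Pool) is not acceptable.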
