From owner-freebsd-hackers Sat Apr 3 22:49:21 1999
From: John Hay
Message-Id: <199904040647.IAA28163@zibbi.mikom.csir.co.za>
Subject: Re: Suggestion: loosen slightly securelevel>1 time change restriction
In-Reply-To: <199904020033.QAA09981@medusa.kfu.com> from Nick Sayer at "Apr 1, 1999 4:33:25 pm"
To: nsayer@quack.kfu.com (Nick Sayer)
Date: Sun, 4 Apr 1999 08:47:08 +0200 (SAT)
Cc: freebsd-hackers@FreeBSD.ORG

> At the moment, setting the time to any point in the past (that is,
> if the delta being applied is negative) is not allowed if the securelevel
> of the system is >1.
>
> The problem with this is that even if you run ntpdate at boot time,
> xntpd can occasionally want to make small negative steps.
>
> I suggest easing up slightly on the restriction. Say, negative steps of
> more than a minute are disallowed. It would seem to me that this would
> let xntpd operate correctly in most cases while still denying the
> opportunity for serious mischief to hackers desiring to wreak havoc
> with time warps.
>

I think that you should just tell ntpd that it can't step the time. With
xntpd 3.x it was a compile time define SLEWALWAYS and with ntpd 4.x the
-x command-line option can be used.

John
--
John Hay -- John.Hay@mikom.csir.co.za
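
The two options discussed in this message, as an added example that is not part of the original post and is not FreeBSD or ntpd source: a toy model showing that a per-call limit on backward steps lets repeated small steps add up, while slewing avoids steps at the cost of slow convergence. All names are hypothetical; the high-water-mark policy is an assumed alternative that the thread does not propose, and the 500 microseconds per second slew rate is an assumption about the daemon's maximum slew rate.

```c
#include <stdio.h>

/* Toy model, not FreeBSD kernel source. Times are whole seconds. */
typedef struct { long now, high_water; int securelevel; } sysclock;

/* Per-call rule: refuse a backward step larger than `limit` seconds.
 * limit = 0 is the rule the thread describes (no negative delta at all);
 * limit = 60 is the relaxation proposed in the quoted message. */
int step_per_call(sysclock *c, long delta, long limit) {
    if (c->securelevel > 1 && delta < -limit) return -1;
    c->now += delta;
    return 0;
}

/* Assumed alternative: measure the step against the highest time the
 * clock has ever shown, so small backward steps cannot accumulate. */
int step_high_water(sysclock *c, long delta, long limit) {
    if (c->now > c->high_water) c->high_water = c->now;
    if (c->securelevel > 1 && c->now + delta < c->high_water - limit) return -1;
    c->now += delta;
    return 0;
}

/* Seconds the clock ends up behind after n attempted steps of -step. */
long drift_after(int (*policy)(sysclock *, long, long), int n, long step, long limit) {
    sysclock c = { 1000000, 1000000, 2 };   /* constructed start time */
    for (int i = 0; i < n; i++) policy(&c, -step, limit);
    return 1000000 - c.now;
}

/* Seconds needed to slew away an offset at 500 us per second (assumed rate). */
long slew_seconds(long offset_us) { return offset_us / 500; }

int main(void) {
    printf("limit 0, per call:    %ld s\n", drift_after(step_per_call, 100, 59, 0));
    printf("limit 60, per call:   %ld s\n", drift_after(step_per_call, 100, 59, 60));
    printf("limit 60, high water: %ld s\n", drift_after(step_high_water, 100, 59, 60));
    printf("slew 200 ms:          %ld s\n", slew_seconds(200000));
    return 0;
}
```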