From: Nick Sayer
Date: Mon, 5 Apr 1999 19:02:52 -0700 (PDT)
To: hackers@freebsd.org
Subject: Revised suggestion for securelevel negative time deltas
Message-Id: <199904060202.TAA31558@medusa.kfu.com>

Thanks to Garance A. Drosihn for a better idea.

Attempts to negatively offset the clock are clamped to one second less than the highest the clock has yet reached. This will allow xntpd (or a miscreant, alas) to "freeze" the clock in place, but not go backwards in time beyond a second.

Here is a proposed patch. Note the big blank spot where a proposal for handling positive deltas should go. :-)

--- kern_time.c.orig Fri Apr 2 13:35:13 1999 +++ kern_time.c Fri Apr 2 13:34:11 1999 @@ -77,7 +77,8 @@ settime(tv) struct timeval *tv; { - struct timeval delta, tv1; + struct timeval delta, tv1, tv2; + static struct timeval maxtime; struct timespec ts; int s;
@@ -88,13 +89,30 @@ /* * If the system is secure, we do not allow the time to be - * set to an earlier value (it may be slowed using adjtime, - * but not set back). This feature prevent interlopers from - * setting arbitrary time stamps on files. + * set to a value earlier than 1 second less than the highest + * time we have yet seen. The worst a miscreant can do in + * this circumstance is "freeze" time. He couldn't go + * back to the past. */ - if (delta.tv_sec < 0 && securelevel > 1) { - splx(s); - return (EPERM); + if (securelevel > 1) { + if (delta.tv_sec < 0 || delta.tv_usec < 0) { + if ( tv1.tv_sec > maxtime.tv_sec ) + maxtime=tv1; + tv2=maxtime; + timevalsub( &tv2, &tv ); + if ( tv2.tv_sec < -1 ) { + tv.tv_sec=maxtime.tv_sec-1; + } + } + else { + /* XXX + * We have to figure out how to be secure + * in this case. Allowing arbitrary + * positive increases allows a miscreant + * to simply wrap time around the end + * of time. + */ + } } ts.tv_sec = tv->tv_sec;
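Review bot: in the @@ -77,7 +77,8 @@ hunk, the new `static struct timeval maxtime;` needs a comment saying what it records (the highest clock value seen at a securelevel > 1 backward-set attempt), since a function-static that persists across every call to settime() is not obvious from the declaration alone; `tv2` is only scratch for one subtraction, so either a descriptive name or a comment would help there too. It is also worth stating that maxtime is zero until the first backward attempt, because nothing else in the patch initialises it; that is harmless here only because tv1.tv_sec will always be greater than 0 when the comparison in the second hunk runs.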
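Review bot: the @@ -88,13 +89,30 @@ hunk will not compile as written, because `tv` is a `struct timeval *` (the first hunk shows `struct timeval *tv;` and the trailing context line is `ts.tv_sec = tv->tv_sec;`), so `timevalsub( &tv2, &tv );` passes a `struct timeval **` and `tv.tv_sec=maxtime.tv_sec-1;` applies `.` to a pointer; these should be `timevalsub(&tv2, tv);` and `tv->tv_sec = maxtime.tv_sec - 1;`. The clamp test also looks inverted: given that timevalsub(a, b) stores a - b in a, as the kernel's does, `tv2=maxtime; timevalsub( &tv2, &tv );` leaves tv2 = maxtime - *tv, which inside the negative-delta branch is never negative (the requested time is below the current time and maxtime is at least the current time), so `tv2.tv_sec < -1` can never be true and no clamping ever happens; the quantity the comment describes is *tv - maxtime, i.e. `tv2 = *tv; timevalsub(&tv2, &maxtime);`. Note further that `delta` was computed from the unclamped *tv before this block and is not recomputed after tv->tv_sec is rewritten, so anything later in settime() that uses delta still sees the original backward step. Finally, the empty `else` holding only the XXX comment would read better as a comment above the `if` until the positive-delta case is actually handled.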