Date:      Sat, 11 Aug 2001 09:29:21 -0400
From:      "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To:        Lamont Granquist <lamont@scriptkiddie.org>, "'freebsd-stable@freebsd.org'" <freebsd-stable@FreeBSD.ORG>
Subject:   (OT) Re: NTPD in upcoming release?
Message-ID:  <13790000.997536561@vpn48.ece.cmu.edu>
In-Reply-To: <20010810221054.F26163-100000@coredump.scriptkiddie.org>
References:   <20010810221054.F26163-100000@coredump.scriptkiddie.org>

On Friday, August 10, 2001 22:22:05 -0700, Lamont Granquist 
<lamont@scriptkiddie.org> wrote:
+-----
| It's an ugly, ugly, ugly hack that needs to be replaced with something much
| more robust.  I agree.  But you know tomorrow you could have security
| holes in both IIS and ntp released, and some asshole could adapt Code Red
| to it with a secondary payload that attacked ntpd servers and executed "rm
| -rf /".  That'd probably really suck.
+--->8

In a sense, the real hack is syncing time over the Internet.  The "correct" 
fix is to sync to commonly available and inexpensive GPS clocks, use NTP 
only within an internal network, and block NTP packets from outside the 
network completely (if ntpd's own code isn't trusted for this, stick a 
hosts_access() call immediately after the packet receive).

Which is not to say that ntpd shouldn't be changed to run as non-root, but 
making a key aspect of your machine environment (and one which is generally 
an important base for the security infrastructure!) directly or indirectly 
dependent on the integrity of remote servers not under your control, and 
that of the link to them, is iffy at best.

(Another point is that ntpd should be split; there should be a small, 
easily verifiable root component which communicates with the main body of 
ntpd over a pipe/socket.  This is still useful from a minimal-privileges 
standpoint even if you replace root with an adjtime capability.)

-- 
brandon s. allbery  [os/2][linux][solaris][freebsd]   allbery@kf8nh.apk.net
system administrator   [JAPH][WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering                                   KF8NH
carnegie mellon university     [linux: proof of the million monkeys theory]
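
The split proposed in the message's closing parenthetical, as an added example (not part of the original e-mail and not ntpd's code): a small privileged monitor accepts one fixed-size request type over a socketpair and enforces a bound, while the worker that would handle network input runs in a separate process. The names `adj_req`, `MAX_SLEW_USEC`, `monitor_serve` and `run_demo` and the 0.5 s bound are assumptions, and a counter stands in for adjtime(2) so the code runs without root.

```c
#include <stdint.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SLEW_USEC 500000       /* assumed policy: refuse adjustments over 0.5 s */
struct adj_req { int64_t usec; };  /* the only message the privileged side accepts */
static int64_t applied_total;      /* stand-in for the clock, so no root is needed */

/* The privileged side's entire policy: a bounded adjustment and nothing else. */
int adj_allowed(const struct adj_req *r) {
    return r->usec >= -MAX_SLEW_USEC && r->usec <= MAX_SLEW_USEC;
}

/* Small root component: read fixed-size requests, validate, apply, answer 1 or 0. */
int monitor_serve(int fd) {
    struct adj_req r;
    int applied = 0;
    while (read(fd, &r, sizeof r) == (ssize_t)sizeof r) {
        char ok = adj_allowed(&r);
        if (ok) { applied_total += r.usec; applied++; }  /* real monitor: adjtime(2) */
        if (write(fd, &ok, 1) != 1) break;
    }
    return applied;  /* read() returned EOF or a short message: worker is gone */
}

/* Main body: a real daemon drops root here, then handles network packets. */
static void worker(int fd) {
    struct adj_req reqs[2] = { { 1200 }, { 3600LL * 1000000 } };  /* sane, then hostile */
    char ok;
    for (int i = 0; i < 2; i++)
        if (write(fd, &reqs[i], sizeof reqs[i]) < 0 || read(fd, &ok, 1) != 1) break;
    _exit(0);
}

/* Returns the total adjustment applied in microseconds (1200), or -1 on failure. */
int run_demo(void) {
    int sv[2];
    applied_total = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[0]); worker(sv[1]); }
    close(sv[1]);
    int n = pid > 0 ? monitor_serve(sv[0]) : -1;
    close(sv[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return n == 1 ? (int)applied_total : -1;
}

int main(void) { return run_demo() == 1200 ? 0 : 1; }
```

Even if the worker is fully compromised, the most it can ask the monitor for is a clock adjustment inside the configured bound.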

