Date:      Thu, 28 Jun 2018 05:02:12 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        Thomas Steen Rasmussen <thomas@gibfest.dk>, Roger Marquis <marquis@roble.com>, freebsd-security@freebsd.org, freebsd-jail@freebsd.org
Subject:   Re: Jailing {open,}ntpd
Message-ID:  <5d28bb01-85e2-f08e-1bc8-865148c3cf9e@bluerosetech.com>
In-Reply-To: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>
References:  <nycvar.OFS.7.76.444.1806261238560.57821@mx.roble.com> <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>


On 06/27/2018 23:08, Thomas Steen Rasmussen wrote:
> Anything that speaks to untrusted network clients belongs in a jail, but 
> to my knowledge both ntpds are unjailable because they want to use some 
> kernel system calls (to adjust time) which are not allowed in jails (as 
> it should be).
> 
> In my opinion adjusting the local bios/cmos clock and keeping it in sync 
> with some upstream NTP source is a different task than serving NTP to 
> untrusted network clients (like an ISP is expected to do).
> 
> I'd love for one or both ntpds to have an option to only serve local 
> time, without attempting to adjust the clock, if such a feature is 
> possible.
> 
> I'd then keep an ntpd running in the base system which takes care of 
> keeping the system clock in-sync, and another in a jail which only reads 
> the time and serves it to network clients, but doesn't try to adjust or 
> speak to upstream NTPs.

You can do this by configuring the jailed ntpd with the local clock 
driver as a reference.  Doing this for an ntpd serving the general 
public would be evil.  NTP Pool Project membership prohibits using the 
local clock driver.

If your priority is something with a better security profile than an ISC 
daemon, run OpenNTPD instead.

For the ISC ntpd, configure a reference clock with a server line that 
has a magic number 127.127.0.0/16 address.  The "Reference Clock 
Support" section of ntp.conf(5) has more details.  The local clock is 
type 1.

OpenNTPD does not have reference clock support.
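The ISC ntpd configuration described above, written out as an ntp.conf fragment. This is an added example, not part of the original message or of the FreeBSD project: the type-1 local clock driver is selected with the 127.127.1.0 magic address as the message says; the `fudge ... stratum 10` line, the `disable ntp` switch (which turns off clock discipline so the jailed daemon only serves time) and the `restrict` lines are standard ntp.conf(5) directives added here as assumptions about how a serve-only jailed instance would be set up.

```conf
# ntp.conf for an ntpd running inside a jail that only SERVES time.
# It never talks to upstream servers and never tries to adjust the clock;
# the host's own ntpd keeps the system clock in sync.
#
# Reference clock addresses are 127.127.t.u: t = driver type, u = unit.
# Type 1 is the undisciplined local clock driver (see "Reference Clock
# Support" in ntp.conf(5)).
server 127.127.1.0

# Advertise a high stratum so no sane client prefers this source over a
# real one. Serving the local clock driver to the general public is
# discouraged (and forbidden for NTP Pool members); use it only for your
# own clients.
fudge 127.127.1.0 stratum 10

# Open the feedback loop: ntpd answers queries but does not call the
# time-adjustment syscalls that are unavailable in a jail.
disable ntp

# Serve time to everyone, but allow no remote configuration or
# mode 6/7 control queries from clients.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

Because nothing here disciplines the clock, the jailed instance simply re-serves whatever time the jail sees from the host kernel; the accuracy of what it serves is entirely the host ntpd's job.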
