From owner-freebsd-security@freebsd.org Thu Jun 28 12:02:13 2018
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9C47102FB1F; Thu, 28 Jun 2018 12:02:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com)
Received: from echo.brtsvcs.net (echo.brtsvcs.net [IPv6:2607:f740:c::4ae]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8AECC78815; Thu, 28 Jun 2018 12:02:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com)
Received: from chombo.houseloki.net (c-73-240-250-185.hsd1.or.comcast.net [73.240.250.185]) by echo.brtsvcs.net (Postfix) with ESMTPS id 7401038D07; Thu, 28 Jun 2018 05:02:11 -0700 (PDT)
Received: from [IPv6:fe80::7102:4df8:1f13:5c55] (unknown [IPv6:fe80::7102:4df8:1f13:5c55]) by chombo.houseloki.net (Postfix) with ESMTPSA id 1E099274E; Thu, 28 Jun 2018 05:02:10 -0700 (PDT)
Subject: Re: Jailing {open,}ntpd
To: Thomas Steen Rasmussen, Roger Marquis, freebsd-security@freebsd.org, freebsd-jail@freebsd.org
References: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>
From: Mel Pilgrim
Message-ID: <5d28bb01-85e2-f08e-1bc8-865148c3cf9e@bluerosetech.com>
Date: Thu, 28 Jun 2018 05:02:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <25837879-e464-0ed1-75f3-f4c43f47653c@gibfest.dk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 28 Jun 2018 12:02:13 -0000

On 06/27/2018 23:08, Thomas Steen Rasmussen wrote:
> Anything that speaks to untrusted network clients belongs in a jail, but
> to my knowledge both ntpds are unjailable because they want to use some
> kernel system calls (to adjust time) which are not allowed in jails (as
> it should be).
>
> In my opinion adjusting the local bios/cmos clock and keeping it in sync
> with some upstream NTP source is a different task than serving NTP to
> untrusted network clients (like an ISP is expected to do).
>
> I'd love for one or both ntpds to have an option to only serve local
> time, without attempting to adjust the clock, if such a feature is
> possible.
>
> I'd then keep an ntpd running in the base system which takes care of
> keeping the system clock in-sync, and another in a jail which only reads
> the time and serves it to network clients, but doesn't try to adjust or
> speak to upstream NTPs.

You can do this by configuring the jailed ntpd with the local clock driver as a reference. Doing this for an ntpd serving the general public would be evil. NTP Pool Project membership prohibits using the local clock driver. If your priority is something with a better security profile than an ISC daemon, run OpenNTPD instead.

For the ISC ntpd, configure a reference clock with a server line that has a magic number 127.127.0.0/16 address. The "Reference Clock Support" section of ntp.conf(5) has more details. The local clock is type 1. OpenNTPD does not have reference clock support.
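The split Mel describes (a host ntpd that disciplines the clock and never talks to the network at large, plus a jailed ntpd that only reads the shared kernel clock and serves it) written out as two ISC ntp.conf files. This is an added example, not configuration from the thread or from the FreeBSD or ntp projects; the upstream pool hostnames, the /etc/ntp.conf paths and the choice of stratum 10 for the fudge are assumptions, and whether the jailed daemon tolerates its adjtime/ntp_adjtime calls being refused is exactly the point Mel is making above, not something this fragment proves. The local clock driver is refclock type 1, so its address in the 127.127.t.u scheme is 127.127.1.0 for unit 0.

```conf
# ---- /etc/ntp.conf on the host (base system) ----
# Disciplines the kernel clock from upstream and answers nobody else.
# Hostnames are assumptions; use whatever upstream you trust.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift

# Drop every packet by default; "restrict source" re-admits only replies
# from the servers configured above, so the host never serves time.
restrict default ignore
restrict -6 default ignore
restrict source nomodify notrap noquery
restrict 127.0.0.1
restrict -6 ::1

# ---- /etc/ntp.conf inside the jail (serve-only) ----
# Reference clock type 1 (local clock), unit 0.  The jail sees the host's
# already-disciplined kernel clock, so this daemon only reads it.
server 127.127.1.0
fudge 127.127.1.0 stratum 10   # assumed value; clients will see stratum 11

# Never touch the clock: no time/frequency discipline, no kernel PLL.
# settimeofday(2)/adjtime(2) are refused inside a jail regardless.
disable ntp
disable kernel
# No MRU list: nothing for a monlist-style reflection query to return.
disable monitor

# Serve time only.  noquery blocks mode 6/7 control traffic (ntpq/ntpdc),
# nomodify/notrap/nopeer block runtime reconfiguration and peering,
# kod rate-limits abusive clients with kiss-o'-death packets.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
```

Two caveats a practitioner should keep in mind. First, as Mel says, a local clock reference is only acceptable for a private or LAN audience; the fudge line advertises a low stratum so clients can tell this server is not a primary source, and the NTP Pool Project forbids the local clock driver outright. Second, "disable ntp" stops the feedback loop but does not stop ntpd from polling the refclock and running clock selection, which is what keeps the served leap and stratum fields sane; if the host ntpd loses sync the jail will keep serving whatever the kernel clock says, so monitor the host side.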