Date: Tue, 06 Apr 1999 10:51:17 +0100
From: Niall Smart <niall@pobox.com>
To: Nick Sayer <nsayer@quack.kfu.com>
Cc: hackers@freebsd.org
Subject: Re: Revised suggestion for securelevel negative time deltas
Message-ID: <3709D915.E3592B05@pobox.com>
References: <199904060202.TAA31558@medusa.kfu.com>
Nick Sayer wrote:
>
> Thanks to Garance A Droshihn for a better idea.
>
> Attempts to negatively offset the clock are clamped to one second less
> than the highest the clock has yet reached. This will allow xntpd
> (or a miscreant, alas) to "freeze" the clock in place, but not
> go backwards in time beyond a second.
>
> Here is a proposed patch. Note the big blank spot where a proposal
> for handling positive deltas should go. :-)

Well, how about a sysctl (kern.maxclockdelta) which specifies the
maximum amount of seconds that the clock can be brought forward or back
in a specified period, say 7 days. This fixes the problem mentioned by
Matt Dillon (?) whereby an attacker can wind the clock forward
indefinitely and overflow a time_t. (Naturally this sysctl would be
read-only when securelevel > 1).

Regards,

Niall

> --- kern_time.c.orig	Fri Apr  2 13:35:13 1999
> +++ kern_time.c	Fri Apr  2 13:34:11 1999
> @@ -77,7 +77,8 @@
>  settime(tv)
>  	struct timeval *tv;
>  {
> -	struct timeval delta, tv1;
> +	struct timeval delta, tv1, tv2;
> +	static struct timeval maxtime;
>  	struct timespec ts;
>  	int s;
>
> @@ -88,13 +89,30 @@
>
>  	/*
>  	 * If the system is secure, we do not allow the time to be
> -	 * set to an earlier value (it may be slowed using adjtime,
> -	 * but not set back). This feature prevent interlopers from
> -	 * setting arbitrary time stamps on files.
> +	 * set to a value earlier than 1 second less than the highest
> +	 * time we have yet seen. The worst a miscreant can do in
> +	 * this circumstance is "freeze" time. He couldn't go
> +	 * back to the past.
>  	 */
> -	if (delta.tv_sec < 0 && securelevel > 1) {
> -		splx(s);
> -		return (EPERM);
> +	if (securelevel > 1) {
> +		if (delta.tv_sec < 0 || delta.tv_usec < 0) {
> +			if ( tv1.tv_sec > maxtime.tv_sec )
> +				maxtime=tv1;
> +			tv2=maxtime;
> +			timevalsub( &tv2, &tv );
> +			if ( tv2.tv_sec < -1 ) {
> +				tv.tv_sec=maxtime.tv_sec-1;
> +			}
> +		}
> +		else {
> +			/* XXX
> +			 * We have to figure out how to be secure
> +			 * in this case. Allowing arbitrary
> +			 * positive increases allows a miscreant
> +			 * to simply wrap time around the end
> +			 * of time.
> +			 */
> +		}
>  	}
>
>  	ts.tv_sec = tv->tv_sec;
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
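Review bot: the new `static struct timeval maxtime;` in the first hunk needs a comment saying what it holds and where it is refreshed. As a function-local static it starts at zero and is only updated on the negative-delta path in the second hunk, which is fine for the clamp but means no other code can treat it as the clock's high-water mark; a one-liner such as `static struct timeval maxtime; /* highest time seen by settime() at securelevel > 1 */` would make that intent obvious.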
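Review bot: the clamp in the second hunk's `if (delta.tv_sec < 0 || delta.tv_usec < 0)` block has a sign error and two type errors, so as posted it neither compiles nor clamps. `tv` is `struct timeval *` (see the `struct timeval *tv;` context in the first hunk), so `timevalsub( &tv2, &tv );` should pass `tv`, and `tv.tv_sec=maxtime.tv_sec-1;` should be `tv->tv_sec`. More importantly, this branch is only taken when the requested time is earlier than the current time `tv1` (the case the old `delta.tv_sec < 0` check rejected), and `maxtime.tv_sec` is at least `tv1.tv_sec` after the `if ( tv1.tv_sec > maxtime.tv_sec ) maxtime=tv1;` update, so `tv2 = maxtime - *tv` is never below -1 and `if ( tv2.tv_sec < -1 )` can never fire; the test wanted is `if ( tv2.tv_sec >= 1 )`, i.e. the request is a second or more below the high-water mark. The clamp also rewrites only `tv_sec` and leaves the caller's `tv_usec` in place; copying `maxtime.tv_usec` as well would make the "one second less" bound exact.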
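The backward clamp Nick describes and the per-window delta budget Niall proposes, modelled in user-space C as an added example (not the posted patch and not FreeBSD code): `secure_settime`, `struct clock_policy`, the `tv_sub` helper and the 3600 s `MAX_CLOCK_DELTA` value are assumptions standing in for kernel state and the proposed `kern.maxclockdelta` sysctl. The clamp test is written as `>= 1` so that it fires when a request is a second or more below the high-water mark.

```c
#include <stdlib.h>
#include <sys/time.h>
/* Assumed knobs standing in for the proposed kern.maxclockdelta sysctl:
 * whole seconds of adjustment allowed per window, and the 7-day window. */
#define MAX_CLOCK_DELTA 3600L
#define DELTA_WINDOW    (7L * 24 * 3600)

/* Kernel-side state; maxtime mirrors the patch's static "maxtime". */
struct clock_policy {
    struct timeval now;      /* current clock, stands in for microtime() */
    struct timeval maxtime;  /* highest time the clock has reached */
    long win_start;          /* tv_sec at which the current budget window began */
    long used;               /* seconds of adjustment spent this window */
};

static void tv_sub(struct timeval *a, const struct timeval *b) {
    a->tv_sec -= b->tv_sec;
    a->tv_usec -= b->tv_usec;
    if (a->tv_usec < 0) { a->tv_sec--; a->tv_usec += 1000000; }
}

/* Apply a time-setting request under securelevel > 1: backward steps are
 * clamped to one second below maxtime (freeze, never rewind) and every step
 * is charged to the window budget. Returns 0 if applied (tv holds the value
 * actually used), -1 if refused. */
int secure_settime(struct clock_policy *p, struct timeval *tv) {
    struct timeval delta, below;
    if (p->now.tv_sec > p->maxtime.tv_sec ||
        (p->now.tv_sec == p->maxtime.tv_sec &&
         p->now.tv_usec > p->maxtime.tv_usec))
        p->maxtime = p->now;                 /* refresh high-water mark */
    below = p->maxtime;
    tv_sub(&below, tv);                      /* maxtime - requested time */
    if (below.tv_sec >= 1) {                 /* 1 s or more into the past */
        tv->tv_sec = p->maxtime.tv_sec - 1;  /* clamp rather than reject */
        tv->tv_usec = p->maxtime.tv_usec;
    }
    delta = *tv;
    tv_sub(&delta, &p->now);
    long step = labs(delta.tv_sec);          /* whole seconds moved */
    if (p->now.tv_sec - p->win_start >= DELTA_WINDOW) {
        p->win_start = p->now.tv_sec;        /* window elapsed: reset budget */
        p->used = 0;
    }
    if (p->used + step > MAX_CLOCK_DELTA)
        return -1;                           /* would exceed budget: EPERM */
    p->used += step;
    p->now = *tv;
    return 0;
}
```

Because the window is measured on the clock being protected, a budgeted forward step also advances the window; the budget therefore bounds how far each window can be stretched, which is the limit the proposal is after.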