Date: Fri, 2 Apr 1999 12:07:25 -0500 From: Garance A Drosihn <drosih@rpi.edu> To: Nick Sayer <nsayer@quack.kfu.com>, freebsd-hackers@FreeBSD.ORG Subject: Re: Suggestion: loosen slightly securelevel>1 time change restriction Message-ID: <v04011702b32a992b0d5c@[128.113.24.47]> In-Reply-To: <199904020033.QAA09981@medusa.kfu.com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 4:33 PM -0800 4/1/99, Nick Sayer wrote: > [...] setting the time to any point in the past (...) is not allowed > if the securelevel of the system is >1. The problem with this is that > even if you run ntpdate at boot time, xntpd can occasionally want to > make small negative steps. > > I suggest easing up slightly on the restriction. Say, negative steps > of more than a minute are disallowed. I understand the problem you're interested in, but that's the wrong solution... Of course, that begs the question "What is the right solution?". If someone has a PC which does have a slightly-fast clock, how can that be handled under securelevels>1? I am not using securelevels yet, but it's something I do hope to look into at some point. My PC does gain about a second a day. Need a solution something more like 'you can never jump back more than 1 second prior to the maximum value of time ever seen after the machine switched into securelevel'... (and attempts to do more than one second will only change the clock by one second). At that point, the worst an evil hacker could do is keep time from going forward (by running an infinite loop of setting the time back), but they couldn't really screw around with setting older time values. --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04011702b32a992b0d5c>