From owner-freebsd-stable Sat Aug 11 6:29:42 2001
Date: Sat, 11 Aug 2001 09:29:21 -0400
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To: Lamont Granquist, "'freebsd-stable@freebsd.org'"
Subject: (OT) Re: NTPD in upcoming release?
Message-ID: <13790000.997536561@vpn48.ece.cmu.edu>
In-Reply-To: <20010810221054.F26163-100000@coredump.scriptkiddie.org>

On Friday, August 10, 2001 22:22:05 -0700, Lamont Granquist wrote:
+-----
| It's an ugly, ugly, ugly hack that needs to be replaced with something much
| more robust.  I agree.  But you know tomorrow you could have security
| holes in both IIS and ntp released, and some asshole could adapt code red
| to it with a secondary payload that attacked ntpd servers and executed "rm
| -rf /".  That'd probably really suck.
+--->8

In a sense, the real hack is syncing time over the Internet.  The "correct"
fix is to sync to commonly available and inexpensive GPS clocks, use NTP only
within an internal network, and block NTP packets from outside the network
completely (if ntpd's own code isn't trusted for this, stick a hosts_access()
call immediately after the packet receive).
Which is not to say that ntpd shouldn't be changed to run as non-root, but
making a key aspect of your machine environment (and one which is generally an
important base for the security infrastructure!) directly or indirectly
dependent on the integrity of remote servers not under your control, and that
of the link to them, is iffy at best.

(Another point is that ntpd should be split; there should be a small, easily
verifiable root component which communicates with the main body of ntpd over a
pipe/socket.  This is still useful from a minimal-privileges standpoint even if
you replace root with an adjtime capability.)

-- 
brandon s. allbery     [os/2][linux][solaris][freebsd]     allbery@kf8nh.apk.net
system administrator        [JAPH][WAY too many hats]       allbery@ece.cmu.edu
electrical and computer engineering                                        KF8NH
carnegie mellon university          [linux: proof of the million monkeys theory]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
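The split the message proposes, shown as an added example that is neither ntpd's code nor the poster's: a small root component whose only job is to read fixed-size slew requests from a socketpair, bounds-check them and call adjtime(2), with everything else running in a child that has dropped privileges. The 128 ms per-request cap, the "nobody" account used for the drop, the 8-byte request record and the ADJ_OK/ADJ_REJECTED reply byte are all assumptions made for this example. Run without arguments it is a dry run that never touches the clock; `--apply` as root performs the real slew.

```c
/* privsep_adj.c: privilege-separated adjtime helper (added example, not ntpd code).
 * Root side: read one record, validate it, call adjtime(2).  Nothing else.
 * Child side: drops to "nobody" and only ever talks to root over the socketpair. */
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern int adjtime(const struct timeval *delta, struct timeval *olddelta);

struct adj_req { int64_t delta_usec; };        /* wire format, child -> root: one fixed record */
enum { ADJ_OK = 0, ADJ_REJECTED = 1 };         /* reply byte, root -> child */

/* Assumed policy for this example: a compromised child may nudge the clock by
 * at most +/-128 ms per request; it can never step it by hours. */
#define MAX_SLEW_USEC 128000LL

int validate_adj(int64_t delta_usec)
{
    return (delta_usec >= -MAX_SLEW_USEC && delta_usec <= MAX_SLEW_USEC) ? 0 : -1;
}

/* Exactly one record or nothing: the root side parses no variable-length input. */
int decode_adj(const unsigned char *buf, size_t len, struct adj_req *out)
{
    if (len != sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* Microseconds -> normalised timeval (tv_usec always in 0..999999). */
void usec_to_timeval(int64_t usec, struct timeval *tv)
{
    int64_t s = usec / 1000000, u = usec % 1000000;
    if (u < 0) { u += 1000000; s -= 1; }
    tv->tv_sec = (time_t)s;
    tv->tv_usec = (suseconds_t)u;
}

/* Root-side handler.  dry_run skips the syscall so the policy can be exercised
 * unprivileged.  Returns ADJ_OK, ADJ_REJECTED, or -1 if adjtime(2) fails. */
int handle_adj(const struct adj_req *r, int dry_run, struct timeval *applied)
{
    if (validate_adj(r->delta_usec) != 0) return ADJ_REJECTED;
    usec_to_timeval(r->delta_usec, applied);
    if (!dry_run && adjtime(applied, NULL) != 0) return -1;
    return ADJ_OK;
}

static void drop_privs(void)            /* assumes a "nobody" account exists */
{
    if (geteuid() != 0) return;
    struct passwd *pw = getpwnam("nobody");
    if (!pw || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { perror("drop_privs"); _exit(1); }
}

static void serve_root(int fd, int dry_run)   /* root side: serve until child closes */
{
    unsigned char buf[sizeof(struct adj_req)];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        struct adj_req r; struct timeval tv;
        unsigned char status = ADJ_REJECTED;
        if (decode_adj(buf, (size_t)n, &r) == 0 && handle_adj(&r, dry_run, &tv) == ADJ_OK)
            status = ADJ_OK;
        if (write(fd, &status, 1) != 1) break;
    }
}

static int run_child(int fd)            /* unprivileged side: one sane request, one absurd one */
{
    const int64_t deltas[] = { 50000, 3600LL * 1000000 };
    for (size_t i = 0; i < 2; i++) {
        struct adj_req r = { deltas[i] };
        unsigned char status;
        if (write(fd, &r, sizeof r) != (ssize_t)sizeof r || read(fd, &status, 1) != 1) return 1;
        printf("child: delta %lld us -> %s\n", (long long)r.delta_usec,
               status == ADJ_OK ? "applied" : "rejected");
    }
    return 0;
}

int main(int argc, char **argv)
{
    int dry_run = !(argc > 1 && strcmp(argv[1], "--apply") == 0);
    int sv[2], st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) { close(sv[0]); drop_privs(); _exit(run_child(sv[1])); }
    close(sv[1]);
    serve_root(sv[0], dry_run);         /* the only code that ever runs as root */
    close(sv[0]);
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}
```

The point of the shape is that the root side never sees a network packet and never parses anything but an 8-byte record it bounds-checks; a compromise of the child buys an attacker at most a 128 ms slew per request, and the root half is small enough to be read end to end. On systems with capabilities the parent could hold just the clock-adjust capability instead of full root; the split still pays for itself, as the message notes.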