[ntp:questions] ntp.conf: noquery makes nomodify redundant?

Danny Mayer mayer at ntp.isc.org
Sun Dec 24 15:05:38 UTC 2006


woger151 at jqpx37.cotse.net wrote:
> I'm looking at the documentation, subsection "Access Control Commands,"
> section "Access Control Options," at URL
>     http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#cmd
> 
> The doc states "The flags are not orthogonal, in that more restrictive
> flags will often make less restrictive ones redundant."  And then
> 
> "noquery[:] Deny ntpq and ntpdc queries. Time service is not affected."
> 
> "nomodify[:] Deny ntpq and ntpdc queries which attempt to modify the
> state of the server (i.e., run time reconfiguration). Queries which
> return information are permitted."
> 
> A naive reading would indicate that noquery is stricter than nomodify,
> hence if one has noquery, nomodify is redundant.
> 

It is redundant. In the case of noquery, the packet gets dropped. In the
case of nomodify it accepts the packet from ntpdc but does not allow
requests to make changes to be made to the configuration.

> That, however, is contradicted by numerous examples on the web and
> usenet.

The examples aren't a contradiction, merely redundant as was commented
above. Never assume that examples available on the net are correct or
even useful. Without knowing what the specific examples are that you are
 asking about it's hard to comment further.

> 
> So is the naive reading incorrect?

No.

Danny



More information about the questions mailing list