[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Brian Utterback brian.utterback at sun.com
Sun Aug 23 20:35:09 UTC 2009

It would be opening a new kettle of fish to start restricting what 
could be set with :config. Could I not set statsdir to /etc and the 
statsfile name to passwd? So what is new?

Dave Hart wrote:
> On Sat, Aug 22, 2009 at 1:37 AM, Danny Mayer<mayer at ntp.org> wrote:
>> Dave Hart wrote:
>>> Definitely a SMP.  Since it is currently available to anyone without
>>> authentication, restricting to a single directory seemed wise.  Once
>>> it requires authentication, both the pathname and the
>>> non-existent-target restrictions can be removed as far as I know.
>> No. This is extremely dangerous. Paths need to be restricted, otherwise it
>> is a potential attack vector allowing people to overwrite the password
>> file, boot file, or anything else, particularly if ntpd is running as
>> root. Even within a root jail you are asking for trouble. The best
>> solution is to configure a write directory within the configuration file
>> and not allow that directory to be changed remotely.
> So I take it you also feel that "logfile" needs to be restricted from
> remote configuration as well, since it can be used to overwrite
> /etc/passwd and other fun files?  ntpq :config requires
> authentication, which probably the majority of users don't configure,
> but for those who do have it, you feel that the operator can not be
> trusted to avoid hosing himself?
> In case it's not clear, I'm suggesting (still and again) that if
> dumping the configuration is restricted to authenticated operators,
> they can be trusted to overwrite any file they name, in any location.
> Cheers,
> Dave Hart


It's bad civic hygiene to build technologies that could someday be
used to facilitate a police state. - Bruce Schneier
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
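
The restriction discussed in the quoted text above (a single write directory fixed in the local configuration file, plus a target that must not already exist), sketched as an added example; it is not ntpd source and not part of the original message. The names `open_dump_target`, `save_dir` and `remote_name` are hypothetical, and POSIX `openat` is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only a bare file name: no '/', and not "." or "..". */
static int is_bare_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* save_dir is read from the local configuration file only (assumption of
 * this example); remote_name is the untrusted name from the remote request.
 * Returns a writable fd for a newly created file, or -1 with errno set. */
int open_dump_target(const char *save_dir, const char *remote_name)
{
    int dirfd, fd, saved;
    if (!is_bare_name(remote_name)) {
        errno = EINVAL;
        return -1;
    }
    dirfd = open(save_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* O_CREAT|O_EXCL fails with EEXIST if the name already exists, including
     * when it is a symlink, so nothing is ever overwritten or followed. */
    fd = openat(dirfd, remote_name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    saved = errno;
    close(dirfd);
    errno = saved;
    return fd;
}

int main(int argc, char **argv)
{
    int fd;
    if (argc != 3)
        return 2; /* usage: prog save_dir file_name */
    fd = open_dump_target(argv[1], argv[2]);
    if (fd < 0)
        perror("refused");
    else
        close(fd);
    return fd < 0;
}
```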
