[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Dave Hart davehart at gmail.com
Sat Aug 22 19:01:39 UTC 2009


On Sat, Aug 22, 2009 at 1:37 AM, Danny Mayer<mayer at ntp.org> wrote:
> Dave Hart wrote:
>> Definitely a SMP.  Since it is currently available to anyone without
>> authentication, restricting to a single directory seemed wise.  Once
>> it requires authentication, both the pathname and the
>> non-existent-target restrictions can be removed as far as I know.
>
> No. This is extremely dangerous. Paths need to restricted otherwise it
> is a potential attack vector allowing people to overwrite the password
> file, boot file, or anything else, particularly if ntpd is running as
> root. Even within a root jail you are asking for trouble. The best
> solution is to configure a write directory within the configuration file
> and not allow that directory to be changed remotely.

So I take you also feel that "logfile" needs to be restricted from
remote configuration as well, since it can be used to overwrite
/etc/passwd and other fun files?  ntpq :config requires
authentication, which probably the majority of users don't configure,
but for those who do have it, you feel that the operator can not be
trusted to avoid hosing himself?

In case it's not clear, I'm suggesting (still and again) that if
dumping the configuration is restricted to authenticated operators,
they can be trusted to overwrite any file they name, in any location.

Cheers,
Dave Hart


More information about the hackers mailing list