[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Terje Mathisen terje at tmsw.no
Sat Aug 22 07:59:11 UTC 2009


Danny Mayer wrote:
> Dave Hart wrote:
>> On Mon, Aug 17, 2009 at 5:09 PM, Brian Utterback wrote:
>>> Why can't it have a full or relative path? Is there a technical reason, or
>>> is it a SMP (Simple Matter of Programming)? It seems like a strange
>>> limitation.
>> Definitely a SMP.  Since it is currently available to anyone without
>> authentication, restricting to a single directory seemed wise.  Once
>> it requires authentication, both the pathname and the
>> non-existent-target restrictions can be removed as far as I know.
> 
> No. This is extremely dangerous. Paths need to be restricted otherwise it
> is a potential attack vector allowing people to overwrite the password

I agree.

> file, boot file, or anything else, particularly if ntpd is running as
> root. Even within a root jail you are asking for trouble. The best
> solution is to configure a write directory within the configuration file
> and not allow that directory to be changed remotely.

No, the 'best solution' is to return the configuration to the machine 
doing the query, just like monlist and other long response queries.

Terje

-- 
- <Terje at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
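
The two restrictions discussed in this thread (a bare filename confined to one locally chosen directory, and refusal of an existing target) sketched in C as an added example; it is not ntpd's code and not from any participant in the thread. The names `is_bare_filename` and `save_dump` and the scratch directory are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* openat, O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not ntpd code: accept only a bare filename. */
static int is_bare_filename(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL && strchr(name, '\\') == NULL;
}

/* Create `name` inside the locally configured `dir` and write `data`.
 * Returns 0 on success, -1 on refusal (errno EINVAL/EEXIST) or I/O failure. */
static int save_dump(const char *dir, const char *name,
                     const char *data, size_t len)
{
    int dfd, fd, saved;
    ssize_t n;
    if (!is_bare_filename(name)) { errno = EINVAL; return -1; }
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    /* O_EXCL refuses an existing target, including a symlink at that name. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0) return -1;
    n = write(fd, data, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

int main(void)
{
    char tmpl[] = "/tmp/dumpcfgXXXXXX";   /* constructed scratch directory */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return 1;
    printf("new file:      %d\n", save_dump(dir, "ntp.conf.dump", "x\n", 2));
    printf("path escape:   %d\n", save_dump(dir, "../passwd", "x\n", 2));
    return 0;
}
```

The directory argument stands in for a value read from the local configuration file; nothing in the request can change it.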

