[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Brian Utterback brian.utterback at sun.com
Mon Aug 24 18:14:27 UTC 2009



> How did you resolve it?  Did you disable :config and :config-from-file?
> 
> Cheers,
> Dave Hart

No. There were actually two issues. Since the log file and the 
debugging file were made configurable using the command line option, 
one issue was the ability of someone given config authorization to 
set the logfile to an arbitrary string, potentially having an embedded 
command which would then be executed by the startup script. The other 
was the issue we have been discussing.

We ultimately deferred the issue since it takes a positive action by 
root to confer the authorizations. The ultimate solution will be to 
have a special non-priv account to run ntpd under. This will solve a 
lot of security issues.

-- 
blu

It's bad civic hygiene to build technologies that could someday be
used to facilitate a police state. - Bruce Schneier
----------------------------------------------------------------------
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
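
Added example (not part of the original message, and not code from ntpd or Solaris): one way a startup script could validate a configured logfile value before passing it to ntpd, so that a string with an embedded command is never interpreted by the shell. The directory /var/ntp, the default file name and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical startup-script helper (assumption, not the Solaris script).
LC_ALL=C; export LC_ALL          # make the character ranges below ASCII-only
ALLOWED_LOG_DIR="/var/ntp"       # assumed location for ntpd log files

# Return 0 only if $1 is a plain file path under ALLOWED_LOG_DIR.
logfile_is_safe() {
    value=$1
    [ -n "$value" ] || return 1
    case $value in
        # Anything outside the allowlist (spaces, ; $ ` | & newlines ...) fails.
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    case $value in
        */../*|*/..|*/) return 1 ;;        # traversal or a bare directory
        "$ALLOWED_LOG_DIR"/*) return 0 ;;  # must live under the allowed dir
    esac
    return 1
}

# Print the logfile to use: the configured value if safe, else a default.
choose_logfile() {
    if logfile_is_safe "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$ALLOWED_LOG_DIR/ntp.log"
    fi
}

# Constructed sample values, as they might arrive from a config property.
for candidate in '/var/ntp/ntp.log' '/var/ntp/x.log;id' '/tmp/ntp.log'; do
    if logfile_is_safe "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done

# The script would then start the daemon with the value quoted and never
# through eval or an unquoted expansion, for example:
#   logfile=$(choose_logfile "$configured_value")
#   ntpd -l "$logfile"
```

Validation in the startup script limits what a config-authorized user can make root execute; it does not replace running ntpd under a non-privileged account as described above.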

