[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command
davehart at gmail.com
Wed Aug 26 18:55:07 UTC 2009
On Wed, Aug 26, 2009 at 2:33 PM, Danny Mayer wrote:
> Dave Hart wrote:
>> And no one has answered my question about why we should be concerned
>> with overwriting a file with ntpq dumpcfg and not concerned about
>> remote configuration of "logfile" or another directive that can
>> overwrite security-sensitive files.
> We should be concerned about that too. I'm not sure why you would think
> that anyone would believe otherwise.
And yet, :config has been in ntpd for quite a while without anyone
suggesting it needs to be crippled to specially reject "logfille" and
other directives which can cause files to be overwritten. This can be
prevented by not configuring remote authentication, and/or using
"restrict ... nomodify". I feel the same holds regarding dumpcfg
(soon to be saveconfig).
More information about the hackers