[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Hal Murray hmurray at megapathdsl.net
Wed Aug 26 21:08:12 UTC 2009


davehart at gmail.com said:
> And yet, :config has been in ntpd for quite a while without anyone
> suggesting it needs to be crippled to specially reject "logfille" and
> other directives which can cause files to be overwritten. 

There are (at least) two ways to interpret that:

1) dumpcfg isn't a problem either.

2) We need to pay more attention to security so we discuss things like 
:config sooner.


I think there are two types of security issues.  (I'm not sure this 
distinction is important.)

One is asjusting the time on a system so you can use other attacks on it or 
machines that use it for a time server, say by telling it to use some bogus 
servers you control.  (Lots of other security related protocols depend on 
both ends having the same/correct time.)

The other is attacking the system itself, say by overwriting a security 
enabling control file or a denial-of-service by writing log files on a file 
system that is close to full.



-- 
These are my opinions, not necessarily my employer's.  I hate spam.





More information about the hackers mailing list