[ntp:questions] Re: server's address in ntp payload?

Danny Mayer mayer at gis.net
Thu Nov 24 03:32:44 UTC 2005


Brian Utterback wrote:
> Danny Mayer wrote:
> 
>> Brian Utterback wrote:
> 
> 
>>> Explain to me why it is necessary to bind all the addresses on a system
>>> with a UNIX privilege model. I can not see any scenario where it stops
>>> any threat for port 123. For ports above 1024, I know of some issues,
>>> which is why Solaris added the EXCL_BIND socket option. But as I said,
>>> it is a non-issue on UNIX systems for port 123.
>>>
>>
>>
>> That's not true. Any application in the startup or that gains root
>> privilege can potentially bind to port 123 on any address. It's bad to
>> make assumptions on what happens to a system under attack or just
>> accidentally. I've lost count of the number of times that people end up
>> running two copies of ntpd on a system not realising that they are.
> 
> 
> That you can start up two NTP processes is a flaw in NTP not a need
> to bind all the addresses. NTP could and should detect this even if
> only the wildcard address is bound.
> 

No, NTP does not allow you to start two NTP processes as the second one
does not gain access to the ntp port for any address. However, who says
that they have to be the same application? Binding to just the wildcard
addresses does not being a different application cannot bind to a
specific address.

> Sure, any application that is running as root could bind port 123.
> What scenario do you envision where a root process accidentally
> binds a specific interface address to port 123 and does not bind
> the port to the wildcard address? If you are talking about a deliberate
> such binding, then since the process is root, binding all the interfaces
> is no protection.
> 

Actually it should be. If you are saying that more than one application
can share an address, then setting the socket option SO_REUSEADDR to
disallow that is of no value and I would ask why if it were ignored.
Does Solaris ignore this flag?

> I still see no scenario where binding all the addresses is useful on
> UNIX, except to be able to determine the destination address. And of
> course, I stil ldo not believe that even this should be necessary.
> 

I had consulted with someone who is much more of an Internet Security
expert than me and this decision was partly based on his input, but I
did agree with his reasons. I have blind copied him and he will reply if
he chooses to do so.

Danny



More information about the questions mailing list