[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Sat Sep 12 01:47:03 UTC 2009


http://bugs.ntp.org/1300



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-09-12 01:47

(In reply to comment #10)
> I do like the list that Brian posted, and I think we should work on
> discussing and implementing something.

Agreed.  I think a different bug should be filed, or the discussion moved out of 
this bug at any rate.

> I'm fine with Brian's suggestion of requiring explicit action to enable
> the saveconfig stuff for now, and if we can resolve this before 4.2.6 is
> released so much the better.

If you're going to make something opt-in in 4.2.6 to protect against users of 
ntp-stable being shocked by the new capability to brick or root their systems 
using ntpq, saveconfig is the wrong target.  Remote configuration is the issue.

-- 
Dave Hart <hart at ntp.org>


