[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Brian Utterback via the NTP Bugzilla bugzilla at ntp.org
Sat Sep 12 02:33:21 UTC 2009


Additional Comments From brian.utterback at sun.com (Brian Utterback)
Submitted on 2009-09-12 02:33

Well, I am not sure I agree with Danny about MD5 being "trivial" to break. But 
the point I am trying to break is that there is a balance that each system 
admin must make about how much risk to allow versus the convenience of remote
access. As you noted, in some cases that would mean not allowing any remote 
access because the integrity of the system time is too important. In other 
cases the integrity of the time is not as important. The limited commands in 
ntpdc might be safe enough for some and not for others. However, the config 
and saveconfig commands are really too dangerous for general use, but we do 
not provide the tools to control them safely. And what is worse, it is 
unlikely that most admins will even know the danger.

Brian Utterback <brian.utterback at sun.com>
