Age | Commit message | Author |
|
for these. ok deraadt@
|
|
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
|
|
used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
|
|
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painful on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having the
machine taken over by ntpd.
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
the log destination changes. ok claudio@ benno@
|
|
ok benno@
|
|
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
|
|
This brings over the logic from bgpd & ospfd.
Input & OK deraadt
|
|
bonus: this exposed a few missing const qualifiers.
|
|
ok beck@ bluhm@ tb@
|
|
job at startup. After much anguish I accept dlg's solution of chdir
for the problem ("starting ntpd on a filesystem I want to unmount"),
but we cannot change the main-process daemon() call. Why? Because
the ntpd privsep design predates more modern designs where the config
file is parsed once, and configuration marshalled to the fork+exec
children. Instead each ntpd process re-parses the config, and if
we chdir before fork+exec startup, it will move the basedir causing
-f "relativepath" to fail.
discussed with florian
|
|
constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
|
|
harm if not deleted after the daemon is shut down and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
|
|
currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.
"sure" henning@
|
|
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
|
variables that were also never used
OK otto@
|
|
with this change we get the pledge() ability back to the parent process.
some tweaks from and ok reyk@
|
|
it, remove some verbose shutdown messages that we had before with pipe
close.
ok reyk@
|
|
ok reyk@, bcook@
|
|
part of the original ISC license that we use in OpenBSD. Done for
files where Henning is the original author.
OK henning@ deraadt@
|
|
for ntpd(8), removing the pledge call is a first step: further redesign will occur later.
ok reyk@ benno@
|
|
titles (including flags) to distinguish between daemons, this makes it
possible to manage multiple copies of a daemon using the normal infrastructure
by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@
|
|
process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@
|
|
ok reyk@
|
|
|
|
Instead, check the return value of fprintf() and fflush()
and call clearerr() before returning on error. OK jca@
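The error-handling pattern this commit describes, as an added example that is not ntpd's own code: the write helper treats a negative fprintf(3) return or an EOF from fflush(3) as failure and clears the stream's error indicator before returning, so a later write on the same FILE is reported on its own merits. The helper names are assumptions; the demonstration in main() deliberately writes to /dev/full (if present) so that the buffered fprintf succeeds and only fflush fails.

```c
/* Added example, not ntpd code: check fprintf()/fflush() return values and
 * clearerr() on failure. Helper names are assumptions for illustration. */
#include <stdio.h>

/* Write one line and flush it. Returns 0 on success, -1 on failure; the
 * stream's error flag is cleared so the next call reports its own result. */
int
write_line(FILE *fp, const char *line)
{
	if (fprintf(fp, "%s\n", line) < 0 || fflush(fp) == EOF) {
		clearerr(fp);
		return -1;
	}
	return 0;
}

/* Write several lines, stopping at the first failure.
 * Returns the number of lines successfully written and flushed. */
size_t
write_lines(FILE *fp, const char *const *lines, size_t n)
{
	size_t done;

	for (done = 0; done < n; done++)
		if (write_line(fp, lines[done]) == -1)
			break;
	return done;
}

int
main(void)
{
	/* Constructed sample data. */
	const char *const lines[] = { "status: ok", "peers: 3", "clock: synced" };
	FILE *fp;

	/* /dev/full accepts the buffered write but fails on flush (ENOSPC),
	 * which is exactly the case a bare fprintf() check would miss. */
	if ((fp = fopen("/dev/full", "w")) != NULL) {
		printf("/dev/full: wrote %zu of 3 lines, error flag now %d\n",
		    write_lines(fp, lines, 3), ferror(fp));
		fclose(fp);
	}
	if ((fp = tmpfile()) != NULL) {
		printf("tmpfile: wrote %zu of 3 lines\n",
		    write_lines(fp, lines, 3));
		fclose(fp);
	}
	return 0;
}
```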
|
|
OK bcook@ jung@
|
|
|
|
used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert
|
|
and coping with error conditions... that lets us avoid a pledge "wpath".
Putting it all together, this lets the master ntpd pledge "stdio rpath
inet settime proc id". It works like this: "rpath" to load the
certificates, "proc" to create constraint processes, "id" to chroot
and lock the constraint processes into a jail, then "inet" to open a
https session. "settime" is used by the master to manage the system
time when the ntp-speaking engine instructs the master.
with help from naddy
|
|
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
|
|
|
|
since that is all it will do till termination.
|
|
ok phessler@ deraadt@
|
|
while here i've reformatted the page to stop kidding that -s is 4 options;
original issue kind of spotted by adam thompson, though note i am not fixing the
issue he complained about (i'll address that mail in a minute);
|
|
ntp_dns some years ago).
OK henning@
|
|
|
|
OK henning@ deraadt@
|
|
time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses. This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present. This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@
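The validation this commit introduces, as an added example that is not ntpd's own code: each HTTPS "Date:" header is parsed to a UTC timestamp, the median of the parsed values becomes the constraint, and an NTP reply is accepted only if its time lies within a margin of that median. The 15-second margin, the lower-middle choice for an even number of constraints, the hand-rolled RFC 1123 parser (used here instead of strptime(3)/timegm(3) to keep the block portable) and the helper names are all assumptions for illustration; the headers in main() are constructed sample data.

```c
/* Added example, not ntpd code: median-of-Date-headers constraint check.
 * Margin, median rule and function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CONSTRAINT_MARGIN 15	/* assumed slack in seconds, not ntpd's constant */

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long long
days_from_civil(int y, int m, int d)
{
	long long era;
	unsigned yoe, doy, doe;

	y -= m <= 2;
	era = (y >= 0 ? y : y - 399) / 400;
	yoe = (unsigned)(y - era * 400);
	doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
	doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
	return era * 146097 + (long long)doe - 719468;
}

/* Parse an RFC 1123 "Date:" value ("Sun, 06 Nov 1994 08:49:37 GMT") to UTC
 * seconds since the epoch. Anything malformed or trailing returns (time_t)-1. */
time_t
parse_http_date(const char *value)
{
	static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
	char wday[4], mon[4], extra;
	const char *p;
	int d, y, H, M, S, m;

	if (sscanf(value, "%3s, %2d %3s %4d %2d:%2d:%2d GMT%c",
	    wday, &d, mon, &y, &H, &M, &S, &extra) != 7)
		return (time_t)-1;
	if (strlen(mon) != 3 || (p = strstr(months, mon)) == NULL ||
	    (p - months) % 3 != 0)
		return (time_t)-1;
	m = (int)(p - months) / 3 + 1;
	if (d < 1 || d > 31 || H > 23 || M > 59 || S > 60 || y < 1970)
		return (time_t)-1;
	return (time_t)(days_from_civil(y, m, d) * 86400 + H * 3600 + M * 60 + S);
}

static int
cmp_time(const void *a, const void *b)
{
	time_t x = *(const time_t *)a, y = *(const time_t *)b;
	return (x > y) - (x < y);
}

/* Median of n constraint times (lower middle for even n). Sorts in place;
 * returns (time_t)-1 when there are no usable constraints. */
time_t
constraint_median(time_t *ct, size_t n)
{
	if (n == 0)
		return (time_t)-1;
	qsort(ct, n, sizeof(*ct), cmp_time);
	return ct[(n - 1) / 2];
}

/* 1 if the NTP reply time is within CONSTRAINT_MARGIN of the median, else 0. */
int
constraint_check(time_t ntp_time, time_t median)
{
	time_t diff = ntp_time > median ? ntp_time - median : median - ntp_time;
	return diff <= CONSTRAINT_MARGIN;
}

int
main(void)
{
	/* Constructed headers: two agreeing servers, one far off, one garbage.
	 * The median is robust to a single bad (or hostile) constraint. */
	const char *hdrs[] = {
		"Sun, 06 Nov 1994 08:49:37 GMT",
		"Sun, 06 Nov 1994 08:49:40 GMT",
		"Thu, 01 Jan 2004 00:00:00 GMT",
		"not a date at all",
	};
	time_t ct[4], median;
	size_t i, n = 0;

	for (i = 0; i < 4; i++) {
		time_t t = parse_http_date(hdrs[i]);
		if (t != (time_t)-1)
			ct[n++] = t;
	}
	median = constraint_median(ct, n);
	printf("median constraint %lld; reply +10s accepted: %d; +20s: %d\n",
	    (long long)median, constraint_check(median + 10, median),
	    constraint_check(median + 20, median));
	return 0;
}
```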
|
|
If the network is unreachable when ntpd starts and host_dns fails, be sure
that we still close the HOST_DNS imsg.
Thanks to Paul de Weerd <weerd at weirdnet dot nl> for reporting this.
ok beck@
|
|
This simplifies things and makes action = -1 no longer a dead store.
Also, spell FALLTHROUGH consistently.
reported by fritjof@alokat.org
|
|
daemon.
Old drift files will be interpreted as a minuscule adjustment and
ntpd will proceed to rediscover the drift, like starting from zero
on a newly installed machine.
ok deraadt@
|
|
from Paul B. Henson, ok phessler@
|
|
- Nothing seems to free the result of host_dns(), so add host_dns_free() and
call after each query.
- If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the
freed buf in imsg_close().
ok millert@ deraadt@
|
|
peanuts -- but all work has to start somewhere.
|
|
Reduces the number of log.c snowflakes by a little, and gives ntpd a
variadic fatal() function to be used later.
ok deraadt@
|
|
This avoids a namespace conflict with Solaris build environments.
discussed with deraadt@ and kettenis@
|
|
strftime.
ok jsing@ phessler@ naddy@
|
|
dns process at normal priority. Should improve latency on loaded machines.
ok henning@
|