Age | Commit message | Author |
|
to send message to the child process. Do like we learned in httpd(8).
ok deraadt@
|
|
this should fix the problem with random ntpd(8) deaths.
ok deraadt@
|
|
additional actions before printing it. OK rzalamena@
|
|
case the dup2() would fail silently and the descriptor would remain with
the CLOEXEC flag causing the exec*()d child process to have unexpected
behavior.
ok guenther@
|
|
with this change we get the pledge() ability back to the parent process.
some tweaks from and ok reyk@
|
|
it, remove some verbose shutdown messages that we had before with pipe
close.
ok reyk@
|
|
ok reyk@, bcook@
|
|
obvious why it is implemented this way. The whole idea of constraints
is to isolate them as much as possible, in a semi-paranoid way.
OK rzalamena@
|
|
OK from the original author Alexander Guy
|
|
part of the original ISC license that we use in OpenBSD. Done for
files where Henning is the original author.
OK henning@ deraadt@
|
|
ok deraadt@
|
|
changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@
|
|
became more visible recently because a log_debug was changed to
log_warnx. Change it back for now.
ok jsing
|
|
ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.
Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!
ok deraadt@ reyk@
|
|
ok deraadt@ reyk@
|
|
for ntpd(8), removing the pledge call is a first step: further redesign will occur later.
ok reyk@ benno@
|
|
removing its second parameter and the enum() that provided the
values for said parameter.
The function was only called with the second parameter set to one
value (BM_NONBLOCKING) from the enum(). So just do the right thing.
Similar to changes made in smtpd.
While here remove the pointless third parameter from the fcntl(F_GETFL)
call.
No functional change.
ok guenther@ bcook@ deraadt@
|
|
no other timezone than the fixed string "GMT". Avoid using strptime %Z,
which is nonstandard and can give surprising results on other operating
systems. ok deraadt@ giovanni@ bcook@
|
|
titles (including flags) to distinguish between daemons, this makes it
possible to manage multiple copies of a daemon using the normal infrastructure
by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@
|
|
process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@
|
|
ok reyk@
|
|
|
|
Instead, check the return value of fprintf() and fflush()
and call clearerr() before returning on error. OK jca@
|
|
OK bcook@
|
|
OK bcook@ jung@
|
|
and actually not a "logging" function. No functional change.
|
|
|
|
used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert
|
|
ok deraadt
|
|
strndup().
ok millert@
|
|
|
|
so servers with numeric IP addresses won't be skipped; ok reyk@
|
|
|
|
we have ntpctl now and ntpd doesn't need redundant/obsolete features.
Pointed out by naddy@, with input from zhuk@ (SIGINFO doesn't need SIG_IGN)
OK deraadt@
|
|
/dev/null. copy the code from the ntp engine.
|
|
and coping with error conditions... that lets us avoid a pledge "wpath".
Putting it all together, this lets the master ntpd pledge "stdio rpath
inet settime proc id". It works like this: "rpath" to load the
certificates, "proc" to create constraint processes, "id" to chroot
and lock the constraint processes into a jail, then "inet" to open a
https session. "settime" is used by the master to manage the system
time when the ntp-speaking engine instructs the master.
with help from naddy
|
|
non-sensical. The dns lookups happened in the process routing table
(usually '0'), which is very likely to have different results from the
other routing domains. If you do depend on having this behaviour,
you'll need to use pf to cross the rtable boundary.
"listen on * rtable X" is still supported.
Users of "server * rtable X" will need to switch to launching ntpd with
"route -T X exec /usr/sbin/ntpd"
OK deraadt@
|
|
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
|
|
types of functions (perhaps required by 'stdio' or 'libevent') will not
become available unless DNS succeeds. Replace it with "stdio dns".
|
|
including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine. That would increase accuracy and security.
Lots of conversations with reyk and bcook
|
|
"stdio inet". It took weeks to get to this point...
|
|
|
|
|
|
that's the case after kernel code got fixed to handle inet6 for dns...
|
|
since that is all it will do till termination.
|
|
jointly with jsing@
|
|
ok jsing@
|
|
From Michael McConville
|
|
|
|
than < for the comparison. Otherwise, if we don't do enough work
in the loop to advance the clock (for instance if the network is
down) we may end up calling poll() multiple times with no timeout,
racking up CPU time for no real reason. OK bcook@
|