path: root/usr.sbin/ntpd
Age | Commit message | Author
2016-10-18 | Check for EAGAIN on imsg_flush() return otherwise we might be failing to send message to the child process. Do like we learned in httpd(8). ok deraadt@ | Rafael Zalamena
2016-10-18 | Save the constraint process pid by getting the start_child() return value, this should fix the problem with random ntpd(8) deaths. ok deraadt@ | Rafael Zalamena
2016-10-12 | copy updated log.c from vmd: for correctness, save errno when doing additional actions before printing it. OK rzalamena@ | Reyk Floeter
2016-10-03 | Fix a possible bug that will happen with dup2() when oldd == newd. In that case the dup2() would fail silently and the descriptor would remain with the CLOEXEC flag causing the exec*()d child process to have unexpected behavior. ok guenther@ | Rafael Zalamena
2016-09-26 | Teach ntpd(8) constraint process to use exec*() instead of just forking, with this change we get the pledge() ability back to the parent process. some tweaks from and ok reyk@ | Rafael Zalamena
2016-09-26 | Teach ntpd(8) how to use socket status to shutdown the daemon. While at it, remove some verbose shutdown messages that we had before with pipe close. ok reyk@ | Rafael Zalamena
2016-09-14 | Teach ntpd(8) how to fork+exec. ok reyk@, bcook@ | Rafael Zalamena
2016-09-14 | Add clarifications ("comments") to three places where it wasn't obvious why it is implemented this way. The whole idea of constraints is to isolate them as much as possible, in a semi-paranoid way. OK rzalamena@ | Reyk Floeter
2016-09-14 | Fix copyright disclaimer in util.c. OK from the original author Alexander Guy | Reyk Floeter
2016-09-03 | Remove the oh so funny "LOSS OF MIND" from the disclaimer that was not part of the original ISC license that we use in OpenBSD. Done for files where Henning is the original author. OK henning@ deraadt@ | Reyk Floeter
2016-08-27 | Pull in <sys/time.h> for struct timespec, timeval, or clockrate ok deraadt@ | Philip Guenther
2016-07-13 | Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@ | Joel Sing
2016-06-01 | ntpd is too aggressive about retrying constraint connections. This became more visible recently because a log_debug was changed to log_warnx. Change it back for now. ok jsing | Theo de Raadt
2016-05-21 | Harden TLS for ntpd constraints - stop disabling server name verification, ensure that we load the CA certificates and use tls_connect_servername() so that we can verify the server we are connecting to (even though we've already resolved the hostname). Also add additional warnings for TLS connect and TLS write failures so that we know what is happening and why. Lack of server name verification also reported by Luis M. Merino <luismiguelmerino at gmail dot com> - thanks! ok deraadt@ reyk@ | Joel Sing
2016-05-06 | Unconfuse things by renaming variables to match their contents. ok deraadt@ reyk@ | Joel Sing
2016-05-02 | prepare userland for removing chroot(2) from allowed syscalls under pledge(2). for ntpd(8), removing the pledge call is a first step: further redesign will occur later. ok reyk@ benno@ | Sebastien Marie
2016-03-27 | Rename session_socket_blockmode() to session_socket_nonblockmode(), removing its second parameter and the enum() that provided the values for said parameter. The function was only called with the second parameter set to one value (BM_NONBLOCKING) from the enum(). So just do the right thing. Similar to changes made in smtpd. While here remove the pointless third parameter from the fcntl(F_GETFL) call. No functional change. ok guenther@ bcook@ deraadt@ | Kenneth R Westerback
2016-03-05 | According to RFC7231, section 7.1.1.1, the HTTP date header supports no other timezone than the fixed string "GMT". Avoid using strptime %Z, which is nonstandard and can give surprising results on other operating systems. ok deraadt@ giovanni@ bcook@ | Christian Weisgerber
2016-02-02 | Remove setproctitle() for the parent process. Because rc.d(8) uses process titles (including flags) to distinguish between daemons, this makes it possible to manage multiple copies of a daemon using the normal infrastructure by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@ | Stuart Henderson
2016-01-27 | Don't attempt to kill() the constraint in the wrong process. The process management of the constraint processes has been moved from ntp to the parent, for better privsep and pledge, but the ntp process still attempted to kill the constraints on timeout directly. Fix this regression by introducing a new imsg from ntp to the parent and the related logic to kill a constraint at the right place. Reported & tested by bcook@ Ok bcook@ | Reyk Floeter
2016-01-27 | update ntpd log initialization to work like relayd, fix debug log levels ok reyk@ | Brent Cook
2016-01-11 | sneaky whitespace snuck in again | Theo de Raadt
2015-12-29 | Don't assume fprintf() will set the FILE * error condition. Instead, check the return value of fprintf() and fflush() and call clearerr() before returning on error. OK jca@ | Todd C. Miller
2015-12-19 | No need for an extra log.h OK bcook@ | Reyk Floeter
2015-12-19 | Switch and sync to the log.c variant from httpd/relayd/iked/snmpd/vmd. OK bcook@ jung@ | Reyk Floeter
2015-12-19 | Move log_sockaddr() from log.c to util.c as it is a local addition and actually not a "logging" function. No functional change. | Reyk Floeter
2015-12-05 | EAGAIN handling for imsg_read. OK henning@ benno@ | Claudio Jeker
2015-11-24 | Cache values from getpwnam() done at initialization, which need to be used by the constraint processes setup later (chroot, setuid...) [late getpwnam discovered during a further audit] ok millert | Theo de Raadt
2015-11-20 | use RMS for jitter. we're linking with enough libraries that libm is tiny. ok deraadt | Ted Unangst
2015-11-19 | Simplify all instances of get_string() and get_data() using malloc() and strndup(). ok millert@ | mmcc
2015-11-17 | fix memory leak; from David CARLIER | Theo de Raadt
2015-10-31 | fully revert some parts introduced with the original server rtable support, so servers with numeric IP addresses won't be skipped; ok reyk@ | Christian Weisgerber
2015-10-30 | drop unused define; ok reyk@ | Christian Weisgerber
2015-10-30 | Remove support for sending status reports to syslog on SIGINFO; we have ntpctl now and ntpd doesn't need redundant/obsolete features. Pointed out by naddy@, with input from zhuk@ (SIGINFO doesn't need SIG_IGN) OK deraadt@ | Reyk Floeter
2015-10-25 | the DNS process was not discarding & redirecting stdin/out/err to /dev/null. copy the code from the ntp engine. | Theo de Raadt
2015-10-23 | Rather than re-opening the driftfile to write, keep it open; rewinding and coping with error conditions... that lets us avoid a pledge "wpath". Putting it all together, this lets the master ntpd pledge "stdio rpath inet settime proc id". It works like this: "rpath" to load the certificates, "proc" to create constraint processes, "id" to chroot and lock the constraint processes into a jail, then "inet" to open a https session. "settime" is used by the master to manage the system time when the ntp-speaking engine instructs the master. with help from naddy | Theo de Raadt
2015-10-23 | Allowing upstream servers of ntp being in multiple routing tables is non-sensical. The dns lookups happened in the process routing table (usually '0'), which is very likely to have different results from the other routing domains. If you do depend on having this behaviour, you'll need to use pf to cross the rtable boundary. "listen on * rtable X" is still supported. Users of "server * rtable X" will need to switch to launching ntpd with "route -T X exec /usr/sbin/ntpd" OK deraadt@ | Peter Hessler
2015-10-12 | Move execution of the constraints from the ntp to the parent process. This helps the ntp process to a) give a better pledge(2) and to b) keep the promise of "saving the world again... on time" by removing the delays that have been introduced by expensive constraint forks. The new design offers better privsep but introduces a few more imsgs and runs a little bit more code in the privileged parent. The privileged code is minimal, carefully checked, and does not attempt to "parse" any contents; the forked constraints instantly drop all privileges and pledge to "stdio inet". OK beck@ deraadt@ | Reyk Floeter
2015-10-10 | pledge "dns rw" is not a reliable pattern. This means malloc() and other types of functions (perhaps required by 'stdio' or 'libevent') will not become available unless DNS succeeds. Replace it with "stdio dns". | Theo de Raadt
2015-10-09 | the ntp engine can run with "stdio inet proc". For many reasons, including fork/exec cost, it would be better if constraints were forked from the master process, which would then tell the ntp engine. That would increase accuracy and security. Lots of conversations with reyk and bcook | Theo de Raadt
2015-10-09 | Once the constraint engine process is running, it only needs "stdio inet". It took weeks to get to this point... | Theo de Raadt
2015-10-09 | Change all tame callers to namechange to pledge(2). | Theo de Raadt
2015-10-05 | this process deserves -fstack-protector-all | Theo de Raadt
2015-10-03 | the ntp dns process only needs tame "dns rw" to operate. at least, that's the case after kernel code got fixed to handle inet6 for dns... | Theo de Raadt
2015-10-03 | In the ntpctl(1) case, after it has connect()'d to ntpd we can tame "stdio" since that is all it will do till termination. | Theo de Raadt
2015-09-10 | fix type and return check for tls_read/write. jointly with jsing@ | Bob Beck
2015-09-10 | fix after libtls api changes ok jsing@ | Bob Beck
2015-09-09 | Fix memory leak in error path when max length exceeded. From Michael McConville | Todd C. Miller
2015-08-28 | Xr ntpctl; from Rob Pierce | Theo de Raadt
2015-08-14 | When checking whether we should scan the sensors again use <= rather than < for the comparison. Otherwise, if we don't do enough work in the loop to advance the clock (for instance if the network is down) we may end up calling poll() multiple times with no timeout, racking up CPU time for no real reason. OK bcook@ | Todd C. Miller