Age | Commit message | Author |
|
used by the constraint processes set up later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert
|
|
ok deraadt
|
|
strndup().
ok millert@
|
|
|
|
so servers with numeric IP addresses won't be skipped; ok reyk@
|
|
|
|
we have ntpctl now and ntpd doesn't need redundant/obsolete features.
Pointed out by naddy@, with input from zhuk@ (SIGINFO doesn't need SIG_IGN)
OK deraadt@
|
|
/dev/null. copy the code from the ntp engine.
|
|
and coping with error conditions... that lets us avoid a pledge "wpath".
Putting it all together, this lets the master ntpd pledge "stdio rpath
inet settime proc id". It works like this: "rpath" to load the
certificates, "proc" to create constraint processes, "id" to chroot
and lock the constraint processes into a jail, then "inet" to open a
https session. "settime" is used by the master to manage the system
time when the ntp-speaking engine instructs the master.
with help from naddy
|
|
non-sensical. The dns lookups happened in the process routing table
(usually '0'), which is very likely to have different results from the
other routing domains. If you do depend on having this behaviour,
you'll need to use pf to cross the rtable boundary.
"listen on * rtable X" is still supported.
Users of "server * rtable X" will need to switch to launching ntpd with
"route -T X exec /usr/sbin/ntpd"
OK deraadt@
|
|
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
|
|
types of functions (perhaps required by 'stdio' or 'libevent') will not
become available unless DNS succeeds. Replace it with "stdio dns".
|
|
including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine. That would increase accuracy and security.
Lots of conversations with reyk and bcook
|
|
"stdio inet". It took weeks to get to this point...
|
|
|
|
|
|
that's the case after kernel code got fixed to handle inet6 for dns...
|
|
since that is all it will do till termination.
|
|
jointly with jsing@
|
|
ok jsing@
|
|
From Michael McConville
|
|
|
|
than < for the comparison. Otherwise, if we don't do enough work
in the loop to advance the clock (for instance if the network is
down) we may end up calling poll() multiple times with no timeout,
racking up CPU time for no real reason. OK bcook@
|
|
input doug@; OK beck@
|
|
patch from Mikolaj Kucharski
ok deraadt@
|
|
ok deraadt@ phessler@ claudio@
|
|
ok phessler@ deraadt@
|
|
if this happens, we want to tear down all of ntpd, so that people will
report it, any such bug can be found, and fixed.
ok bcook
|
|
ok bcook
|
|
handler. It is run in a chroot, so tzset() wouldn't even succeed to
open the zone file. Found with tame.
OK deraadt@
|
|
henning@ 9 years ago because of an issue with the /dev/hotplug device
- it does not support multiple readers opening it. Nobody ever cared
enough to fix it so it is time to send the dead code to the Attic.
OK henning@ (feeling sad about it), mpi@ and others
|
|
instead of calling the SIOCGIFRDOMAIN ioctl for every single address.
OK deraadt@
|
|
of being wrong, not the NTP responses, reset it and query it from all
the constraint servers all over again. This turned out to be a bit
aggressive because it could get triggered with just a few bad NTP
peers in a larger pool. To avoid constant reconnections, scale the
error margin with the number of resolved NTP peers using peer_cnt * 4.
This way a single or a few outliers in an NTP pool cannot trigger
reconnecting to the constraint servers immediately. More NTP peers,
less reason to mistrust the constraint.
Found by dtucker@
OK deraadt@
|
|
ok henning@, reyk@
|
|
addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In contrast to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.
Pointed out by rpe@
OK rpe@ deraadt@
|
|
|
|
Original fix from Romuald Delavergne. ok henning@
|
|
|
|
ignore it directly. no functional change. Rafael Neves rafaelneves at gmail
|
|
ok deraadt@
|
|
|
|
while here i've reformatted the page to stop kidding that -s is 4 options;
original issue kind of spotted by adam thompson, though note i am not fixing the
issue he complained about (i'll address that mail in a minute);
|
|
ok reyk@
|
|
tls_config_insecure_noverifyname(), so that it is more accurate and keeps
inline with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.
|
|
|
|
that order, tls, crypto, ssl.
|
|
ok reyk
|
|
Reported by Stefan Wollny.
|
|
Fixes segfault on configuration load time, as reported by Donovan Watteau.
|
|
makes it possible to get constraint addresses even if network/DNS is not
available at startup (or system boot).
thumbs up & OK henning@
|