Commit Graph

86 Commits

Author SHA1 Message Date
Ian Lepore
3496c981ac Make it possible to run ntpd as a non-root user, add ntpd uid and gid.
Code analysis and runtime analysis using truss(8) indicate that the only
privileged operations performed by ntpd are adjusting system time, and
(re-)binding to privileged UDP port 123. These changes add a new mac(4)
policy module, mac_ntpd(4), which grants just those privileges to any
process running with uid 123.

This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
them the owner of the /var/db/ntp directory, so that it can be used as a
location where the non-privileged daemon can write files such as the
driftfile, and any optional logfile or stats files.

Because there are so many ways to configure ntpd, the question of how to
configure it to run without root privs can be a bit complex, so that will be
addressed in a separate commit. These changes are just what's required to
grant the limited subset of privs to ntpd, and the small change to ntpd to
prevent it from exiting with an error if running as non-root.

Differential Revision:	https://reviews.freebsd.org/D16281
2018-07-19 23:55:29 +00:00
Xin LI
0910025859 MFV r330102: ntp 4.2.8p11 2018-02-28 07:59:55 +00:00
Xin LI
f0574f5cf6 MFV r315791: ntp 4.2.8p10. 2017-03-23 22:06:06 +00:00
Xin LI
8624bb0572 Replay r304721 in contrib/ so the change won't get lost across import. 2016-11-22 08:30:32 +00:00
Xin LI
f391d6bc1d MFV r308954:
ntp 4.2.8p9.

Approved by:	so
2016-11-22 08:27:49 +00:00
Xin LI
e27abb6689 MFV r301238:
ntp 4.2.8p8.

Security:	CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security:	CVE-2016-4955, CVE-2016-4956
Security:	FreeBSD-SA-16:24.ntp
With hat:	so
2016-06-03 08:00:22 +00:00
Xin LI
4990d495fc MFV r298691:
ntp 4.2.8p7.

Security:	CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security:	CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security:	CVE-2016-2519
Security:	FreeBSD-SA-16:16.ntp
With hat:	so
2016-04-27 07:46:38 +00:00
Glen Barber
8276572f42 Remove the RCSID line from ntp_control.c, and set the fbsd:nokeywords
property.  This should have been done a while back (certainly before
mergeing projects/release-pkg to head), but I fixed the merge conflicts
and forgot to correct the real problem afterward.

Noticed by:	peter
Sponsored by:	The FreeBSD Foundation
2016-04-16 18:10:11 +00:00
Glen Barber
f9421853ad MFH
Sponsored by:	The FreeBSD Foundation
2016-01-25 14:13:28 +00:00
Xin LI
68ba7e87e7 MFV r294491: ntp 4.2.8p6.
Security:	CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security:	CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security:	CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security:	CVE-2015-8140, CVE-2015-8158
With hat:	so
2016-01-22 07:32:39 +00:00
Glen Barber
e60680024a MFH
Sponsored by:	The FreeBSD Foundation
2016-01-12 01:23:45 +00:00
Xin LI
3311ff84ea MFV r293415:
ntp 4.2.8p5

Reviewed by:	cy, roberto
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D4828
2016-01-08 15:53:48 +00:00
Glen Barber
e2e86de153 Fix another mis-merge.
Sponsored by:	The FreeBSD Foundation
2016-01-05 16:23:43 +00:00
Glen Barber
b626f5a73a MFH r289384-r293170
Sponsored by:	The FreeBSD Foundation
2016-01-04 19:19:48 +00:00
Gleb Smirnoff
9034852c84 MFV ntp-4.2.8p4 (r289715)
Security:       VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security:	CVE-2015-7871
Security:	CVE-2015-7855
Security:	CVE-2015-7854
Security:	CVE-2015-7853
Security:	CVE-2015-7852
Security:	CVE-2015-7851
Security:	CVE-2015-7850
Security:	CVE-2015-7849
Security:	CVE-2015-7848
Security:	CVE-2015-7701
Security:	CVE-2015-7703
Security:	CVE-2015-7704, CVE-2015-7705
Security:	CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security:	http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by:	Nginx, Inc.
2015-10-22 19:42:57 +00:00
Baptiste Daroussin
b5ff185e19 Merge from head 2015-09-12 11:41:31 +00:00
Cy Schubert
276da39af9 MFV ntp-4.2.8p3 (r284990).
Approved by:	roberto, delphij
Security:	VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security:	http://bugs.ntp.org/show_bug.cgi?id=2853
Security:	https://www.kb.cert.org/vuls/id/668167
Security:	http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi
2015-07-05 15:42:16 +00:00
Baptiste Daroussin
3deada4168 Merge from HEAD 2015-05-07 23:18:23 +00:00
Cy Schubert
a25439b686 MFV ntp 4.2.8p2 (r281348)
Reviewed by:    delphij (suggested MFC)
Approved by:	roberto
Security:       CVE-2015-1798, CVE-2015-1799
Security:       VuXML ebd84c96-dd7e-11e4-854e-3c970e169bc2
MFC after:	1 month
2015-05-04 04:45:59 +00:00
Baptiste Daroussin
4bf53d0b46 Merge from HEAD 2015-04-03 23:23:09 +00:00
Cy Schubert
21c09643ff Fix merge error.
Submitted by:	jkim
2015-04-03 10:20:59 +00:00
Cy Schubert
00cbf6c295 Remove rednandt file.
Submitted by:	jkim
2015-04-03 10:17:36 +00:00
Cy Schubert
8e4f77ede8 Fix build. 2015-03-31 19:35:32 +00:00
Cy Schubert
2b15cb3d09 MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)
Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by:	roberto
2015-03-30 13:30:15 +00:00
Hiren Panchasara
a2b8f1cbb7 ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by:	ume
Reviewed by:	bz, gnn
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D1527
2015-01-14 23:34:00 +00:00
Hajimu UMEMOTO
359f2b4604 Correct comparison of IPv6 wildcard address.
MFC after:	3 days
2015-01-08 07:47:39 +00:00
Xin LI
2f834a0b41 Fix multiple ntp vulnerabilities.
Reviewed by:	roberto (earlier revision), philip
Security:	CVE-2014-9293, CVE-2014-9294
Security:	CVE-2014-9295, CVE-2014-9296
Security:	FreeBSD-SA-14:31.ntp

Differential Revision: https://reviews.freebsd.org/D1343
2014-12-22 18:54:55 +00:00
Xin LI
c4bf0d04c2 Don't reply monlist request when it's not enabled.
No objection from:	roberto (but all bugs are mine)
MFC after:	2 weeks
2014-05-06 21:34:01 +00:00
Xin LI
f3f38455ea Disable 'monitor' feature in ntpd by default.
Security:	FreeBSD-SA-14:02.ntpd
Approved by:	so
2014-01-14 18:59:00 +00:00
Pedro F. Giffuni
646a7fea0c Clean some 'svn:executable' properties in the tree.
Submitted by:	Christoph Mallon
MFC after:	3 days
2013-01-26 22:08:21 +00:00
Eitan Adler
37a6031461 Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in
share/mk/sys.mk instead.

This is part of a medium term project to permit deterministic builds of
FreeBSD.

Submitted by:	Erik Cederstrand <erik@cederstrand.dk>
Reviewed by:	imp, toolchain@
Approved by:	cperciva
MFC after:	2 weeks
2012-12-06 01:31:25 +00:00
Ed Maste
2dd1401878 Remove extraneous log message
When ntp switched between PLL and FLL mode it produced a log message
"kernel time sync status change %04x".  This issue is reported in ntp
bug 452[1] which claims that this behaviour is normal and the log
message isn't necessary.  I'm not sure exactly when it was removed, but
it's gone in the latest ntp release (4.2.6p5).

[1] http://bugs.ntp.org/show_bug.cgi?id=452

Approved by:    roberto
2012-03-12 01:06:29 +00:00
Bjoern A. Zeeb
2bddeb8538 In case ntp cannot resolve a hostname on startup it will queue the entry
for resolving by a child process that, upon success, will add the entry
to the config of the running running parent process.

Unfortunately there are a couple of bugs with this, fixed in various
later versions of upstream in potentially different ways due to other
code changes:

1) Upon server [-46] <FQDN> the [-46] are used as FQDN for later resolving
   which does not work.  Make sure we always pass the name (or IP there).

2) The intermediate file to carry the information to the child process
   does not know about -4/-6 restrictions, so that a dual-stacked host
   could resolve to an IPv6 address but that might be unreachable (see
   r223626) leading to no working synchronization ignoring a IPv4 record.
   Thus alter the intermediate format to also pass the address family
   (AF_UNSPEC (default), AF_INET or AF_INET6) to the child process
   depending on -4 or -6.

3) Make the child process to parse the new intermediate file format and
   save the address family for getaddrinfo() hints flags.

4) Change child to always reload resolv.conf calling res_init() before
   trying to resolve names.  This will pick up resolv.conf changes or
   new resolv.confs should they have not existed or been empty or
   unusable on ntp startup.  This fix is more conditional in upstream
   versions but given FreeBSD has res_init there is no need for the
   configure logic as well.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	9 days
2011-06-29 13:01:10 +00:00
Bjoern A. Zeeb
a9b3947837 Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	1 week
2011-06-28 09:46:25 +00:00
Bjoern A. Zeeb
541ab6a6c5 The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char.  For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
  on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by:	roberto
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
Filed as:	Bug 1936 on ntp.org
2011-05-29 07:40:48 +00:00
Ollivier Robert
eb6d21b4ca Merge 4.2.4p8 into contrib (r200452 & r200454).
Subversion is being difficult here so take a hammer and get it in.

MFC after:		2 weeks
Security:		CVE-2009-3563
2009-12-15 14:58:10 +00:00
Hajimu UMEMOTO
0fa2c497a6 Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess.  It does away with an annoying
message.

Reviewed by:	bz, roberto
MFC after:	2 weeks
2009-12-01 16:07:50 +00:00
Colin Percival
7d845dde8d Remove build timestamps from the following files:
/boot/kernel/hptrr.ko
/etc/mail/*.cf
/lib/libcrypto.so.5
/usr/bin/ntpq
/usr/sbin/amd
/usr/sbin/iasl
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc

There does not appear to be any purpose to having these timestamps, and
they have the irritating consequence that the aforementioned files will
be different every time they are rebuilt.

After this commit, the only remaining build timestamps are in the kernel,
the boot loaders, /usr/include/osreldate.h (the year in the copyright
notice), and lib*.a (the timestamps on all of the included .o files).

Reviewed by:	scottl (hptrr), gshapiro (sendmail), simon (openssl),
		roberto (ntp), jkim (acpica)
Approved by:	re (kib)
2009-07-11 22:30:37 +00:00
Colin Percival
9a1bde1808 Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09]

Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]

Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]

Approved by:	so (cperciva)
Approved by:	re (not really, but SVN wants this...)
Security:	FreeBSD-SA-09:09.pipe
Security:	FreeBSD-SA-09:10.ipv6
Security:	FreeBSD-SA-09:11.ntpd
2009-06-10 10:31:11 +00:00
Ollivier Robert
0963cc7dac Merge r191298 into HEAD.
Prevent a buffer overflow in ntpq.  Patch taken from the PR database
after being committed to the official ntp tree and present in 4.2.4p7-rc2.

It will be MFH to the upcoming 7.2 pending re approval.

Obtained from:  https://support.ntp.org/bugs/show_bug.cgi?id=1144
MFC after:      3 days
Security:       http://www.securityfocus.com/bid/34481
                CVE-2009-0159
2009-04-20 09:59:08 +00:00
Simon L. B. Nielsen
2568138fcd Correct ntpd(8) cryptographic signature bypass [SA-09:04].
Correct BIND DNSSEC incorrect checks for malformed signatures
[SA-09:04].

Security:	FreeBSD-SA-09:03.ntpd
Security:	FreeBSD-SA-09:04.bind
Obtained from:	ISC [SA-09:04]
Approved by:	so (simon)
2009-01-13 21:19:27 +00:00
Ollivier Robert
f8b329f0ed Merge from vendor/ntp/dist: r182856:
Apply updated patch from bin/92839 to avoid two possible buffer overflows.

PR:		bin/92839
Submitted by:	Helge Oldach <freebsdntpd@oldach.net>
2008-09-07 22:15:41 +00:00
Ollivier Robert
ea906c4152 Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after:	2 weeks
2008-08-22 15:58:00 +00:00
Ollivier Robert
0814f601e6 Move FREEBSD-upgrade as well. 2008-08-18 14:37:44 +00:00
Ollivier Robert
7d7bbd7429 Move FREEBSD-Xlist in a more proper location. 2008-08-18 14:36:57 +00:00
Ollivier Robert
cce65f4396 Flatten the dist and various 4.n.n trees in preparation of future ntp imports. 2008-08-17 17:37:33 +00:00
Ollivier Robert
8c24a1e0ff Fix compilation with gcc 4.1. This is imported on the vendor branch as it
was applied in the mainstream source and a later complete import of
4.2.2p3 will complete the fix.

Submitted by:	kan
2006-09-28 16:02:34 +00:00
Ollivier Robert
3fa694fea6 This commit was generated by cvs2svn to compensate for changes in r162735,
which included commits to RCS files with non-trunk default branches.
2006-09-28 16:02:34 +00:00
Ollivier Robert
b9bb0f5d00 Merge from the main BK repository for ntp: put two midly annoying messages
under #ifdef DEBUG. Merge of revision 1.45 by H. Stenn.

Done on the vendor branch to minimise future imports.

Reminded by:	obrien
2004-12-06 14:33:29 +00:00
Ollivier Robert
0003d12e46 This commit was generated by cvs2svn to compensate for changes in r138451,
which included commits to RCS files with non-trunk default branches.
2004-12-06 14:33:29 +00:00