Changing the access defaults

Eric S. Raymond esr at thyrsus.com
Thu Oct 6 18:31:09 UTC 2016 

Heads up, Mark!  Security and policy implications.

Normally I'm not a big fan of backwards-incompatible changes.  But
when (a) they're justifiable in themselves on security grounds, and
(b) they help us significantly going forward, the case for them starts
to look pretty good.

(Of course, we need to give people building the software the option of
getting back the old behavior with --enable-classic-mode.)

Out of the box, ntpd ships with anyone on the net able to do anything
on the to your server - query it, KOD it, peer with it, modify its
configuration with ntpq, etc.

Because that is horribly insecure, pretty much everybody in the
universe ships the following boilerplate as part of their default
configuration:

restrict default kod limited nomodify nopeer noquery  
restrict -6 default kod limited nomodify nopeer noquery
restrict 127.0.0.1  
restrict -6 ::1

I'm thinking about changing the access defaults for ntpd so they
correspond to to that boilerplate.  (Daniel thinks we might want
to set nopeer on localhost as well, but that's a detail.)

This would have a some significant benefits:

1. Daniel wants to make this the default for the new config
language. By giving the same meaning to the empty config
in both languages, we would significantly reduce the complexity
of implementation and the potential for unintended interactions.

2. We could drop that boilerplate from the configs we ship.  That's
a good thing, it means less to explain in our HOWTOs and less
detail for newbies to be confused by.

3. Everybody runs more securely.

The only downside I see is that the tiny handful of users who *delete*
things from the standard boilerplate will see an incompatible change
that they have to fix by writing some permissive 'restrict'.  But
by hypothesis they're already customizing their access rules, so this
wouldn't represent a lot of extra effort.  Providing we invoke the
great god Security in proper form, we they probably won't even
be annoyed.

Objections?  Discussion?  
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

According to the National Crime Survey administered by the Bureau of
the Census and the National Institute of Justice, it was found that
only 12 percent of those who use a gun to resist assault are injured,
as are 17 percent of those who use a gun to resist robbery. These
percentages are 27 and 25 percent, respectively, if they passively
comply with the felon's demands. Three times as many were injured if
they used other means of resistance.
        -- G. Kleck, "Policy Lessons from Recent Gun Control Research,"
		Law and Contemporary Problems 49, no. 1. (Winter 1986.): 35-62.

More information about the devel mailing list