Default config file behavior - request for comment

Hal Murray hmurray at megapathdsl.net
Wed Sep 20 17:11:52 UTC 2017


> Right now, if ntpd is brought up with no config file, it runs with no
> restrictions at all. Anyone can query it, anyone can configure it. This
> seems dubious from a security point of view. 

Seems not-too-likely in the normal case since it won't keep good time.

Also seems possible in, say, a recovery mode where the file system is busted, 
or during setup, so I agree that this is worth fixing.


> 2. User-friendly way.  Bring it up with these permissions:
> restrict default kod limited nomodify nopeer noquery
> restrict -6 default kod limited nomodify nopeer noquery
> restrict 127.0.0.1
> restrict -6 ::1
> pool pool.ntp.org iburst
> driftfile /var/lib/ntp/ntp.drift 

I think wiring in pool names is a bad idea.
There may already be a default drift file name.

There is already a default default restriction.  Tweaking that would be 
simple.

What does nopeer mean these days?


-- 
These are my opinions.  I hate spam.
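As an added illustration, not part of the thread and not code from the ntpd or NTPsec projects: the security concern above is that a daemon started with no config file (or a config file lacking a catch-all `restrict default` line) accepts both remote queries and remote configuration. The following Python audit script checks an ntp.conf text for exactly that, reporting per address family which of the `nomodify` and `noquery` flags the `default` restriction fails to set. The config samples inside it are constructed for the example; the parser only understands the `restrict [-4|-6] <target> [mask <m>] <flags...>` shape that appears in the quoted proposal and treats an absent config as fully open, matching the behaviour described in the thread.

```python
"""Audit an ntp.conf text for open default restrictions (added example)."""
import shlex

# The two flags that close the exposures discussed in the thread:
# nomodify blocks remote runtime configuration, noquery blocks ntpq/ntpdc
# status queries.  kod, limited and nopeer are reported but not required here.
REQUIRED_FLAGS = {"nomodify", "noquery"}


def parse_restrict_lines(conf_text):
    """Return a list of (family, target, flags) tuples, one per restrict line.

    family is "ipv4", "ipv6" or "any" (no -4/-6 given, which ntpd applies to
    both families).  A 'mask <netmask>' pair after the target is skipped so it
    is not mistaken for a flag."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        rest = tokens[1:]
        family = "any"
        if rest[0] in ("-4", "-6"):
            family = "ipv4" if rest[0] == "-4" else "ipv6"
            rest = rest[1:]
        if not rest:
            continue
        target = rest[0]
        flags = set()
        i = 1
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                i += 2                              # skip 'mask <netmask>'
                continue
            flags.add(rest[i])
            i += 1
        entries.append((family, target, flags))
    return entries


def audit_default_restrictions(conf_text):
    """Return {"ipv4": missing_flags, "ipv6": missing_flags}.

    An empty set means that family's catch-all 'default' restriction sets
    both nomodify and noquery.  With no 'restrict default' line at all (the
    no-config-file case from the thread) every required flag is missing."""
    missing = {"ipv4": set(REQUIRED_FLAGS), "ipv6": set(REQUIRED_FLAGS)}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default":
            continue
        families = ("ipv4", "ipv6") if family == "any" else (family,)
        for fam in families:
            # A later restrict line for the same target overrides an earlier
            # one in this simplified model; report what the last one leaves.
            missing[fam] = REQUIRED_FLAGS - flags
    return missing


# Constructed sample: the restrictions proposed in the quoted message.
PROPOSED_CONF = """\
restrict default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
driftfile /var/lib/ntp/ntp.drift   # path from the proposal
"""

# Constructed sample: rate limiting only, both exposures still open.
WEAK_CONF = """\
restrict default kod limited
restrict 127.0.0.1 mask 255.255.255.255
"""

if __name__ == "__main__":
    for name, conf in (("no config file", ""),
                       ("proposed", PROPOSED_CONF),
                       ("weak", WEAK_CONF)):
        result = audit_default_restrictions(conf)
        for fam, flags in sorted(result.items()):
            state = "ok" if not flags else "OPEN, missing " + " ".join(sorted(flags))
            print(f"{name:14} {fam}: {state}")
```

Run it against a real `/etc/ntp.conf` by reading the file into `audit_default_restrictions`; a non-empty set for either family is the "anyone can query it, anyone can configure it" condition the thread is worried about.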