[Git][NTPsec/ntpsec][master] Booleanize, and fix a minor bug introduced whe facctoring out sandbox().
Eric S. Raymond
gitlab at mg.gitlab.com
Sat Aug 27 18:30:46 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
319bbbb7 by Eric S. Raymond at 2016-08-27T14:26:57-04:00
Booleanize, and fix a minor bug introduced whe facctoring out sandbox().
That is, when running sandboxed synamic interface tracking should be
disabled, or at least was in NTP Classic. Seemed to work fine without
this under Linux, but maybe it's necessary on some other port. We're
being careful here.
- - - - -
3 changed files:
- include/ntpd.h
- ntpd/ntp_io.c
- ntpd/ntpd.c
Changes:
=====================================
include/ntpd.h
=====================================
--- a/include/ntpd.h
+++ b/include/ntpd.h
@@ -313,7 +313,7 @@ extern volatile u_long handler_pkts; /* number of pkts received by handler */
extern u_long io_timereset; /* time counters were reset */
/* ntp_io.c */
-extern int disable_dynamic_updates;
+extern bool disable_dynamic_updates;
extern u_int sys_ifnum; /* next .ifnum to assign */
extern endpt * any_interface; /* IPv4 wildcard */
extern endpt * any6_interface; /* IPv6 wildcard */
=====================================
ntpd/ntp_io.c
=====================================
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -170,7 +170,7 @@ bool broadcast_client_enabled; /* is broadcast client enabled */
u_int sys_ifnum; /* next .ifnum to assign */
int ninterfaces; /* Total number of interfaces */
-int disable_dynamic_updates; /* scan interfaces once only */
+bool disable_dynamic_updates; /* if true, scan interfaces once only */
#ifdef REFCLOCK
/*
=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -846,8 +846,14 @@ ntpdmain(
#ifdef ENABLE_EARLY_DROPROOT
/* drop root privileges */
/* This doesn't work on NetBSD or with SHM */
- if (sandbox(droproot, user, group, chrootdir, interface_interval!=0) && interface_interval) {
+ if (sandbox(droproot, user, group, chrootdir, interface_interval!=0)) {
interface_interval = 0;
+ /*
+ * for now assume that the privilege to bind to privileged ports
+ * is associated with running with uid 0 - should be refined on
+ * ports that allow binding to NTP_PORT with uid != 0
+ */
+ disable_dynamic_updates = true;
msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
}
#endif
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/319bbbb7f168e16b6a2715132c451171edea9a28
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntpsec.org/pipermail/vc/attachments/20160827/d9e55a30/attachment.html>
More information about the vc
mailing list