[Git][NTPsec/ntpsec][master] Booleanize, and fix a minor bug introduced whe facctoring out sandbox().

Eric S. Raymond gitlab at mg.gitlab.com
Sat Aug 27 18:30:46 UTC 2016 

Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
319bbbb7 by Eric S. Raymond at 2016-08-27T14:26:57-04:00
Booleanize, and fix a minor bug introduced whe facctoring out sandbox().

That is, when running sandboxed synamic interface tracking should be
disabled, or at least was in NTP Classic. Seemed to work fine without
this under Linux, but maybe it's necessary on some other port.  We're
being careful here.

- - - - -


3 changed files:

- include/ntpd.h
- ntpd/ntp_io.c
- ntpd/ntpd.c


Changes:

=====================================
include/ntpd.h
=====================================
--- a/include/ntpd.h
+++ b/include/ntpd.h
@@ -313,7 +313,7 @@ extern volatile u_long handler_pkts;	/* number of pkts received by handler */
 extern u_long	io_timereset;		/* time counters were reset */
 
 /* ntp_io.c */
-extern  int	disable_dynamic_updates;
+extern bool	disable_dynamic_updates;
 extern u_int	sys_ifnum;		/* next .ifnum to assign */
 extern endpt *	any_interface;		/* IPv4 wildcard */
 extern endpt *	any6_interface;		/* IPv6 wildcard */


=====================================
ntpd/ntp_io.c
=====================================
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -170,7 +170,7 @@ bool broadcast_client_enabled;	/* is broadcast client enabled */
 u_int sys_ifnum;			/* next .ifnum to assign */
 int ninterfaces;			/* Total number of interfaces */
 
-int disable_dynamic_updates;		/* scan interfaces once only */
+bool disable_dynamic_updates;	/* if true, scan interfaces once only */
 
 #ifdef REFCLOCK
 /*


=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -846,8 +846,14 @@ ntpdmain(
 #ifdef ENABLE_EARLY_DROPROOT
 	/* drop root privileges */
 	/* This doesn't work on NetBSD or with SHM */
-	if (sandbox(droproot, user, group, chrootdir, interface_interval!=0) && interface_interval) {
+	if (sandbox(droproot, user, group, chrootdir, interface_interval!=0)) {
 		interface_interval = 0;
+		/*
+		 * for now assume that the privilege to bind to privileged ports
+		 * is associated with running with uid 0 - should be refined on
+		 * ports that allow binding to NTP_PORT with uid != 0
+		 */
+		disable_dynamic_updates = true;
 		msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
 	}
 #endif



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/319bbbb7f168e16b6a2715132c451171edea9a28
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntpsec.org/pipermail/vc/attachments/20160827/d9e55a30/attachment.html>

More information about the vc mailing list