I've been thinking about security and defaults. Right now, if ntpd is brought up with no config file, it runs with no restrictions at all. Anyone can query it, anyone can configure it. This seems dubious from a security point of view.
To fix this, we're going to have to feed it a string of config defaults if no config file is present. This is easy to do, and easily tested.

There are three obvious ways to address this.

1. The infosec-focused way. Change the default restrictions to be "allow nothing." This way, if you bring it up with no config, there's no harm. It just spins inaccessibly.

2. User-friendly way. Bring it up with these permissions:

   restrict default kod limited nomodify nopeer noquery
   restrict -6 default kod limited nomodify nopeer noquery
   restrict 127.0.0.1
   restrict -6 ::1
   pool pool.ntp.org iburst
   driftfile /var/lib/ntp/ntp.drift

   That is, the behavior 99.9% of all installations want.

3. Leave current behavior alone.

Please comment, everyone. Personally, I favor 2.

Mark, this edges into policy territory. I'd especially like to hear your opinion.
-- 
Eric S. Raymond <http://www.catb.org/~esr/>

"Gun control" is a job-safety program for criminals.
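An added example, not part of the original message or of the NTPsec code base: a small audit that reports whether a config (or the absence of one) leaves the default restrict entries open to remote query or configuration. It assumes an unqualified `restrict default` covers both address families and that flags from repeated default entries accumulate; the function names are hypothetical.

```python
# Added example: audit the default "restrict" entries of an ntpd-style config.
# Assumptions (not taken from ntpd's source): an unqualified "restrict default"
# covers IPv4 and IPv6, and flags from repeated default entries accumulate.
REQUIRED = {"nomodify", "noquery"}  # block remote configuration and queries

# Option 2 from the message above, verbatim.
PROPOSED_DEFAULTS = """\
restrict default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
pool pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
"""

def default_restrictions(conf_text):
    """Map each address family to its default flag set, or None if absent."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        families = ("ipv4", "ipv6")
        if args[0] in ("-4", "-6"):
            families = ("ipv4",) if args[0] == "-4" else ("ipv6",)
            args = args[1:]
        if not args or args[0] != "default":
            continue  # host- or subnet-specific entry, not the default
        for fam in families:
            found[fam] = (found[fam] or set()) | set(args[1:])
    return found

def audit(conf_text):
    """Return one finding per address family whose default is too open."""
    findings = []
    for fam, flags in default_restrictions(conf_text).items():
        if flags is None:
            findings.append(f"{fam}: no default restrict entry")
        # "ignore" denies all packets, so it needs no further flags.
        elif "ignore" not in flags and REQUIRED - flags:
            missing = " ".join(sorted(REQUIRED - flags))
            findings.append(f"{fam}: default entry lacks {missing}")
    return findings

if __name__ == "__main__":
    for name, text in (("no config", ""), ("option 2", PROPOSED_DEFAULTS)):
        print(name, "->", audit(text) or "ok")
```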