Joe Malcolm <[email protected]> writes:
> Dag-Erling Smørgrav <[email protected]> writes:
> > These work on a "last match" basis. The latter three lines lift all
> > restrictions for localhost, so you can still "ntpq -pn" your own
> > server, but nobody else can.
> Thanks. So, if I understand correctly, the shipped config is
> vulnerable to local (same-host) attackers, not remote ones.
Broadly, yes. Restricting requests from localhost makes it impossible to
monitor your own server, because ntpdc and ntpq talk to ntpd over UDP to
localhost rather than a Unix socket, which could be protected by file
permissions. Implementing a Unix socket for ntpdc / ntpq is left as an
exercise to the reader.

DES
-- 
Dag-Erling Smørgrav - [email protected]
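As an added illustration (my own constructed ntp.conf fragment, not the config quoted in this thread and not FreeBSD's shipped ntp.conf): the first section has the shape the thread describes, a `default` entry that refuses everything, followed by localhost entries with no flags, which is why any same-host user can still talk to ntpd with ntpq or ntpdc. The second section is the alternative a practitioner would usually want: localhost keeps the ability to run `ntpq -pn`, but the `nomodify` and `notrap` flags withhold the requests that change server state. Use one of the two localhost sections, not both. The 192.0.2.0/24 network is a documentation-range placeholder.

```conf
# Constructed example, not the config from the thread.
#
# Default entry: packets from any address not matched by a more specific
# restrict line are dropped outright ("ignore" covers time requests too).
restrict default ignore
restrict -6 default ignore

# --- Section A: the shape discussed above ---
# No flags on the localhost entries, so every restriction is lifted for
# 127.0.0.1 and ::1. Any local user can run "ntpq -pn" or "ntpdc -c ...",
# including requests that reconfigure the daemon at runtime.
restrict 127.0.0.1
restrict -6 ::1

# --- Section B: keep monitoring, drop control (use instead of A) ---
# Status queries such as "ntpq -pn" and "ntpq -c rv" still work from
# localhost; requests that would modify server state or set traps are
# refused. Monitoring is preserved without handing out control.
#restrict 127.0.0.1 nomodify notrap
#restrict -6 ::1 nomodify notrap

# Serve time to a LAN but accept no queries, peering, or configuration
# from it. "noquery" answers time requests and refuses ntpq/ntpdc only,
# unlike "ignore", which drops everything.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
```

To check the effect: `ntpq -pn 127.0.0.1` on the server itself returns the peer table under either section. From a host in 192.0.2.0/24, `ntpdate -q <server>` (or `sntp <server>`) still gets time, while `ntpq -pn <server>` fails because of `noquery`. From any other address the `default ignore` entry drops the packet silently, so ntpq simply times out rather than being told it was refused.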
