> Dag-Erling Smørgrav <des@des.no> writes:
> > These work on a "last match" basis. The latter three lines lift all
> > restrictions for localhost, so you can still "ntpq -pn" your own
> > server, but nobody else can.
> Thanks. So, if I understand correctly, the shipped config is
> vulnerable to local (same-host) attackers, not remote ones.
Broadly, yes. Restricting requests from localhost makes it impossible
to monitor your own server, because ntpdc and ntpq talk to ntpd over UDP
to localhost rather than a Unix socket, which could be protected by file
permissions. Implementing a Unix socket for ntpdc / ntpq is left as an
exercise for the reader.
DES
--
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
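To make the "last match" / localhost exemption concrete, here is an ntp.conf restrict fragment. It is an added example, not the configuration quoted in this thread: the flag set on the `default` line and the pool server name are assumptions chosen to illustrate a policy that refuses control queries from everyone except the local host.

```conf
# ntp.conf fragment (added example, not the shipped file from the thread).
# Policy: deny control queries from everywhere, then exempt the loopback
# addresses so ntpq/ntpdc on the host itself keep working.

# This line applies to every source that no more specific restrict line
# matches:
#   limited / kod  - rate-limit abusive clients and answer with Kiss-o'-Death
#   nomodify       - refuse ntpq/ntpdc requests that change runtime config
#   notrap         - refuse control-message trap service
#   noquery        - refuse ntpq (mode 6) and ntpdc (mode 7) queries;
#                    this is what stops a remote "ntpq -pn" against the server
#   nopeer         - refuse unauthenticated symmetric-peer associations
restrict default limited kod nomodify notrap noquery nopeer

# More specific entries win over "default" for the addresses they cover.
# A restrict line with no flags lifts every restriction, so the local
# ntpq/ntpdc, which reach ntpd over UDP on the loopback address rather
# than a file-permission-protected Unix socket, are still answered.
restrict 127.0.0.1
restrict ::1

# Ordinary client/server time exchange is not affected by noquery, so
# upstream servers are still usable. (Pool name is an assumption.)
server 0.freebsd.pool.ntp.org iburst
```

Check it from both sides after restarting ntpd: `ntpq -pn` on the host should print the peer list, while `ntpq -pn <server-address>` from another machine should get no answer and report a timeout, because `noquery` silently drops the control request rather than sending an error.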