#
1fa741bd |
| 16-Jul-2021 |
mestre <mestre@openbsd.org> |
main proc doesn't speak with sockets during the main loop and setpriority plus chroot (and privdrop) in the child procs at this point are all set and done so pledge("inet id") promises are not required anymore.
analysis and OK @kn
|
#
fd393c40 |
| 16-Jul-2021 |
mestre <mestre@openbsd.org> |
/etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local function priv_constraint_child() which is called before we reach pledge(2), therefore we don't need to unveil(2) that file nor having pledge("rpath") since it was only required to read that same file.
OK kn@
|
#
bc5a8259 |
| 12-Jul-2021 |
beck <beck@openbsd.org> |
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
#
1908d877 |
| 12-Feb-2020 |
otto <otto@openbsd.org> |
If constraints are configured but do not work for whatever reason ntpd does not work. Make that more clear in the log and ntpdctl -s status. report by and ok benno@
|
#
1511e2d1 |
| 11-Nov-2019 |
otto <otto@openbsd.org> |
Also implement "trusted" for sensors; do not do constraint validation for these. ok deraadt@
|
#
9c341873 |
| 11-Nov-2019 |
deraadt <deraadt@openbsd.org> |
Disable -s and -S functionality. -s would force time using NTP packets without any MITM protection checks. We've had constraint checks for MITM protection for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode. In environments where https traffic doesn't work, ethernet-near servers can be labelled as "trusted". trusted sensor support is also coming. We have reasons to immediately move people away from the -s mode. ok otto
|
#
eb7f225f |
| 10-Nov-2019 |
otto <otto@openbsd.org> |
Introduce a "trusted" modifier, for peers that should be on a local net used in situations where https constraints cannot be used and we still want auto settime. Result of discussion with and ok deraadt@
|
#
fe63d0d1 |
| 10-Nov-2019 |
otto <otto@openbsd.org> |
- validate sensor values against constraints
- do not restart settime timeout interval if something happens in the main event loop
- apply a tight loop protection; it can be painful on a single core machine since the process runs at maximum priority. Should only happen when a bug is introduced while developing, but prevents having the machine taken over by ntpd.
|
#
df69c215 |
| 28-Jun-2019 |
deraadt <deraadt@openbsd.org> |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
8d2ac903 |
| 27-Jun-2019 |
otto <otto@openbsd.org> |
Allow logging to both stderr and syslog; don't reset the log level if the log destination changes. ok claudio@ benno@
|
#
c9addb91 |
| 12-Jun-2019 |
otto <otto@openbsd.org> |
Fix init of syslog for childs and teach dns process about synced state. ok benno@
|
#
841516aa |
| 09-Jun-2019 |
otto <otto@openbsd.org> |
Introducing automatic settime mode: if some preconditions are met (booting, constraint(s) defined) set the time but only if the clock should be moved forward by more than a minute, based on ntp replies that satisfied the constraints. Tested by many; ok deraadt@
|
#
febce360 |
| 14-Jan-2019 |
florian <florian@openbsd.org> |
Prevent multiple ntpds from tripping over each other. This brings over the logic from bgpd & ospfd. Input & OK deraadt
|
#
fb0a89ee |
| 29-Nov-2018 |
tedu <tedu@openbsd.org> |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
84c1bf98 |
| 06-Nov-2018 |
jsing <jsing@openbsd.org> |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
#
50c479e0 |
| 31-Aug-2018 |
deraadt <deraadt@openbsd.org> |
the main process must chdir to /, since it cannot have daemon() do the job at startup. After much anguish I accept dlg's solution of chdir for the problem ("starting ntpd on a filesystem I want to unmount"), but we cannot change the main-process daemon() call. Why? Because the ntpd privsep design predates more modern designs where the config file is parsed once, and configuration marshalled to the fork+exec children. Instead each ntpd process re-parses the config, and if we chdir before fork+exec startup, it will move the basedir causing -f "relativepath" to fail.
discussed with florian
|
#
01a88081 |
| 08-Aug-2018 |
deraadt <deraadt@openbsd.org> |
ntpd unveils the cert.pem "r" file (which is passed-over-socket to the constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
|
#
bf3450a9 |
| 04-Aug-2018 |
mestre <mestre@openbsd.org> |
Revert back previous commit, we have decided that socket files don't cause any harm if not deleted after the daemon is shutdown and at the same time we also tackle another attack surface by not allowing the program to create/delete any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
|
#
b6e52342 |
| 02-Aug-2018 |
mestre <mestre@openbsd.org> |
ntpd(8) has logic in place to delete its control socket on shutdown, but it currently doesn't call the function control_cleanup to do so. The solution is to simply call that function just before the program quits.
"sure" henning@
|
#
871fc12c |
| 09-Jan-2017 |
reyk <reyk@openbsd.org> |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
c29ada62 |
| 01-Dec-2016 |
mestre <mestre@openbsd.org> |
Remove unused variable which was leaking memory, and while here remove 2 other variables that were also never used
OK otto@
|
#
5f14684e |
| 26-Sep-2016 |
rzalamena <rzalamena@openbsd.org> |
Teach ntpd(8) constraint process to use exec*() instead of just forking, with this change we get the pledge() ability back to the parent process.
some tweaks from and ok reyk@
|
#
78541249 |
| 26-Sep-2016 |
rzalamena <rzalamena@openbsd.org> |
Teach ntpd(8) how to use socket status to shutdown the daemon. While at it, remove some verbose shutdown messages that we had before with pipe close.
ok reyk@
|
#
4e840e7a |
| 14-Sep-2016 |
rzalamena <rzalamena@openbsd.org> |
Teach ntpd(8) how to fork+exec.
ok reyk@, bcook@
|
#
774da4d1 |
| 03-Sep-2016 |
reyk <reyk@openbsd.org> |
Remove the oh so funny "LOSS OF MIND" from the disclaimer that was not part of the original ISC license that we use in OpenBSD. Done for files where Henning is the original author.
OK henning@ deraadt@
|