Bug 113237
| Summary: | /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | josip |
| Component: | ntp | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | mitr |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-01-12 13:07:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Description of problem: /etc/init.d/ntpd function start() determines timeservers incorrectly, because it does not accept any additional server options nor comments. As a result, "service ntpd start" can produce failed iptables updates. Suggestion: Modify the flawed section as follows: timeservers=`/bin/sed \ -n -e 's/\#.*$//;/127.*/d' \ -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \ -e 's/^[[:blank:]]*server[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \ -e 's/^[[:blank:]]*peer[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \ $ntpconf | awk '{print $1}'` where the added "| awk ..." bit guards against additional information on the /etc/ntp.conf server or peer line. Version-Release number of selected component (if applicable): ntp-4.1.2-0.rc1.2 How reproducible: Always Steps to Reproduce: 1. service iptables start (if needed) 2. edit /etc/ntp.conf to add "server 192.43.244.18 maxpoll 8" 3. service ntpd start (or restart, as needed) Actual Results: ntpd: Opening firewall for host "maxpoll" fails, but host "8" succeeds, which open (minor) holes in the firewall: Chain RH-Lokkit-0-50-INPUT (2 references) target prot opt source destination ACCEPT udp -- 0.0.0.8 0.0.0.0/0 udp spt:123 dpt:123 Expected Results: ntpd: should open firewall port only for the NTP server addresses, not for other parameters on the same line Additional info: ntpd: Opening firewall for input from 192.43.244.18 port 123 [ OK ] ntpd: Opening firewall for input from maxpoll port 123iptables v1.2.7a: host/network `maxpoll' not found Try `iptables -h' or 'iptables --help' for more information. [FAILED] ntpd: Opening firewall for input from 8 port 123 [ OK ]