Bug 134471

Summary: ntpd loads IPv6 kernel module when it starts
Product: [Fedora] Fedora Reporter: Olivier Benghozi <olivier.benghozi+redhatbugzilla>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED DUPLICATE QA Contact: Brock Organ <borgan>
Severity: low Docs Contact:
Priority: medium    
Version: 3CC: mattdm, mitr, pekkas, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-10 20:39:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150221    

Description Olivier Benghozi 2004-10-03 15:14:20 UTC 
Description of problem:
ntpd loads by itself the ipv6 kernel module, potentialy opening a
breach in the system. Initscripts could easyly prevent this by
managing a configuration line in /etc/modprobe.conf.

How reproducible:
Always

Steps to Reproduce:
When ntpd is started at boot, it loads ipv6 kernel module (by the way,
/etc/sysconfig/network can contain NETWORKING_IPV6=no).
Even if no ipv6 server is configured.

Ntpd should not loads ipv6 module by itself.

The problem is that this unexpected loading of ipv6 module creates a
serious problem: since it was not expected that ipv6 was to be
configured on the system, nothing is done to prevent ipv6 address
autoconfiguration or firewalling of ipv6 ports.

Additional info:

Suggestion: network initscripts should put a line
alias net-pf-10 off
in /etc/modprobe.conf by default or at least when NETWORKING_IPV6=no
exists in /etc/sysconfig/network.
Comment 1 Pekka Savola 2004-10-17 10:28:54 UTC 
Does the aliasing actually work (anymore, with 2.6 kernels)? -- see 
the comments at:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112535
Comment 2 Matthew Miller 2005-04-26 15:25:38 UTC 
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 3 Miloslav Trmač 2006-03-01 02:17:08 UTC 
ntpd is simply creating an PF_INET6 socket, which is a quite reasonable
operation.

With new modutils the equivalent of the alias would be
        install ipv6 /bin/true

Adding/removing this line in modprobe.conf would probably have to be done
in rc.sysinit to avoid such autoloading :(
Comment 4 Bill Nottingham 2006-07-10 20:07:27 UTC 

*** This bug has been marked as a duplicate of 198045 ***
Comment 5 Matthew Miller 2006-07-10 20:37:13 UTC 
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 6 Miloslav Trmač 2006-07-10 20:39:36 UTC 

*** This bug has been marked as a duplicate of 198045 ***