Bug 113237 - /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 9
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Harald Hoyer
QA Contact: Brian Brock
Keywords: Security
Reported: 2004-01-09 23:09 EST by josip
Modified: 2007-04-18 13:01 EDT
Doc Type: Bug Fix
Last Closed: 2004-01-12 08:07:18 EST
Attachments: None
Description josip 2004-01-09 23:09:11 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007

Description of problem:
/etc/init.d/ntpd function start() determines timeservers incorrectly,
because it does not accept any additional server options nor comments.
As a result, "service ntpd start" can produce failed iptables updates.

Suggestion: Modify the flawed section as follows:

# Note: in sed basic regular expressions a bare "+" is a literal character;
# GNU sed's "\+" is needed for "one or more", otherwise the second and third
# patterns (and therefore all "peer" lines) never match.
timeservers=`/bin/sed \
    -n -e 's/\#.*$//;/127.*/d' \
    -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
    -e 's/^[[:blank:]]*server[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    -e 's/^[[:blank:]]*peer[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    "$ntpconf" | awk '{print $1}'`

where the added "| awk ..." bit guards against additional information
on the /etc/ntp.conf server or peer line.


Version-Release number of selected component (if applicable):
ntp-4.1.2-0.rc1.2

How reproducible:
Always

Steps to Reproduce:
1. service iptables start (if needed)
2. edit /etc/ntp.conf to add "server 192.43.244.18 maxpoll 8"
3. service ntpd start (or restart, as needed)
Actual Results:  ntpd: Opening firewall for host "maxpoll" fails, but
host "8" succeeds, which opens (minor) holes in the firewall:

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.8              0.0.0.0/0          udp spt:123 dpt:123


Expected Results:  ntpd: should open firewall port only for the NTP
server addresses, not for other parameters on the same line

Additional info:

ntpd: Opening firewall for input from 192.43.244.18 port 123  [  OK  ]
ntpd: Opening firewall for input from maxpoll port 123iptables
v1.2.7a: host/network `maxpoll' not found
Try `iptables -h' or 'iptables --help' for more information.
                                                           [FAILED]
ntpd: Opening firewall for input from 8 port 123           [  OK  ]

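The parsing failure described in this report, worked through as an added example (this is not the Red Hat init script and not the reporter's patch): it takes only the first argument of each "server"/"peer" line, strips comments, skips local reference clocks, and shows the iptables rules that would result. The ntp.conf content is constructed, and the rule format is assumed from the RH-Lokkit-0-50-INPUT listing above; the rules are printed, not executed.

```shell
#!/bin/sh
# Added example: extract time server hosts from an ntp.conf without
# mistaking options such as "maxpoll 8" for addresses.

# Constructed sample configuration (not taken from any real host).
NTP_SAMPLE='# constructed /etc/ntp.conf
server 192.43.244.18 maxpoll 8   # the line from the bug report
server  time.example.org iburst
peer 10.0.0.5 key 3
server 127.127.1.0               # local clock driver, must be skipped
fudge  127.127.1.0 stratum 10
restrict default ignore
'

# Write the sample to a temporary file and print its path.
ntp_sample_file() {
    f=$(mktemp) || return 1
    printf '%s' "$NTP_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# Print one host per line from the ntp.conf named in $1.
# Only the first argument after "server" or "peer" is a host; everything
# after it is an option and must never reach iptables.
ntp_timeservers() {
    awk '
        { sub(/#.*/, "") }                        # drop comments, re-split fields
        ($1 == "server" || $1 == "peer") && NF >= 2 {
            host = $2                             # first argument only
            if (host !~ /^127\./) print host      # skip local reference clocks
        }
    ' "$1"
}

# Dry run: print the rule the init script would add for each host
# (format assumed from the chain listing in the report; nothing is executed).
ntp_firewall_rules() {
    ntp_timeservers "$1" | while read -r host; do
        printf 'iptables -A RH-Lokkit-0-50-INPUT -p udp -s %s --sport 123 --dport 123 -j ACCEPT\n' "$host"
    done
}

# Stand-alone demo: show what would be opened for the sample configuration.
demo_conf=$(ntp_sample_file)
ntp_firewall_rules "$demo_conf"
rm -f "$demo_conf"
```

For the sample above the dry run yields exactly three rules, one per real host, and neither "maxpoll" nor "8" appears anywhere in the output.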