Bug 113237 - /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem
Summary: /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp   
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
Keywords: Security
Depends On:
Reported: 2004-01-10 04:09 UTC by josip
Modified: 2007-04-18 17:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-01-12 13:07:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description josip 2004-01-10 04:09:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5)

Description of problem:
/etc/init.d/ntpd function start() determines timeservers incorrectly,
because it does not accept any additional server options nor comments.
As a result, "service ntpd start" can produce failed iptables updates.

Suggestion: Modify the flawed section as follows:

timeservers=`/bin/sed \
    -n -e 's/\#.*$//;/127.*/d' \
    -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
    -e 's/^[[:blank:]]*server[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    -e 's/^[[:blank:]]*peer[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    $ntpconf | awk '{print $1}'`

where the added "| awk ..." bit guards against additional information
on the /etc/ntp.conf server or peer line.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. service iptables start (if needed)
2. edit /etc/ntp.conf to add "server maxpoll 8"
3. service ntpd start (or restart, as needed)

Actual Results:  ntpd: Opening firewall for host "maxpoll" fails, but
host "8" succeeds, which opens (minor) holes in the firewall:

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --              udp spt:123 dpt:123

Expected Results:  ntpd: should open firewall port only for the NTP
server addresses, not for other parameters on the same line

Additional info:

ntpd: Opening firewall for input from port 123  [  OK  ]
ntpd: Opening firewall for input from maxpoll port 123
iptables v1.2.7a: host/network `maxpoll' not found
Try `iptables -h' or 'iptables --help' for more information.
ntpd: Opening firewall for input from 8 port 123           [  OK  ]

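The extraction failure described in this report, as an added example that is neither the reporter's code nor the Red Hat Linux 9 init script: a constructed ntp.conf is parsed first with a reconstruction of the original server-line extraction (assumption: the init script loops over the result with `for server in $timeservers` and passes each word to iptables), then with the sed-plus-awk shape the reporter proposes, and the two host lists the firewall rules would be built from are compared. The variable NTPCONF, the functions buggy_timeservers, fixed_timeservers and host_list, and the example.org hostnames are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Red Hat Linux 9 init script and not the reporter's code:
# show which "hosts" the ntpd start() firewall loop receives from a sample
# ntp.conf with the original extraction and with the first-word fix.

# Constructed sample configuration (assumption: not taken from the report).
NTPCONF="${TMPDIR:-/tmp}/ntp.conf.example.$$"
trap 'rm -f "$NTPCONF"' EXIT
cat > "$NTPCONF" <<'EOF'
# constructed sample ntp.conf
server ntp1.example.org maxpoll 8        # trailing comment
    server ntp2.example.org iburst prefer
peer   peer.example.org minpoll 6
server 127.127.1.0                        # local clock, never a firewall peer
fudge  127.127.1.0 stratum 10
restrict default ignore
EOF

# Reconstruction (assumption) of the original extraction: comment stripped,
# any line containing "127" dropped, then everything after "server " kept,
# so option words such as "maxpoll" and "8" survive as separate words.
buggy_timeservers() {
    sed -n -e 's/#.*$//;/127.*/d' \
           -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' "$1"
}

# Corrected extraction in the shape the reporter proposes: sed isolates the
# text after the server/peer keyword and awk keeps only its first word.
# The loopback test is also tightened to the address itself, so a hostname
# that merely contains "127" is no longer silently skipped.
fixed_timeservers() {
    sed -n -e 's/#.*$//' \
           -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
           -e 's/^[[:blank:]]*peer[[:blank:]][[:blank:]]*\(.*\)/\1/p' "$1" \
        | awk 'NF && $1 !~ /^127\./ { print $1 }'
}

# Word-split the extractor's output the way `for server in $timeservers`
# does in the init script, and return the words on one line.
host_list() {
    echo $("$1" "$2")
}

echo "original extraction would open port 123 for: $(host_list buggy_timeservers "$NTPCONF")"
echo "corrected extraction opens port 123 for:     $(host_list fixed_timeservers "$NTPCONF")"
```

With the sample file, the original extraction hands six words to the firewall loop (ntp1.example.org, maxpoll, 8, ntp2.example.org, iburst, prefer), which is exactly the "maxpoll" failure and the spurious rule for "8" shown in the report; the corrected extraction hands over the three hostnames only. A further hardening step that fits the same script is to validate each token before it reaches iptables, for example by rejecting anything outside the characters a hostname or IP address can contain, so that a malformed configuration line fails loudly instead of turning into a firewall rule.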