Bug 113237 - /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem
Summary: /etc/init.d/ntpd incorrectly determines timeservers creating a firewall problem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-01-10 04:09 UTC by josip
Modified: 2007-04-18 17:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-01-12 13:07:18 UTC
Embargoed:



Description josip 2004-01-10 04:09:11 UTC

Description of problem:
/etc/init.d/ntpd function start() determines timeservers incorrectly,
because it does not accept any additional server options nor comments.
 As a result, "service ntpd start" can produce failed iptables updates.

Suggestion: Modify the flawed section as follows:

# Note: in GNU sed basic regexps a bare "+" matches a literal plus sign; the
# one-or-more quantifier must be written "\+", otherwise the third and fourth
# expressions (the "server ... options" and "peer" forms) never match.
timeservers=`/bin/sed \
    -n -e 's/\#.*$//;/127.*/d' \
    -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
    -e 's/^[[:blank:]]*server[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    -e 's/^[[:blank:]]*peer[[:blank:]]\+\([[:alnum:].]\+\)[[:blank:]]*.*/\1/p' \
    $ntpconf | awk '{print $1}'`

where the added "| awk ..." bit guards against additional information
on the /etc/ntp.conf server or peer line.


Version-Release number of selected component (if applicable):
ntp-4.1.2-0.rc1.2

How reproducible:
Always

Steps to Reproduce:
1. service iptables start (if needed)
2. edit /etc/ntp.conf to add "server 192.43.244.18 maxpoll 8"
3. service ntpd start (or restart, as needed)
    

Actual Results:  ntpd: Opening firewall for host "maxpoll" fails, but
host "8" succeeds, which opens (minor) holes in the firewall:

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.8              0.0.0.0/0          udp spt:123 dpt:123


Expected Results:  ntpd: should open firewall port only for the NTP
server addresses, not for other parameters on the same line

Additional info:

ntpd: Opening firewall for input from 192.43.244.18 port 123  [  OK  ]
ntpd: Opening firewall for input from maxpoll port 123iptables v1.2.7a: host/network `maxpoll' not found
Try `iptables -h' or 'iptables --help' for more information.
                                                           [FAILED]
ntpd: Opening firewall for input from 8 port 123           [  OK  ]

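A safer way to do the same extraction, added here as an example that is not the reporter's snippet or the Red Hat init script: it keeps only the second field of "server"/"peer" lines (so trailing options such as "maxpoll 8" never reach iptables), skips loopback entries by address rather than by the substring "127", and checks each token before it would be put into a firewall rule. The ntp.conf contents are constructed for the example.

```shell
# Print the host field of every "server"/"peer" line in an ntp.conf,
# dropping comments, blank lines and 127.x loopback/local-clock entries.
# $1 = path to the configuration file.
ntp_timeservers() {
    sed -e 's/#.*$//' "$1" |
    awk '($1 == "server" || $1 == "peer") && NF >= 2 && $2 !~ /^127\./ { print $2 }'
}

# Return 0 if the token is a plausible IPv4 address or DNS hostname, 1 otherwise.
# Rejects empty tokens, stray option values such as "8", and tokens starting
# with "-" (which an iptables command line would parse as an option).
is_host_token() {
    case "$1" in
        ""|-*|*-|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # an all-numeric token must be a full dotted quad, not a bare number
    if printf '%s' "$1" | grep -Eq '^[0-9.]+$'; then
        printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    fi
    return 0
}

# Constructed sample configuration (not a real /etc/ntp.conf).
ntp_conf_sample() {
    cat <<'EOF'
# constructed sample ntp.conf
server 192.43.244.18 maxpoll 8     # the line from the bug report
server  pool.example.org iburst
peer 10.0.0.2 key 1
server 127.127.1.0                 # local clock driver, must be skipped
fudge 127.127.1.0 stratum 10
restrict default nomodify
EOF
}

# Usage in an init script: only validated hosts get a firewall rule.
#   for host in $(ntp_timeservers /etc/ntp.conf); do
#       is_host_token "$host" || { echo "ntpd: skipping bad token '$host'"; continue; }
#       ... add the iptables rule for "$host" here ...
#   done
```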
