Red Hat Bugzilla – Bug 134471
ntpd loads IPv6 kernel module when it starts
Last modified: 2014-03-16 22:48:59 EDT
Description of problem:
ntpd loads by itself the ipv6 kernel module, potentialy opening a
breach in the system. Initscripts could easyly prevent this by
managing a configuration line in /etc/modprobe.conf.
Steps to Reproduce:
When ntpd is started at boot, it loads ipv6 kernel module (by the way,
/etc/sysconfig/network can contain NETWORKING_IPV6=no).
Even if no ipv6 server is configured.
Ntpd should not loads ipv6 module by itself.
The problem is that this unexpected loading of ipv6 module creates a
serious problem: since it was not expected that ipv6 was to be
configured on the system, nothing is done to prevent ipv6 address
autoconfiguration or firewalling of ipv6 ports.
Suggestion: network initscripts should put a line
alias net-pf-10 off
in /etc/modprobe.conf by default or at least when NETWORKING_IPV6=no
exists in /etc/sysconfig/network.
Does the aliasing actually work (anymore, with 2.6 kernels)? -- see
the comments at:
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
ntpd is simply creating an PF_INET6 socket, which is a quite reasonable
With new modutils the equivalent of the alias would be
install ipv6 /bin/true
Adding/removing this line in modprobe.conf would probably have to be done
in rc.sysinit to avoid such autoloading :(
*** This bug has been marked as a duplicate of 198045 ***
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.