Bug 34351 - [W/ FIX] Broken ntp programs (ntpq, ntpd, ...) which hang on network access on alpha 164LX when using access control
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.0
Hardware: alpha Linux
Priority: medium, Severity: medium
Assigned To: Preston Brown
QA Contact: Brian Brock
Keywords: Security
Reported: 2001-04-02 11:08 EDT by Paul Millar
Modified: 2007-04-18 12:32 EDT
Doc Type: Bug Fix
Last Closed: 2001-04-02 11:08:18 EDT

Description Paul Millar 2001-04-02 11:08:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.17-14 alpha; en-US; 0.8)
Gecko/20010217


Using package ntp with md5 hash:

ntp-4.0.99j-7.alpha.rpm: B4 32 03 78 86 4F 18 A3  7D 96 FE 6E B3 F7 D9 E4

ntpd apparently starts from init.d scripts fine, except for the syslog entry:

Apr  2 15:12:12 xxxxxxxx ntpd[5754]: 0.0.0.0 is inappropriate address for the fudge command, line ignored

(the fudge command exists in /etc/ntp.conf, but is not set to the 0.0.0.0
address)

With an everything-allowed access policy, it works. With a deny-by-default
access policy, "ntpq -p" hangs with the following message:

127.0.0.1: timed out, nothing received
***Request timed out

despite having explicit allow access lines for both 127.0.0.1 and the
machine's Ethernet IP address. Similar problems occur when using the ntpdc
and ntptrace programs.


Reproducible: Always
Steps to Reproduce:
1. rpm -Uvh --force ntp-4.0.99j-7.alpha.rpm
2. Add a few servers and the lines:
     restrict default allow
     restrict 127.0.0.1
   to the top of the file /etc/ntp.conf
3. /etc/rc.d/init.d/ntpd start
4. ntpq -p
5. Change "restrict default allow" to "restrict default ignore"
6. /etc/rc.d/init.d/ntpd restart
7. ntpq -p

Actual Results:  output from step 4:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.0.0.0         0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 xxx.xxxxxxx.gla maverick.mcc.ac  3 u   51   64    3    0.337    2.150   0.001
 xxxxx.xxxxxxx.g maverick.mcc.ac  3 u   20   64    3    0.245   -3.906   0.001
 xxxxx.xxxxxxx.g veracity.mcc.ac  3 u   13   64    3    0.280    3.043   0.003

output from step 7:

127.0.0.1: timed out, nothing received
***Request timed out


Expected Results: 

step 4 produces correct output, step 7 should produce the following output
(as we haven't allowed access from our servers):
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   39   64    3    0.000    0.000   0.000
 xxx.xxxxxxx.gla 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 xxxxx.xxxxxxx.g 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 xxxxx.xxxxxxx.g 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00


FIX: recompile from the Source RPM using gcc-2.96-69. Install (using
--force option) and restart server.

Although I've tagged this bug's severity as Security, it's a minor one.
Without an access policy, unauthorised machines can alter your machines'
concept of time. This is unlikely, in itself, to be a security problem, but
it may prove "useful" when combined with other attacks.

NB this style of bug (network access on Alpha 164LX) is common to other
bugs (gdm-xdmcp, samba) which are also solved by recompiling with gcc-2.96-69.
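
Added example (not part of the original report or of the ntp package): a small Python check that evaluates `restrict` lines by most-specific match, so the policy from steps 2 and 5 can be ruled out as the cause before suspecting the binary. It assumes numeric IPv4 addresses only; `CONF`, `parse_restrict`, `effective_flags` and `query_allowed` are illustrative names, and the server address is constructed.

```python
import ipaddress

# Constructed sample mirroring steps 2 and 5 of the report (server address is made up).
CONF = """\
restrict default ignore
restrict 127.0.0.1
server 192.0.2.10
"""

# Flags that make ntpd drop ntpq/ntpdc queries from a matching source.
QUERY_BLOCKING = {"ignore", "noquery"}

def parse_restrict(conf_text):
    """Return [(network, flags)] for numeric IPv4 'restrict' lines."""
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            cidr = "0.0.0.0/0"
        elif len(rest) >= 2 and rest[0] == "mask":
            cidr, rest = f"{addr}/{rest[1]}", rest[2:]
        else:
            cidr = f"{addr}/32"            # no mask given: a single host
        rules.append((ipaddress.ip_network(cidr, strict=False), frozenset(rest)))
    return rules

def effective_flags(rules, source):
    """Flags of the most specific entry that matches source."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return frozenset()                 # no entry matches: unrestricted
    return max(matches, key=lambda m: m[0])[1]

def query_allowed(rules, source):
    """True if the policy lets source's ntpq/ntpdc queries be answered."""
    return not (effective_flags(rules, source) & QUERY_BLOCKING)

if __name__ == "__main__":
    rules = parse_restrict(CONF)
    for src in ("127.0.0.1", "192.0.2.10"):
        print(src, "query allowed" if query_allowed(rules, src) else "query dropped")
```

If this reports loopback queries as allowed and `ntpq -p` against 127.0.0.1 still times out, the policy text is not the cause, which is consistent with the recompile fix in the report.
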
Comment 1 Preston Brown 2001-04-03 12:25:44 EDT
NTP in 7.1 has been recompiled with the newer compiler release.  These packages
are available via rawhide, and will of course also be in the next release.
