First Last Prev Next    This bug is not in your last search results.
Bug 62238 - default configuration is insecure
default configuration is insecure
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ntp (Show other bugs)
7.3
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Harald Hoyer
Brian Brock
: Security
Depends On:
Blocks: 61901
  Show dependency treegraph
 
Reported: 2002-03-28 14:01 EST by Brent Fox
Modified: 2007-03-26 23:52 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-04-02 03:47:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Brent Fox 2002-03-28 14:01:04 EST 
The default configuration file for ntp.conf has:

authenticate  no

This allows regular users to change the remote timeserver.  We should change the
default to:

authenticate  yes
Comment 1 Benjamin Shrom 2002-03-28 14:12:42 EST 
please, don't forget ia64 :-)
Comment 2 Harald Hoyer 2002-04-02 03:47:04 EST 
Or that one:

# Prohibit general access to this service.
restrict default ignore

# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict time.stuttgart.redhat.com noquery nomodify notrap

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
# restrict 127.0.0.1
Comment 3 Harald Hoyer 2002-04-02 10:46:35 EST 
ntp-4.1.0b-6
Comment 4 Benjamin Shrom 2002-06-28 17:37:41 EDT 
there is a new NTP package in RH7.3

what about 7.2 ?

It's still a security bug.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.