[Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

Gabe Alford redhatrises at gmail.com
Fri May 9 02:09:03 UTC 2014


Re-factored my second patch. :)

Gabe


On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford <redhatrises at gmail.com> wrote:

> Updated patch to not run ntpdate if ntpd is running.
>
> Gabe
>
>
>
> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatrises at gmail.com> wrote:
>
>> Thanks Petr!
>>
>> Will rework patch to just skip ntpdate if ntpd is already running.
>>
>>
>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>
>>> Hello Gabe!
>>>
>>>
>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>
>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>> not running ntpdate if ntpd was already running. I believe this patch only
>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>> master.
>>>>
>>>
>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>>> potential security hole because an attacker can fake NTP answers and force
>>> the machine to rewind its clock to the past.
>>>
>>> This opens the potential for replay attacks/reusing old compromised keys
>>> etc.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>>
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0017-3-ipa-client-install-skip-running-ntpdate-if-ntpd-is-r.patch
Type: text/x-patch
Size: 2642 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140508/178ba238/attachment.bin>
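
The risk raised in the quoted reply, and the skip-if-ntpd-is-running behaviour the patch title names, as a simplified model added here (not the attached patch and not FreeIPA code). The `Ticket` class, the function names and all timestamps are constructed for illustration; the one-shot sync is modelled as adopting whatever time the reply claims.

```python
"""Simplified model of a clock rewind re-validating an expired credential."""
from dataclasses import dataclass


@dataclass
class Ticket:
    # Constructed stand-in for any time-limited credential.
    principal: str
    not_before: int  # epoch seconds
    not_after: int   # epoch seconds


def ticket_valid(ticket, now):
    """Validity check that trusts the local clock."""
    return ticket.not_before <= now <= ticket.not_after


def one_shot_sync(local_clock, server_time):
    """Model of a one-shot sync: the claimed time is adopted as-is,
    even when it lies in the past relative to the local clock."""
    return server_time


def sync_clock(local_clock, server_time, ntpd_running):
    """Skip the one-shot sync when ntpd is already running."""
    if ntpd_running:
        return local_clock, "skipped: ntpd is running"
    return one_shot_sync(local_clock, server_time), "stepped by one-shot sync"


def demo():
    # Constructed values: a credential that expired long before "now".
    old = Ticket("host/client.example.test", 1_398_000_000, 1_398_036_000)
    real_now = 1_399_600_000
    forged_time = 1_398_010_000  # forged reply inside the ticket lifetime
    results = {"before": ticket_valid(old, real_now)}
    for running in (False, True):
        clock, action = sync_clock(real_now, forged_time, running)
        # An expired credential becomes valid again only if the clock moved.
        results[running] = (action, ticket_valid(old, clock))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```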

