titles (including flags) to distinguish between daemons, this makes it
possible to manage multiple copies of a daemon using the normal infrastructure
by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@
process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@
and coping with error conditions... that lets us avoid a pledge "wpath".
Putting it all together, this lets the master ntpd pledge "stdio rpath
inet settime proc id". It works like this: "rpath" to load the
certificates, "proc" to create constraint processes, "id" to chroot
and lock the constraint processes into a jail, then "inet" to open a
https session. "settime" is used by the master to manage the system
time when the ntp-speaking engine instructs the master.
with help from naddy
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
while here i've reformatted the page to stop kidding that -s is 4 options;
original issue kind of spotted by adam thompson, though note i am not fixing the
issue he complained about (i'll address that mail in a minute);
time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses. This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present. This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@
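The verification idea in the commit above (take the Date: header from several HTTPS servers, use the median as a constraint, and reject NTP responses that fall outside it) can be sketched in a few lines. The following is an added example written for this page, not code from OpenBSD ntpd; the sample Date: headers are constructed, and the acceptance margin of 15 minutes is an assumption of the example rather than a value taken from the commit.

```python
from email.utils import parsedate_to_datetime
from datetime import timezone
from statistics import median

# Constructed sample "Date:" headers, as returned by three HTTPS servers
# (example values, not captured from real servers).
SAMPLE_DATE_HEADERS = [
    "Date: Tue, 14 Nov 2023 22:13:20 GMT",   # 1700000000
    "Date: Tue, 14 Nov 2023 22:13:25 GMT",   # 1700000005
    "Date: Tue, 14 Nov 2023 22:13:50 GMT",   # 1700000030, the slowest server
]

# Tolerance around the median constraint within which an NTP response is
# accepted. Assumed for this example; ntpd's own margin is not stated here.
CONSTRAINT_MARGIN_SECONDS = 15 * 60


def parse_date_header(line: str) -> float:
    """Return the Unix time carried by an RFC 1123 'Date:' header line."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "date":
        raise ValueError("not a Date header: %r" % line)
    dt = parsedate_to_datetime(value.strip())
    if dt.tzinfo is None:            # "-0000" yields a naive datetime
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def median_constraint(headers) -> float:
    """Median of the constraint times; a single lying server cannot move it far."""
    times = [parse_date_header(h) for h in headers]
    if not times:
        raise ValueError("no constraint headers available")
    return median(times)


def ntp_time_acceptable(ntp_time: float, constraint: float,
                        margin: float = CONSTRAINT_MARGIN_SECONDS) -> bool:
    """True if the NTP-supplied time lies within the constraint boundary."""
    return abs(ntp_time - constraint) <= margin


def filter_ntp_responses(headers, ntp_times):
    """Split NTP response times into (accepted, rejected) using the median constraint."""
    constraint = median_constraint(headers)
    accepted = [t for t in ntp_times if ntp_time_acceptable(t, constraint)]
    rejected = [t for t in ntp_times if not ntp_time_acceptable(t, constraint)]
    return accepted, rejected


if __name__ == "__main__":
    # One honest response and one that is off by well over the margin.
    print(filter_ntp_responses(SAMPLE_DATE_HEADERS, [1700000010, 1700010000]))
```

The median rather than the mean is what gives the scheme its robustness: with an odd number of servers, an attacker who controls only one of them cannot pull the constraint outside the range of the honest ones, which is the property the commit relies on to bound an NTP answer without NTP-level authentication.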
If the network is unreachable when ntpd starts and host_dns fails, be sure
that we still close the HOST_DNS imsg.
Thanks to Paul de Weerd <weerd at weirdnet dot nl> for reporting this.
ok beck@
daemon.
Old drift files will be interpreted as a minuscule adjustment and
ntpd will proceed to rediscover the drift, like starting from zero
on a newly installed machine.
ok deraadt@
- Nothing seems to free the result of host_dns(), so add host_dns_free() and
call after each query.
- If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the
freed buf in imsg_close().
ok millert@ deraadt@
NB: this utility has only one option, and it's not optional! i haven't
marked -s as being mandatory, since hopefully someone will make
ntpctl run without arguments do something useful;
* For time_t values, use the printf("%lld", (long long)t) idiom.
* Don't print "Invalid program name" in usage() when main() just runs ntpd.
* Make "Show/Shows" consistent in the manual, sort .Xr and correct .Ox.
OK phessler@