[Bug 2227] Enable mrulist access control via "restrict ... nomrulist".
authorDave Hart <hart@ntp.org>
Mon, 18 Jun 2012 05:01:49 +0000 (05:01 +0000)
committerDave Hart <hart@ntp.org>
Mon, 18 Jun 2012 05:01:49 +0000 (05:01 +0000)
Conditionalize msyslog messages about rejected mode 6 requests due to
  nomodify and nomrulist restrictions under "logconfig +sysinfo".
Increment sys_restricted in a few rejection paths due to nomodify
  restrictions where previously overlooked.

bk: 4fdeb63dpntoPSOYz-3SqES16v3kMQ

ChangeLog
include/ntp.h
include/ntp_request.h
ntpd/complete.conf
ntpd/keyword-gen.c
ntpd/ntp_config.c
ntpd/ntp_control.c
ntpd/ntp_parser.y
ntpd/ntp_request.c

index e02dba95dd7e10beaa77b4b0822f8aadb3212f07..b22969d05187bf76ca2d903af1b3a7e15ca6b2e6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+* [Bug 2227] Enable mrulist access control via "restrict ... nomrulist".
+* Conditionalize msyslog messages about rejected mode 6 requests due to
+  nomodify and nomrulist restrictions under "logconfig +sysinfo".
+* Increment sys_restricted in a few rejection paths due to nomodify
+  restrictions where previosuly overlooked.
 (4.2.7p284) 2012/06/16 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 2225] libevent configure hangs.
 * Update bundled libevent to git master, post libevent 2.1.1-alpha.
index 27d417b8055eec96b97f481bc95f372b58301a63..5f6c275f668b66ffd32e8115626f034809789371 100644 (file)
@@ -830,14 +830,16 @@ struct restrict_u_tag {
 #define        RES_NOTRAP              0x0100  /* mode 6/7 set trap denied */
 #define        RES_LPTRAP              0x0200  /* mode 6/7 low priority trap */
 
-#define RES_KOD                        0x0400  /* send kiss of death packet */
+#define        RES_KOD                 0x0400  /* send kiss of death packet */
 #define        RES_MSSNTP              0x0800  /* enable MS-SNTP authentication */
-#define RES_FLAKE              0x1000  /* flakeway - drop 10% */
+#define        RES_FLAKE               0x1000  /* flakeway - drop 10% */
+#define        RES_NOMRULIST           0x2000  /* mode 6 mrulist denied */
 
 #define        RES_ALLFLAGS            (RES_FLAGS | RES_NOQUERY |      \
                                 RES_NOMODIFY | RES_NOTRAP |    \
                                 RES_LPTRAP | RES_KOD |         \
-                                RES_MSSNTP | RES_FLAKE)
+                                RES_MSSNTP | RES_FLAKE |       \
+                                RES_NOMRULIST)
 
 /*
  * Match flags
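Review bot: The comment on the added `RES_NOMRULIST` define says only `mode 6 mrulist denied`, which leaves its relation to the coarser query restriction unstated; since RES_NOQUERY is defined above this hunk, confirm its wording and then say so here, e.g. `/* mode 6 mrulist denied (finer-grained than RES_NOQUERY) */`. Bit 0x2000 is the fourteenth bit of the restriction flag word; if the `flags` member of restrict_u_tag, whose definition starts above the hunk, is a 16-bit type, only two flag bits remain, which is worth a note next to RES_ALLFLAGS so the next addition does not silently overflow.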
index b01649e4e2b6116871e313cd8e99339472953669..abfb785811574ce02ca63f9df88834d78430e63c 100644 (file)
@@ -195,6 +195,7 @@ struct resp_pkt {
 #define        INFO_ERR_FMT    3       /* format error */
 #define        INFO_ERR_NODATA 4       /* no data for this request */
 #define        INFO_ERR_AUTH   7       /* authentication failure */
+#define        MAX_INFO_ERR    INFO_ERR_AUTH
 
 /*
  * Maximum sequence number.
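Review bot: `MAX_INFO_ERR` is defined as `INFO_ERR_AUTH` with nothing stating that it must be the largest INFO_ERR_* code; a later, larger error code added below it would silently undersize any array dimensioned from it while still compiling. Add a comment on the define, `/* largest INFO_ERR_* value; keep current when adding codes -- counters are sized MAX_INFO_ERR + 1 */`, or a compile-time check if the header's conventions allow one.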
index 7c9a251ef468fd8a3d994ba17e4d8c836d42a93b..f6b735c000b0c61aa0a3f66261fbe4c8c9341fca 100644 (file)
@@ -43,7 +43,7 @@ multicastclient 224.0.1.1 ff05::101
 mru maxage 64 mindepth 600 initalloc 600 initmem 16 incalloc 99 incmem 4 maxdepth 1024 maxmem 4096
 discard minimum 1 average 3 monitor 3000
 restrict default
-restrict default nomodify limited kod noserve
+restrict default nomodify limited kod noserve nomrulist
 restrict source
 restrict source nomodify limited kod
 restrict trusted.host.name.example.com. nomodify
index 0cf5466437b58766b59ae56d11274fe6c54474f6..ea548237d87a1fbb973d23bdc5d93a8efe35e134 100644 (file)
@@ -159,6 +159,7 @@ struct key_tok ntp_keywords[] = {
 { "lowpriotrap",       T_Lowpriotrap,          FOLLBY_TOKEN },
 { "mask",              T_Mask,                 FOLLBY_TOKEN },
 { "nomodify",          T_Nomodify,             FOLLBY_TOKEN },
+{ "nomrulist",         T_Nomrulist,            FOLLBY_TOKEN },
 { "nopeer",            T_Nopeer,               FOLLBY_TOKEN },
 { "noquery",           T_Noquery,              FOLLBY_TOKEN },
 { "noserve",           T_Noserve,              FOLLBY_TOKEN },
index 15555d1bb35b943a49c87ef3b929e9d58743d77a..f731fb9ff06035509c5a8c787e6312f9540d58e4 100644 (file)
@@ -2415,6 +2415,10 @@ config_access(
                                flags |= RES_NOMODIFY;
                                break;
 
+                       case T_Nomrulist:
+                               flags |= RES_NOMRULIST;
+                               break;
+
                        case T_Nopeer:
                                flags |= RES_NOPEER;
                                break;
index 43ac1c8a11c24492840b69165bce618745fc371e..cef3eae621bf7aea34c08d5929ab7b2f204b8219 100644 (file)
@@ -884,9 +884,11 @@ save_config(
                         "saveconfig prohibited by restrict ... nomodify");
                ctl_putdata(reply, strlen(reply), 0);
                ctl_flushpkt(0);
-               msyslog(LOG_NOTICE,
-                       "saveconfig from %s rejected due to nomodify restriction",
-                       stoa(&rbufp->recv_srcadr));
+               NLOG(NLOG_SYSINFO)
+                       msyslog(LOG_NOTICE,
+                               "saveconfig from %s rejected due to nomodify restriction",
+                               stoa(&rbufp->recv_srcadr));
+               sys_restricted++;
                return;
        }
 
@@ -896,9 +898,10 @@ save_config(
                         "saveconfig prohibited, no saveconfigdir configured");
                ctl_putdata(reply, strlen(reply), 0);
                ctl_flushpkt(0);
-               msyslog(LOG_NOTICE,
-                       "saveconfig from %s rejected, no saveconfigdir",
-                       stoa(&rbufp->recv_srcadr));
+               NLOG(NLOG_SYSINFO)
+                       msyslog(LOG_NOTICE,
+                               "saveconfig from %s rejected, no saveconfigdir",
+                               stoa(&rbufp->recv_srcadr));
                return;
        }
 
@@ -3217,16 +3220,18 @@ static void configure(
                return;
        }
 
-       if (restrict_mask & RES_NOMODIFY) {
+       if (RES_NOMODIFY & restrict_mask) {
                snprintf(remote_config.err_msg,
                         sizeof(remote_config.err_msg),
                         "runtime configuration prohibited by restrict ... nomodify");
                ctl_putdata(remote_config.err_msg, 
                            strlen(remote_config.err_msg), 0);
                ctl_flushpkt(0);
-               msyslog(LOG_NOTICE,
-                       "runtime config from %s rejected due to nomodify restriction",
-                       stoa(&rbufp->recv_srcadr));
+               NLOG(NLOG_SYSINFO)
+                       msyslog(LOG_NOTICE,
+                               "runtime config from %s rejected due to nomodify restriction",
+                               stoa(&rbufp->recv_srcadr));
+               sys_restricted++;
                return;
        }
 
@@ -3638,6 +3643,15 @@ static void read_mru_list(
        mon_entry *             prior_mon;
        l_fp                    now;
 
+       if (RES_NOMRULIST & restrict_mask) {
+               ctl_error(CERR_PERMISSION);
+               NLOG(NLOG_SYSINFO)
+                       msyslog(LOG_NOTICE,
+                               "mrulist from %s rejected due to nomrulist restriction",
+                               stoa(&rbufp->recv_srcadr));
+               sys_restricted++;
+               return;
+       }
        /*
         * fill in_parms var list with all possible input parameters.
         */
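Review bot: The diffstat for this commit lists headers, parser, config, control and request code but no documentation file, so the new `restrict ... nomrulist` keyword is not described for administrators anywhere in this change; unless the ntp.conf documentation is maintained separately, it should be updated alongside, since the keyword is what operators need to know about to limit who can read the MRU list. The added check itself would benefit from a short comment stating why it sits before any parameter parsing, `/* Honor "restrict ... nomrulist" before parsing any request parameters. */`. `restrict_mask` is not declared in the hunk; presumably it is the file-scope mask computed when the request was matched against the restriction list, which should be confirmed. The rest of read_mru_list lies outside the hunk.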
index 88e61cffb6dadb9a7f6fdfceb13ce8ecda31dab5..b7b28db5a050ae65b5063531a42d76a5ce3edae9 100644 (file)
 %token <Integer>       T_Nic
 %token <Integer>       T_Nolink
 %token <Integer>       T_Nomodify
+%token <Integer>       T_Nomrulist
 %token <Integer>       T_None
 %token <Integer>       T_Nonvolatile
 %token <Integer>       T_Nopeer
@@ -845,6 +846,7 @@ access_control_flag
        |       T_Limited
        |       T_Lowpriotrap
        |       T_Nomodify
+       |       T_Nomrulist
        |       T_Nopeer
        |       T_Noquery
        |       T_Noserve
index 56ad94e607ec126329c9472b7a52a800448a2b3c..5a961e7192b12dcd874ac630811a37feef844ac2 100644 (file)
@@ -196,8 +196,10 @@ keyid_t info_auth_keyid;
 u_long numrequests;            /* number of requests we've received */
 u_long numresppkts;            /* number of resp packets sent with data */
 
-u_long errorcounter[INFO_ERR_AUTH+1];  /* lazy way to count errors, indexed */
-/* by the error code */
+/*
+ * lazy way to count errors, indexed by the error code
+ */
+u_long errorcounter[MAX_INFO_ERR + 1];
 
 /*
  * A hack.  To keep the authentication module clear of ntp-ism's, we
@@ -613,6 +615,9 @@ process_private(
                                "process_private: failed auth mod_okay %d\n",
                                mod_okay);
 #endif
+                       if (!mod_okay) {
+                               sys_restricted++;
+                       }
                        req_ack(srcadr, inter, inpkt, INFO_ERR_AUTH);
                        return;
                }