From: Dave Hart
Date: Mon, 18 Jun 2012 05:01:49 +0000 (+0000)
Subject: [Bug 2227] Enable mrulist access control via "restrict ... nomrulist".
X-Git-Tag: NTP_4_2_7P285~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3453b426718c3bf2fa10a1fe604e1630e11bfd6b;p=thirdparty%2Fntp.git
[Bug 2227] Enable mrulist access control via "restrict ... nomrulist". Conditionalize msyslog messages about rejected mode 6 requests due to nomodify and nomrulist restrictions under "logconfig +sysinfo". Increment sys_restricted in a few rejection paths due to nomodify restrictions where previosuly overlooked.
bk: 4fdeb63dpntoPSOYz-3SqES16v3kMQ
---
diff --git a/ChangeLog b/ChangeLog
index e02dba95d..b22969d05 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+* [Bug 2227] Enable mrulist access control via "restrict ... nomrulist".
+* Conditionalize msyslog messages about rejected mode 6 requests due to
+ nomodify and nomrulist restrictions under "logconfig +sysinfo".
+* Increment sys_restricted in a few rejection paths due to nomodify
+ restrictions where previosuly overlooked.
 (4.2.7p284) 2012/06/16 Released by Harlan Stenn
 * [Bug 2225] libevent configure hangs.
 * Update bundled libevent to git master, post libevent 2.1.1-alpha.
diff --git a/include/ntp.h b/include/ntp.h
index 27d417b80..5f6c275f6 100644
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -830,14 +830,16 @@ struct restrict_u_tag {
 #define RES_NOTRAP 0x0100 /* mode 6/7 set trap denied */
 #define RES_LPTRAP 0x0200 /* mode 6/7 low priority trap */
-#define RES_KOD 0x0400 /* send kiss of death packet */
+#define RES_KOD 0x0400 /* send kiss of death packet */
 #define RES_MSSNTP 0x0800 /* enable MS-SNTP authentication */
-#define RES_FLAKE 0x1000 /* flakeway - drop 10% */
+#define RES_FLAKE 0x1000 /* flakeway - drop 10% */
+#define RES_NOMRULIST 0x2000 /* mode 6 mrulist denied */
 #define RES_ALLFLAGS (RES_FLAGS | RES_NOQUERY | \
 RES_NOMODIFY | RES_NOTRAP | \
 RES_LPTRAP | RES_KOD | \
- RES_MSSNTP | RES_FLAKE)
+ RES_MSSNTP | RES_FLAKE | \
+ RES_NOMRULIST)
 /*
 * Match flags
diff --git a/include/ntp_request.h b/include/ntp_request.h
index b01649e4e..abfb78581 100644
--- a/include/ntp_request.h
+++ b/include/ntp_request.h
@@ -195,6 +195,7 @@ struct resp_pkt {
 #define INFO_ERR_FMT 3 /* format error */
 #define INFO_ERR_NODATA 4 /* no data for this request */
 #define INFO_ERR_AUTH 7 /* authentication failure */
+#define MAX_INFO_ERR INFO_ERR_AUTH
 /*
 * Maximum sequence number.
diff --git a/ntpd/complete.conf b/ntpd/complete.conf
index 7c9a251ef..f6b735c00 100644
--- a/ntpd/complete.conf
+++ b/ntpd/complete.conf
@@ -43,7 +43,7 @@ multicastclient 224.0.1.1 ff05::101
 mru maxage 64 mindepth 600 initalloc 600 initmem 16 incalloc 99 incmem 4 maxdepth 1024 maxmem 4096
 discard minimum 1 average 3 monitor 3000
 restrict default
-restrict default nomodify limited kod noserve
+restrict default nomodify limited kod noserve nomrulist
 restrict source
 restrict source nomodify limited kod
 restrict trusted.host.name.example.com. nomodify
diff --git a/ntpd/keyword-gen.c b/ntpd/keyword-gen.c
index 0cf546643..ea548237d 100644
--- a/ntpd/keyword-gen.c
+++ b/ntpd/keyword-gen.c
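Review bot: `MAX_INFO_ERR` is introduced as a bare alias for `INFO_ERR_AUTH` with nothing saying why it exists, and it is only correct while `INFO_ERR_AUTH` stays the numerically largest `INFO_ERR_*` code. The ntp_request.c hunk in this commit sizes `errorcounter[MAX_INFO_ERR + 1]` from it, so if that array is indexed directly by the error code (as its comment suggests), a future code with a larger value would index past the end unless this alias is updated in step. Suggest `#define MAX_INFO_ERR INFO_ERR_AUTH /* largest INFO_ERR_* code; sizes errorcounter[] in ntp_request.c */` so the coupling is visible at the point where new codes get added. Nothing visible defines codes 5 or 6, which is harmless but leaves unused counter slots.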
@@ -159,6 +159,7 @@ struct key_tok ntp_keywords[] = {
 { "lowpriotrap", T_Lowpriotrap, FOLLBY_TOKEN },
 { "mask", T_Mask, FOLLBY_TOKEN },
 { "nomodify", T_Nomodify, FOLLBY_TOKEN },
+{ "nomrulist", T_Nomrulist, FOLLBY_TOKEN },
 { "nopeer", T_Nopeer, FOLLBY_TOKEN },
 { "noquery", T_Noquery, FOLLBY_TOKEN },
 { "noserve", T_Noserve, FOLLBY_TOKEN },
diff --git a/ntpd/ntp_config.c b/ntpd/ntp_config.c
index 15555d1bb..f731fb9ff 100644
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -2415,6 +2415,10 @@ config_access(
 flags |= RES_NOMODIFY;
 break;
+ case T_Nomrulist:
+ flags |= RES_NOMRULIST;
+ break;
+
 case T_Nopeer:
 flags |= RES_NOPEER;
 break;
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 43ac1c8a1..cef3eae62 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -884,9 +884,11 @@ save_config(
 "saveconfig prohibited by restrict ... nomodify");
 ctl_putdata(reply, strlen(reply), 0);
 ctl_flushpkt(0);
- msyslog(LOG_NOTICE,
- "saveconfig from %s rejected due to nomodify restriction",
- stoa(&rbufp->recv_srcadr));
+ NLOG(NLOG_SYSINFO)
+ msyslog(LOG_NOTICE,
+ "saveconfig from %s rejected due to nomodify restriction",
+ stoa(&rbufp->recv_srcadr));
+ sys_restricted++;
 return;
 }
@@ -896,9 +898,10 @@ save_config(
 "saveconfig prohibited, no saveconfigdir configured");
 ctl_putdata(reply, strlen(reply), 0);
 ctl_flushpkt(0);
- msyslog(LOG_NOTICE,
- "saveconfig from %s rejected, no saveconfigdir",
- stoa(&rbufp->recv_srcadr));
+ NLOG(NLOG_SYSINFO)
+ msyslog(LOG_NOTICE,
+ "saveconfig from %s rejected, no saveconfigdir",
+ stoa(&rbufp->recv_srcadr));
 return;
 }
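Review bot: The new `nomrulist` row in `ntp_keywords[]` is input to the keyword generator, yet no generated keyword table appears anywhere in this diff. If the generated scanner header is committed to the tree rather than produced at build time (I believe it is, but cannot confirm from here), it needs regenerating in the same change, otherwise ntp_parser.y and ntp_config.c will accept a `T_Nomrulist` token that the scanner never emits. The entry itself is consistent with its neighbours in form and ordering.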
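Review bot: `sys_restricted++` being unconditional depends on `NLOG(NLOG_SYSINFO)` guarding exactly one statement, the multi-line `msyslog(...)` call; as I recall NLOG expands to a braceless `if`, so wrapping the guarded call as `NLOG(NLOG_SYSINFO) { msyslog(...); }` makes that survive the next edit to this block. The same shape is added in `configure()` and `read_mru_list()` in ntp_control.c, so the brace treatment should be applied consistently there too. Operationally, these rejections are now logged only when the sysinfo class is enabled, so sites that alerted on the previously unconditional LOG_NOTICE for rejected mode 6 requests need `logconfig +sysinfo`; the `sys_restricted` counter remains as an always-on signal. Leaving the no-saveconfigdir path in the second hunk out of the counter looks right, since that is a configuration gap rather than a restriction. save_config's body starts and ends outside both hunks.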
@@ -3217,16 +3220,18 @@ static void configure(
 return;
 }
- if (restrict_mask & RES_NOMODIFY) {
+ if (RES_NOMODIFY & restrict_mask) {
 snprintf(remote_config.err_msg,
 sizeof(remote_config.err_msg),
 "runtime configuration prohibited by restrict ... nomodify");
 ctl_putdata(remote_config.err_msg,
 strlen(remote_config.err_msg), 0);
 ctl_flushpkt(0);
- msyslog(LOG_NOTICE,
- "runtime config from %s rejected due to nomodify restriction",
- stoa(&rbufp->recv_srcadr));
+ NLOG(NLOG_SYSINFO)
+ msyslog(LOG_NOTICE,
+ "runtime config from %s rejected due to nomodify restriction",
+ stoa(&rbufp->recv_srcadr));
+ sys_restricted++;
 return;
 }
@@ -3638,6 +3643,15 @@ static void read_mru_list(
 mon_entry * prior_mon;
 l_fp now;
+ if (RES_NOMRULIST & restrict_mask) {
+ ctl_error(CERR_PERMISSION);
+ NLOG(NLOG_SYSINFO)
+ msyslog(LOG_NOTICE,
+ "mrulist from %s rejected due to nomrulist restriction",
+ stoa(&rbufp->recv_srcadr));
+ sys_restricted++;
+ return;
+ }
 /*
 * fill in_parms var list with all possible input parameters.
 */
diff --git a/ntpd/ntp_parser.y b/ntpd/ntp_parser.y
index 88e61cffb..b7b28db5a 100644
--- a/ntpd/ntp_parser.y
+++ b/ntpd/ntp_parser.y
@@ -168,6 +168,7 @@
 %token T_Nic
 %token T_Nolink
 %token T_Nomodify
+%token T_Nomrulist
 %token T_None
 %token T_Nonvolatile
 %token T_Nopeer
@@ -845,6 +846,7 @@ access_control_flag
 | T_Limited
 | T_Lowpriotrap
 | T_Nomodify
+ | T_Nomrulist
 | T_Nopeer
 | T_Noquery
 | T_Noserve
diff --git a/ntpd/ntp_request.c b/ntpd/ntp_request.c
index 56ad94e60..5a961e719 100644
--- a/ntpd/ntp_request.c
+++ b/ntpd/ntp_request.c
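Review bot: The new guard denies only the mode 6 mrulist path; as far as I can tell the same monitor-list data is also served by the mode 7 list requests handled in ntp_request.c, which do not consult `RES_NOMRULIST`, so `nomrulist` alone does not withhold the MRU list from a source that still has mode 7 query access. Either apply `RES_NOMRULIST` in that handler as well, or make the `restrict` documentation explicit that `noquery` is still required to cover mode 7. A comment above the guard would help the next reader: `/* nomrulist is independent of noquery; reject before any parameter parsing or list allocation */`. Placing the check ahead of the in_parms setup is the right order, since nothing is allocated or touched on rejection. read_mru_list's body continues outside the hunk.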
@@ -196,8 +196,10 @@ keyid_t info_auth_keyid;
 u_long numrequests; /* number of requests we've received */
 u_long numresppkts; /* number of resp packets sent with data */
-u_long errorcounter[INFO_ERR_AUTH+1]; /* lazy way to count errors, indexed */
-/* by the error code */
+/*
+ * lazy way to count errors, indexed by the error code
+ */
+u_long errorcounter[MAX_INFO_ERR + 1];
 /*
 * A hack. To keep the authentication module clear of ntp-ism's, we
@@ -613,6 +615,9 @@ process_private(
 "process_private: failed auth mod_okay %d\n",
 mod_okay);
 #endif
+ if (!mod_okay) {
+ sys_restricted++;
+ }
 req_ack(srcadr, inter, inpkt, INFO_ERR_AUTH);
 return;
 }