From: Harlan Stenn Date: Tue, 14 Nov 2017 06:54:14 +0000 (-0800) Subject: Fix bug in the override portion of the compiler hardening macro X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a47b0fe3ea704ac14b45962bd04ee56610eb7ad1;p=thirdparty%2Fntp.git Fix bug in the override portion of the compiler hardening macro bk: 5a0a93164EVBKy4v70MgI6v1YHzE_Q --- diff --git a/ChangeLog b/ChangeLog index d6dc77330..add12209e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,7 @@ * test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. * refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. * Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org +* Fix bug in the override portion of the compiler hardening macro. HStenn. --- (4.2.8p10) 2017/03/21 Released by Harlan Stenn diff --git a/html/access.html b/html/access.html index 3489f8fbd..248def183 100644 --- a/html/access.html +++ b/html/access.html @@ -19,7 +19,7 @@ color: #FF0000;

giffrom Pogo, Walt Kelly

The skunk watches for intruders and sprays.

Last update: - 11-Sep-2010 05:53 + 26-Jul-2017 20:10 UTC


Related Links

@@ -32,7 +32,7 @@ color: #FF0000;

The ACL is specified as a list of restrict commands in the following format:

restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.

-

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.

+

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.

An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let's assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might look like this:

 restrict default nopeer					# deny new associations
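Review bot: the `-`/`+` pair in this hunk is a documentation typo fix in html/access.html ("The flags. are not orthogonal" becomes "The flags are not orthogonal") and has nothing to do with the compiler hardening macro named in the commit message and the ChangeLog line; consider moving the html/ edits into their own commit so the ChangeLog entry describes what the diff actually changes. While this paragraph is being touched, the unchanged context line above spells "preemptable", whereas the copy of the same paragraph in html/accopt.html (the next file in this patch) spells it "preemptible"; one spelling should be used on both pages.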
diff --git a/html/accopt.html b/html/accopt.html
index 6caff48c3..55fcced47 100644
--- a/html/accopt.html
+++ b/html/accopt.html
@@ -20,7 +20,7 @@ color: #FF0000;
 giffrom Pogo, Walt Kelly
 

The skunk watches for intruders and sprays.

Last update: - 13-Nov-2014 03:00 + 26-Jul-2017 20:12 UTC


Related Links

@@ -46,7 +46,7 @@ color: #FF0000; restrict source [flag][...]
restrict address [mask mask] [flag][...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
-
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:
+
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:
flake
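Review bot: this `-`/`+` pair repeats the "The flags. are not orthogonal" sentence fix already made in html/access.html, which shows that the restrict-command description is maintained as two hand-synchronised copies; the "preemptable" (access.html) versus "preemptible" (accopt.html) mismatch in the two context paragraphs is the kind of drift that produces, so consider having one page include or link the other rather than duplicating the text. A documentation-only change like this also does not belong under a ChangeLog entry that describes a hardening-macro bug fix.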
@@ -60,7 +60,7 @@ color: #FF0000;
lowpriotrap
Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.
mssntp
-
Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.
+
Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.
nomodify
Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.
noquery
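Review bot: the removed and added mssntp paragraphs read identically in this rendering, so the change can only be whitespace or markup; a change that is invisible in the rendered text needs a word in the commit message (or should be left out of a commit described as fixing the hardening macro), because a reviewer otherwise cannot tell whether a substantive edit was intended and lost. The same applies to the notrust paragraph in the following hunk, whose `-` and `+` lines are also identical as rendered.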
@@ -72,7 +72,7 @@ color: #FF0000;
notrap
Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.
notrust
-
Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the auth option of the enable and disable commands. If auth is enabled, which is the default, authentication is required for all packets that might mobilize an association. If auth is disabled, but the notrust flag is not present, an association can be mobilized whether or not authenticated. If auth is disabled, but the notrust flag is present, authentication is required only for the specified address/mask range.
+
Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the auth option of the enable and disable commands. If auth is enabled, which is the default, authentication is required for all packets that might mobilize an association. If auth is disabled, but the notrust flag is not present, an association can be mobilized whether or not authenticated. If auth is disabled, but the notrust flag is present, authentication is required only for the specified address/mask range.
ntpport
This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the diff --git a/sntp/m4/ntp_harden.m4 b/sntp/m4/ntp_harden.m4 index e6d5f36a9..06aebc08e 100644 --- a/sntp/m4/ntp_harden.m4 +++ b/sntp/m4/ntp_harden.m4 @@ -10,24 +10,24 @@ AC_DEFUN([NTP_HARDEN], [ AC_MSG_CHECKING([for compile/link hardening flags]) AC_ARG_WITH( - [locfile], + [hardenfile], [AS_HELP_STRING( - [--with-locfile=XXX], - [os-specific or "legacy"] + [--with-hardenfile=XXX], + [os-specific or "/dev/null"] )], [], - [with_locfile=no] + [with_hardenfile=no] ) ( \ SENTINEL_DIR="$PWD" && \ cd $srcdir/$1 && \ - case "$with_locfile" in \ + case "$with_hardenfile" in \ yes|no|'') \ scripts/genHardFlags -d "$SENTINEL_DIR" \ ;; \ *) \ - scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \ + scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \ ;; \ esac \ ) > genHardFlags.i 2> genHardFlags.err
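Review bot: in the sntp/m4/ntp_harden.m4 hunk the configure option is renamed from `--with-locfile` to `--with-hardenfile` (and `with_locfile` to `with_hardenfile`), which is a user-visible build-interface change, yet neither the commit message nor the ChangeLog line ("Fix bug in the override portion of the compiler hardening macro") says what was broken or that an option changed name; the ChangeLog entry should name both the old and the new option so anyone passing `--with-locfile=...` in a build script understands why the override no longer takes effect, and accepting the old spelling for a release would be the gentler path. The new help string `[os-specific or "/dev/null"]` also does not say what passing `/dev/null` means: from the `case` below, any value other than yes/no/empty is handed straight to `scripts/genHardFlags -f "$with_hardenfile"`, so the help text should state that the argument is a flags file and what the default (OS-specific) behaviour is. Pre-existing but worth fixing while here: `cd $srcdir/$1` is unquoted, unlike `-d "$SENTINEL_DIR"`, so a source path containing spaces breaks the subshell.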