Joe Malcolm <jmalc...@uraeus.com> writes:
> Dag-Erling Smørgrav <d...@des.no> writes:
> > These work on a "last match" basis. The latter three lines lift all
> > restrictions for localhost, so you can still "ntpq -pn" your own
> > server, but nobody else can.
> Thanks. So, if I understand correctly, the shipped config is
> vulnerable to local (same-host) attackers, not remote ones.
Broadly, yes. Restricting requests from localhost makes it impossible to
monitor your own server, because ntpdc and ntpq talk to ntpd over UDP to
localhost rather than a Unix socket, which could be protected by file
permissions. Implementing a Unix socket for ntpdc / ntpq is left as an
exercise to the reader.

DES
--
Dag-Erling Smørgrav - d...@des.no

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
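The monitoring channel the thread refers to is the NTP mode 6 control protocol that ntpq speaks over UDP/123 to localhost. The following is an added example, not code from the thread or from ntp: it builds the same READVAR request `ntpq -c rv` sends, parses the reply, and lets an operator confirm that a `restrict` layout still answers queries from localhost (a timeout or error reply indicates the local exemption is missing). The sample reply bytes are constructed; the header layout follows RFC 1305 Appendix B, and the port and version-2 header byte match what ntpq uses by default.

```python
import socket
import struct

NTP_PORT = 123
# Control message header (RFC 1305 App. B): LI|VN|Mode, R|E|M|opcode,
# then sequence, status, association id, offset, count (big-endian uint16).
CTRL_HDR = struct.Struct("!BBHHHHH")
LI_VN_MODE = 0x16   # LI=0, VN=2 (ntpq's default), mode 6 (control)
OP_READVAR = 2      # "rv" in ntpq

def build_readvar(seq=1, assoc=0, variables=b""):
    """READVAR request; assoc 0 asks for system variables."""
    return CTRL_HDR.pack(LI_VN_MODE, OP_READVAR, seq, 0, assoc, 0,
                         len(variables)) + variables

def parse_control_response(pkt):
    """Decode a mode 6 reply into its flag bits, status and payload."""
    if len(pkt) < CTRL_HDR.size:
        raise ValueError("short control packet")
    b0, b1, seq, status, assoc, offset, count = CTRL_HDR.unpack_from(pkt)
    if (b0 & 0x07) != 6 or not (b1 & 0x80):   # mode 6 with R (response) bit
        raise ValueError("not a mode 6 response")
    return {"opcode": b1 & 0x1F, "error": bool(b1 & 0x40),
            "more": bool(b1 & 0x20), "seq": seq, "status": status,
            "assoc": assoc, "data": pkt[CTRL_HDR.size:CTRL_HDR.size + count]}

def parse_variables(data):
    """Turn the 'name=value, name=value' payload into a dict."""
    out = {}
    for item in data.decode("ascii", "replace").split(","):
        item = item.strip()
        if "=" in item:
            k, v = item.split("=", 1)
            out[k.strip()] = v.strip()
        elif item:
            out[item] = ""
    return out

def query_system_vars(host="127.0.0.1", timeout=2.0):
    """Return ntpd's system variables, or None when the query is refused
    or dropped (what a 'restrict ... noquery' rule covering this source
    address produces). Needs a running ntpd to return anything."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_readvar(), (host, NTP_PORT))
            pkt, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    resp = parse_control_response(pkt)
    return None if resp["error"] else parse_variables(resp["data"])

# Constructed sample reply (not captured from a real server) for offline use.
_SAMPLE_DATA = b'version="ntpd 4.x", stratum=2, leap=00'
SAMPLE_REPLY = CTRL_HDR.pack(LI_VN_MODE, 0x80 | OP_READVAR, 1, 0x0614, 0, 0,
                             len(_SAMPLE_DATA)) + _SAMPLE_DATA
```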