Subject: Re: /dev/clock pseudodevice
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-kern
Date: 07/28/2001 18:48:01
> If the kernel was built without the pseudodevice, or if /dev/clock was
> not created, everything works exactly like it does now, because libc
> reverts to calling settimeofday.
> 
> Currently, the pseudodevice only implements settimeofday, I'll add
> adjtime and setclock. 

You'd also need to fold the calls used by the "options NTP" in-kernel
PLL into this scheme:

	ntp_gettime
	ntp_adjtime

> Comments, opinions? 

Kerberos uses time-based nonces and can be tricked into accepting
replayed authenticators if you can set the clock backwards by a
significant amount; as a result, the ability to set the clock can turn
into the ability to compromise root.

The ability to set the clock backwards may also be used to confuse
audit trails and LFSv1, though I think it's fixed in LFSv2.

I'd be inclined to:

 1) only allow /dev/clock to make small adjustments to the clock
(adjtime(), ntp_adjtime(), and possibly small forward steps with settimeofday)
 2) verify that *adjtime() can't be used to step the clock backwards
 3) verify that ntpd can still behave properly given (1).

					- Bill
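The three-point policy above (small slews only, no backward steps, bounded forward steps) can be expressed as a single admission check that a /dev/clock-style pseudodevice would run before it touches the system clock. The following is an added example for illustration; it is not code from this thread, from NetBSD, or from the pseudodevice being discussed. The slew and step limits (60 s and 5 min) are assumed values chosen for the example, and the function and type names are invented here. It rejects any negative delta outright, which is deliberately stricter than adjtime()'s own semantics (a negative adjtime() slows the clock rather than stepping it backwards), so that nothing reachable through the device can ever move time backwards.

```c
/* Added example: admission policy for clock changes requested through a
 * /dev/clock-style pseudodevice. Not code from the mailing-list thread.
 * Thresholds below are assumed values, not anything stated in the thread. */
#include <stdio.h>
#include <stdint.h>
#include <sys/time.h>

#define MAX_SLEW_USEC (60LL * 1000000LL)   /* assumed: slew at most 60 s   */
#define MAX_STEP_USEC (300LL * 1000000LL)  /* assumed: step at most 5 min  */

enum clock_op { CLOCK_SLEW, CLOCK_STEP };          /* adjtime() vs settimeofday() */
enum clock_verdict {
    CLOCK_ALLOW = 0,
    CLOCK_DENY_BACKWARD,     /* would move the clock backwards */
    CLOCK_DENY_TOO_LARGE     /* forward change exceeds the policy limit */
};

/* (to - from) in microseconds, computed in 64 bits to avoid overflow. */
static int64_t tv_diff_usec(const struct timeval *from, const struct timeval *to)
{
    return ((int64_t)to->tv_sec - (int64_t)from->tv_sec) * 1000000LL
         + ((int64_t)to->tv_usec - (int64_t)from->tv_usec);
}

/* Core policy. For CLOCK_SLEW, delta_usec is the requested adjtime() delta.
 * For CLOCK_STEP, delta_usec is (requested absolute time - current time).
 * Negative deltas are refused for both operations. */
enum clock_verdict clock_policy(enum clock_op op, int64_t delta_usec)
{
    if (delta_usec < 0)
        return CLOCK_DENY_BACKWARD;

    int64_t limit = (op == CLOCK_SLEW) ? MAX_SLEW_USEC : MAX_STEP_USEC;
    if (delta_usec > limit)
        return CLOCK_DENY_TOO_LARGE;

    return CLOCK_ALLOW;
}

/* settimeofday()-style request: compare the requested absolute time with
 * the current clock value supplied by the caller. */
enum clock_verdict clock_policy_step(const struct timeval *now,
                                     const struct timeval *requested)
{
    return clock_policy(CLOCK_STEP, tv_diff_usec(now, requested));
}

/* Same check from whole-second values, convenient for tests and logging. */
enum clock_verdict step_verdict_secs(long now_sec, long req_sec)
{
    struct timeval now = { now_sec, 0 };
    struct timeval req = { req_sec, 0 };
    return clock_policy_step(&now, &req);
}

int main(void)
{
    /* Constructed sample: a current time and three candidate requests. */
    long now = 996000000L;
    printf("step 1000 s back : %d\n", step_verdict_secs(now, now - 1000)); /* 1 */
    printf("step 2 min ahead : %d\n", step_verdict_secs(now, now + 120));  /* 0 */
    printf("step 1000 s ahead: %d\n", step_verdict_secs(now, now + 1000)); /* 2 */
    printf("slew -5 s        : %d\n", clock_policy(CLOCK_SLEW, -5000000LL)); /* 1 */
    printf("slew +30 s       : %d\n", clock_policy(CLOCK_SLEW, 30000000LL)); /* 0 */
    return 0;
}
```

The backward-step rejection is the piece that matters for the Kerberos replay concern: as long as every path through the device goes through this check, the window in which an old authenticator is still "fresh" cannot be reopened by an unprivileged caller. Whether ntpd can live with the forward-step bound is point (3) of the proposal and has to be verified separately.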