Subject: Re: /dev/clock pseudodevice
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 07/29/2001 20:49:07
> I'd be inclined to:
> 
>  1) only allow /dev/clock to make small adjustments to the clock
> (adjtime(), ntp_adjtime(), and possibly small forward steps with settimeofday)
>  2) verify that *adjtime() can't be used to step the clock backwards
>  3) verify that ntpd can still behave properly given (1).

I think it would be nice to have these restrictions enabled by default
and add sysctls to disable them. Of course, only root could change the
restrictions, and he could only do it if securelevel <= 1.

After all, the superuser could want to put his system at risk, we
already don't prevent him from doing a chmod 666 /dev/kmem...

-- 
Emmanuel Dreyfus.  
Hiroshima 45. Tchernobyl 86. Windows 95. 
manu@netbsd.org
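
The policy discussed in this message, modelled as an added example that is not part of the original post and is not NetBSD code: restrictions on by default, a knob only root can change while securelevel <= 1, and a check that a negative slew never moves the clock backwards. All names, the tick length, the per-tick slew limit and the "small step" threshold are hypothetical assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names and limits; none come from NetBSD or the thread. */
#define TICK_US          10000   /* assumed 100 Hz clock tick */
#define MAX_SLEW_US      40      /* assumed max slew applied per tick */
#define MAX_FWD_STEP_US  1000000 /* assumed "small" forward step: 1 s */

enum clock_op { OP_ADJTIME, OP_SETTIME };
struct clock_policy { bool restricted; };  /* restricted by default */

/* Knob change: root only, and only while securelevel <= 1. */
int policy_set(struct clock_policy *p, bool is_root, int securelevel, bool on)
{
    if (!is_root || securelevel > 1)
        return -1;
    p->restricted = on;
    return 0;
}

/* Item 1: with restrictions on, allow slews and small forward steps only. */
bool request_allowed(const struct clock_policy *p, enum clock_op op, int64_t delta_us)
{
    if (!p->restricted || op == OP_ADJTIME)
        return true;
    return delta_us >= 0 && delta_us <= MAX_FWD_STEP_US;
}

/* Item 2: apply a slew tick by tick (assumed model: bounded adjustment
 * per tick); return false if the clock ever fails to advance. */
bool slew_is_monotonic(int64_t *now_us, int64_t delta_us, int ticks)
{
    for (int i = 0; i < ticks; i++) {
        int64_t adj = delta_us;
        if (adj > MAX_SLEW_US)  adj = MAX_SLEW_US;
        if (adj < -MAX_SLEW_US) adj = -MAX_SLEW_US;
        delta_us -= adj;
        int64_t next = *now_us + TICK_US + adj;
        if (next <= *now_us)
            return false;
        *now_us = next;
    }
    return true;
}

int main(void)
{
    struct clock_policy p = { true }; int64_t now = 0;
    return slew_is_monotonic(&now, -500000, 1000) && !request_allowed(&p, OP_SETTIME, -1) ? 0 : 1;
}
```

The monotonicity check holds only while the per-tick slew limit stays below the tick length, which is the property item 2 asks to be verified.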