Subject: Re: /dev/clock pseudodevice
To: Emmanuel Dreyfus <firstname.lastname@example.org>
From: Bill Studenmund <email@example.com>
Date: 07/31/2001 10:18:33

On Tue, 31 Jul 2001, Emmanuel Dreyfus wrote:
> > > > 1) only allow /dev/clock to make small adjustments to the clock
> > > > (adjtime(), ntp_adjtime(), and possibly small forward steps with
> > > > settimeofday)
> > > What do we consider as small?
> > And isn't it enough that the sysadmin has to have changed the permissions
> > on /dev/clock first?
> Someone that compromised ntpd could use it to gain root?

And a compromised ntpd right now gives you what? The exact same thing? :-)

If you are running something like Kerberos, where time is used to prevent
replay attacks, then a vulnerability in the timekeeping subsystem can lead
to a compromise. I don't see how you can get around that.

Restricting time updates to "small" updates will only make the attacker
have to work harder. We may decide that's a good thing, but it won't
remove the vulnerability, just raise the bar.