On Tue, 31 Jul 2001, Emmanuel Dreyfus wrote:

> > > >  1) only allow /dev/clock to make small adjustments to the clock
> > > > (adjtime(), ntp_adjtime(), and possibly small forward steps with
> > > > settimeofday)
> > > What do we consider as small?
> > And isn't it enough that the sysadmin has to have changed the permissions
> > on dev/clock first?
>
> Someone that compromised ntpd could use it to gain root?

And a compromised ntpd right now gives you what? The exact same thing? :-)

If you are running something like Kerberos, where time is used to prevent
replay attacks, then a vulnerability in the timekeeping subsystem can lead
to a compromise. I don't see how you can get around that.

Restricting time updates to "small" updates will only make the attacker
have to work harder. We may decide that's a good thing, but it won't
remove the vulnerability, just raise the bar.

Take care,

Bill