Current-Users archive


chrooting ntpd, netbsd-7 (and 7.99.1)



Hi,

Well, due to the recent ntp vulnerabilities (and previous ntp bugs & vulnerabilities), running ntpd chrooted seems like a sane default.
So, isn't it time that NetBSD gets 'echo "ntpd_chrootdir=/var/chroot/ntpd/" > /etc/rc.conf.d/ntpd' ?
This has been working fine on the stable branches AFAIK.

Anyway, I discovered that on a recent netbsd-7_BETA (and on 7.99.1), chrooting ntpd doesn't seem to work well if you have /etc/resolv.conf configured with 127.0.0.1 (or ::1) as the first nameserver. If I change it to an "external" nameserver and restart ntpd, it works. (I can't replicate this problem on netbsd-6 or netbsd-5.)

I get this in /var/log/messages:

Dec 27 04:08:39 netbsd-7_BETA ntpd[1805]: ntpd exiting on signal 15 (Terminated)
Dec 27 04:08:41 netbsd-7_BETA ntpd[4385]: ntpd 4.2.8-o Fri Dec 19 21:49:44 EST 2014 (import): Starting
Dec 27 04:08:41 netbsd-7_BETA ntpd[4385]: Command line: /usr/sbin/ntpd -u ntpd:ntpd -i /var/chroot/ntpd/ -p /var/run/ntpd.pid
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: proto: precision = 3.631 usec (-18)
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen and drop on 0 v6wildcard [::]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 2 bge0 [fe80::20e:7fff:feac:fa6c%1]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 3 bge0 193.10.5.xx:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 4 bge0 193.10.5.yy:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 5 bge0 [2001:6b0:8::xx]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 6 bge0 [2001:6b0:8::yy]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 7 lo0 127.0.0.1:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 8 lo0 [::1]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listen normally on 9 lo0 [fe80::1%3]:123
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: Listening on routing socket on fd #30 for interface updates
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: restrict default: KOD does nothing without LIMITED.
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: running as non-root disables dynamic interface tracking
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: giving up resolving host 0.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
Dec 27 04:08:41 netbsd-7_BETA ntpd[6375]: giving up resolving host 1.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
…

bash-4.3# ntpq -p
No association ID's returned

Running ntpd without chrooting it on netbsd-7_BETA (and on 7.99.1) doesn’t give me this problem...

Re,
/P
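
A check for the condition described in the post above, added here as an example and not part of the original message or of NetBSD: it reports whether the first nameserver in a resolv.conf is loopback (127.0.0.1 or ::1) and counts the ntpd "giving up resolving host" lines in a log, so the combination can be flagged before or after enabling ntpd_chrootdir. The file paths, the 192.0.2.53 address and the sample log lines are constructed, not taken from the post.

```sh
#!/bin/sh
# Added example: detect the "loopback-first resolver + chrooted ntpd" failure
# the post describes. Assumes only POSIX sh, awk and mktemp.

# first_nameserver_is_loopback RESOLV_CONF -> prints "yes" or "no"
first_nameserver_is_loopback() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$ns" in
        127.*|::1) echo yes ;;
        *)         echo no ;;
    esac
}

# count_resolve_failures NTPD_LOG -> number of "giving up resolving host" lines
count_resolve_failures() {
    awk '/ntpd\[[0-9]+\]: giving up resolving host/ { n++ } END { print n + 0 }' "$1"
}

# check_chrooted_ntpd_resolver RESOLV_CONF NTPD_LOG -> one-line verdict
check_chrooted_ntpd_resolver() {
    loop=$(first_nameserver_is_loopback "$1")
    fails=$(count_resolve_failures "$2")
    if [ "$loop" = yes ] && [ "$fails" -gt 0 ]; then
        echo "WARN: first nameserver is loopback and ntpd logged $fails resolver failures"
    else
        echo "OK: loopback-first=$loop resolver-failures=$fails"
    fi
}

# Constructed sample inputs (hypothetical; 192.0.2.53 is a documentation address).
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$SAMPLE_DIR/resolv.loopback"
printf 'nameserver 192.0.2.53\n' > "$SAMPLE_DIR/resolv.external"
cat > "$SAMPLE_DIR/ntpd.log" <<'EOF'
Dec 27 04:08:41 host ntpd[6375]: running as non-root disables dynamic interface tracking
Dec 27 04:08:41 host ntpd[6375]: giving up resolving host 0.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
Dec 27 04:08:41 host ntpd[6375]: giving up resolving host 1.netbsd.pool.ntp.org: servname not supported for ai_socktype (9)
EOF

# Run against both sample resolv.conf files; the first one triggers the WARN.
check_chrooted_ntpd_resolver "$SAMPLE_DIR/resolv.loopback" "$SAMPLE_DIR/ntpd.log"
check_chrooted_ntpd_resolver "$SAMPLE_DIR/resolv.external" "$SAMPLE_DIR/ntpd.log"
```

On a real host, point the first argument at the resolv.conf ntpd actually reads and the second at /var/log/messages.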

