author | Robin H. Johnson <robbat2@gentoo.org> | 2014-01-01 23:59:55 +0000 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2014-01-01 23:59:55 +0000 |
commit | fad0848296db95175481a172d719872990cdb8fe (patch) | |
tree | ff1dbdeb4bbf3697d9a3e88a8b9422c66ee12b32 /net-misc | |
parent | Version bump (diff) | |
Secure default configuration (approved by NTP upstream per IRC): by default, deny all non-time queries so that monlist-based NTP reflection attacks are blocked; rate-limit queries and send a Kiss-o'-Death (KoD) response when the limit is exceeded; ensure the IPv6 localhost address is allowed, as it is used by default.
(Portage version: 2.2.7/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'net-misc')
-rw-r--r-- | net-misc/ntp/ChangeLog | 13 | ||||
-rw-r--r-- | net-misc/ntp/files/ntp.conf | 8 | ||||
-rw-r--r-- | net-misc/ntp/ntp-4.2.6_p5-r10.ebuild | 135 |
3 files changed, 151 insertions, 5 deletions
diff --git a/net-misc/ntp/ChangeLog b/net-misc/ntp/ChangeLog index 4e6abc080cdd..0b8484abe095 100644 --- a/net-misc/ntp/ChangeLog +++ b/net-misc/ntp/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for net-misc/ntp -# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.202 2013/12/24 11:01:52 vapier Exp $ +# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.203 2014/01/01 23:59:55 robbat2 Exp $ + +*ntp-4.2.6_p5-r10 (01 Jan 2014) + + 01 Jan 2014; Robin H. Johnson <robbat2@gentoo.org> +ntp-4.2.6_p5-r10.ebuild, + files/ntp.conf: + Secure default configuration (approved by NTP upstream per IRC): by default + deny all non-time queries so that monlist-based NTP reflection attacks are + blocked; Rate-limit queries and issue KoD for limit-exceeded; Ensure IPv6 + localhost is allowed as it is used by default. 24 Dec 2013; Mike Frysinger <vapier@gentoo.org> files/ntp-client.confd, files/ntp-client.rc: diff --git a/net-misc/ntp/files/ntp.conf b/net-misc/ntp/files/ntp.conf index e376fbea2186..97bed8dd13cd 100644 --- a/net-misc/ntp/files/ntp.conf +++ b/net-misc/ntp/files/ntp.conf @@ -38,10 +38,12 @@ driftfile /var/lib/ntp/ntp.drift #restrict default ignore -# To deny other machines from changing the -# configuration but allow localhost: -restrict default nomodify nopeer +# Default configuration: +# - Allow only time queries, at a limited rate, sending KoD when in excess. +# - Allow all local queries (IPv4, IPv6) +restrict default nomodify nopeer noquery limited kod restrict 127.0.0.1 +restrict [::1] # To allow machines within your network to synchronize diff --git a/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild b/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild new file mode 100644 index 000000000000..0a2c2e4bb06e --- /dev/null +++ b/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild 
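Review bot: The `limited` flag on the new `restrict default nomodify nopeer noquery limited kod` line is enforced per source address against ntpd's built-in `discard` thresholds, so a client population sitting behind a single NAT address will start receiving RATE Kiss-o'-Death responses and the new comment block in ntp.conf should say so; I would add `# 'limited' is applied per source IP: give known client networks their own 'restrict <net> mask <mask> nomodify nopeer noquery' line (without 'limited') if many hosts share one address.` Likewise `noquery` also refuses remote `ntpq -p` / `ntpdc` monitoring, so a line next to `restrict 127.0.0.1` / `restrict [::1]` noting that a monitoring host needs its own `restrict <addr> nomodify nopeer notrap` entry rather than a loosened default would save admins from reopening mode 7 globally. The ntp.conf file section is collapsed onto one line here, so only the changed lines and a few context lines are visible to me.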
@@ -0,0 +1,135 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild,v 1.1 2014/01/01 23:59:55 robbat2 Exp $
+
+EAPI="4"
+
+inherit eutils toolchain-funcs flag-o-matic user systemd
+
+MY_P=${P/_p/p}
+DESCRIPTION="Network Time Protocol suite/programs"
+HOMEPAGE="http://www.ntp.org/"
+SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-${PV:0:3}/${MY_P}.tar.gz
+	mirror://gentoo/${MY_P}-manpages.tar.bz2"
+
+LICENSE="HPND BSD ISC"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~m68k-mint"
+IUSE="caps debug ipv6 openntpd parse-clocks samba selinux snmp ssl vim-syntax zeroconf"
+
+DEPEND=">=sys-libs/ncurses-5.2
+	>=sys-libs/readline-4.1
+	kernel_linux? ( caps? ( sys-libs/libcap ) )
+	zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+	!openntpd? ( !net-misc/openntpd )
+	snmp? ( net-analyzer/net-snmp )
+	ssl? ( dev-libs/openssl )
+	selinux? ( sec-policy/selinux-ntp )
+	parse-clocks? ( net-misc/pps-tools )"
+RDEPEND="${DEPEND}
+	vim-syntax? ( app-vim/ntp-syntax )"
+PDEPEND="openntpd? ( net-misc/openntpd )"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+	enewgroup ntp 123
+	enewuser ntp 123 -1 /dev/null ntp
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-4.2.4_p5-adjtimex.patch #254030
+	epatch "${FILESDIR}"/${PN}-4.2.4_p7-nano.patch #270483
+	append-cppflags -D_GNU_SOURCE #264109
+}
+
+src_configure() {
+	# avoid libmd5/libelf
+	export ac_cv_search_MD5Init=no ac_cv_header_md5_h=no
+	export ac_cv_lib_elf_nlist=no
+	# blah, no real configure options #176333
+	export ac_cv_header_dns_sd_h=$(usex zeroconf)
+	export ac_cv_lib_dns_sd_DNSServiceRegister=${ac_cv_header_dns_sd_h}
+	econf \
+		--with-lineeditlibs=readline,edit,editline \
+		$(use_enable caps linuxcaps) \
+		$(use_enable parse-clocks) \
+		$(use_enable ipv6) \
+		$(use_enable debug debugging) \
+		$(use_enable samba ntp-signd) \
+		$(use_with snmp ntpsnmpd) \
+		$(use_with ssl crypto)
+}
+
+src_install() {
+	default
+	# move ntpd/ntpdate to sbin #66671
+	dodir /usr/sbin
+	mv "${ED}"/usr/bin/{ntpd,ntpdate} "${ED}"/usr/sbin/ || die "move to sbin"
+
+	dodoc INSTALL WHERE-TO-START
+	doman "${WORKDIR}"/man/*.[58]
+	dohtml -r html/*
+
+	insinto /usr/share/ntp
+	doins "${FILESDIR}"/ntp.conf
+	cp -r scripts/* "${ED}"/usr/share/ntp/ || die
+	use prefix || fperms -R go-w /usr/share/ntp
+	find "${ED}"/usr/share/ntp \
+		'(' \
+			-name '*.in' -o \
+			-name 'Makefile*' -o \
+			-name support \
+		')' \
+		-exec rm -r {} \;
+
+	insinto /etc
+	doins "${FILESDIR}"/ntp.conf
+	newinitd "${FILESDIR}"/ntpd.rc ntpd
+	newconfd "${FILESDIR}"/ntpd.confd ntpd
+	newinitd "${FILESDIR}"/ntp-client.rc ntp-client
+	newconfd "${FILESDIR}"/ntp-client.confd ntp-client
+	newinitd "${FILESDIR}"/sntp.rc sntp
+	newconfd "${FILESDIR}"/sntp.confd sntp
+	if ! use caps ; then
+		sed -i "s|-u ntp:ntp||" "${ED}"/etc/conf.d/ntpd || die
+	fi
+	sed -i "s:/usr/bin:/usr/sbin:" "${ED}"/etc/init.d/ntpd || die
+
+	keepdir /var/lib/ntp
+	use prefix || fowners ntp:ntp /var/lib/ntp
+
+	if use openntpd ; then
+		cd "${ED}"
+		rm usr/sbin/ntpd || die
+		rm -r var/lib
+		rm etc/{conf,init}.d/ntpd
+		rm usr/share/man/*/ntpd.8 || die
+	else
+		systemd_newunit "${FILESDIR}"/ntpd.service-r1 ntpd.service
+		systemd_enable_ntpunit 60-ntpd ntpd.service
+	fi
+
+	systemd_dounit "${FILESDIR}"/ntpdate.service
+	systemd_install_serviced "${FILESDIR}"/ntpdate.service.conf
+	systemd_dounit "${FILESDIR}"/sntp.service
+	systemd_install_serviced "${FILESDIR}"/sntp.service.conf
+}
+
+pkg_postinst() {
+	ewarn "You can find an example /etc/ntp.conf in /usr/share/ntp/"
+	ewarn "Review /etc/ntp.conf to setup server info."
+	ewarn "Review /etc/conf.d/ntpd to setup init.d info."
+	echo
+	elog "The way ntp sets and maintains your system time has changed."
+	elog "Now you can use /etc/init.d/ntp-client to set your time at"
+	elog "boot while you can use /etc/init.d/ntpd to maintain your time"
+	elog "while your machine runs"
+	if grep -qs '^[^#].*notrust' "${EROOT}"/etc/ntp.conf ; then
+		echo
+		eerror "The notrust option was found in your /etc/ntp.conf!"
+		ewarn "If your ntpd starts sending out weird responses,"
+		ewarn "then make sure you have keys properly setup and see"
+		ewarn "http://bugs.gentoo.org/41827"
+	fi
+}
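Review bot: The hardened `restrict default` line only reaches new installs, because `doins "${FILESDIR}"/ntp.conf` into /etc is subject to CONFIG_PROTECT and an existing /etc/ntp.conf with the old `restrict default nomodify nopeer` keeps answering mode 7 monlist requests after the upgrade; nothing in this revision tells those users to merge the change. pkg_postinst already inspects the live config for `notrust`, so the same spot can warn when a `restrict default` line lacks `noquery`, as sketched below (a heuristic: it looks only at uncommented `restrict [-4|-6] default` lines). Separately, in the `use openntpd` branch `cd "${ED}"`, `rm -r var/lib` and `rm etc/{conf,init}.d/ntpd` lack the `|| die` their neighbouring `rm` calls carry, so a failure there goes unnoticed. pkg_postinst is entirely within the hunk.

```shell
pkg_postinst() {
	# … unchanged: ewarn/elog about /etc/ntp.conf, conf.d and ntp-client …
	# An existing /etc/ntp.conf is CONFIG_PROTECTed, so the new secure default
	# is not applied on upgrade; flag configs that still answer mode 6/7
	# (monlist) queries from anywhere.
	if grep -qsE '^[[:space:]]*restrict([[:space:]]+-[46])?[[:space:]]+default' "${EROOT}"/etc/ntp.conf && \
	   ! grep -qsE '^[[:space:]]*restrict([[:space:]]+-[46])?[[:space:]]+default.*noquery' "${EROOT}"/etc/ntp.conf ; then
		echo
		ewarn "Your /etc/ntp.conf has a 'restrict default' line without 'noquery'."
		ewarn "Such a server answers monlist requests and can be abused for NTP"
		ewarn "reflection attacks; compare /usr/share/ntp/ntp.conf and consider"
		ewarn "adding 'noquery limited kod' to that line."
	fi
	# … unchanged: notrust check …
}
```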