authorRobin H. Johnson <robbat2@gentoo.org>2014-01-01 23:59:55 +0000
committerRobin H. Johnson <robbat2@gentoo.org>2014-01-01 23:59:55 +0000
commitfad0848296db95175481a172d719872990cdb8fe (patch)
treeff1dbdeb4bbf3697d9a3e88a8b9422c66ee12b32 /net-misc
parentVersion bump (diff)
Secure default configuration (approved by NTP upstream per IRC): by default deny all non-time queries so that monlist-based NTP reflection attacks are blocked; Rate-limit queries and issue KoD for limit-exceeded; Ensure IPv6 localhost is allowed as it is used by default.
(Portage version: 2.2.7/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/ntp/ChangeLog13
-rw-r--r--net-misc/ntp/files/ntp.conf8
-rw-r--r--net-misc/ntp/ntp-4.2.6_p5-r10.ebuild135
3 files changed, 151 insertions, 5 deletions
diff --git a/net-misc/ntp/ChangeLog b/net-misc/ntp/ChangeLog
index 4e6abc080cdd..0b8484abe095 100644
--- a/net-misc/ntp/ChangeLog
+++ b/net-misc/ntp/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for net-misc/ntp
-# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.202 2013/12/24 11:01:52 vapier Exp $
+# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ChangeLog,v 1.203 2014/01/01 23:59:55 robbat2 Exp $
+
+*ntp-4.2.6_p5-r10 (01 Jan 2014)
+
+ 01 Jan 2014; Robin H. Johnson <robbat2@gentoo.org> +ntp-4.2.6_p5-r10.ebuild,
+ files/ntp.conf:
+ Secure default configuration (approved by NTP upstream per IRC): by default
+ deny all non-time queries so that monlist-based NTP reflection attacks are
+ blocked; Rate-limit queries and issue KoD for limit-exceeded; Ensure IPv6
+ localhost is allowed as it is used by default.
24 Dec 2013; Mike Frysinger <vapier@gentoo.org> files/ntp-client.confd,
files/ntp-client.rc:
diff --git a/net-misc/ntp/files/ntp.conf b/net-misc/ntp/files/ntp.conf
index e376fbea2186..97bed8dd13cd 100644
--- a/net-misc/ntp/files/ntp.conf
+++ b/net-misc/ntp/files/ntp.conf
@@ -38,10 +38,12 @@ driftfile /var/lib/ntp/ntp.drift
#restrict default ignore
-# To deny other machines from changing the
-# configuration but allow localhost:
-restrict default nomodify nopeer
+# Default configuration:
+# - Allow only time queries, at a limited rate, sending KoD when in excess.
+# - Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
+restrict [::1]
# To allow machines within your network to synchronize
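Review bot: The new comment on the `restrict default` line promises queries "at a limited rate", but the rate itself is set nowhere in this file: `limited` and `kod` act on the thresholds of the `discard` command, which is absent, so ntpd's compiled-in defaults apply and an operator hardening this host has no pointer to the knob. I would extend the comment with `# - The rate is governed by the 'discard' command (average/minimum); ntpd's defaults apply unless one is added.` The ntpd documentation ties the KoD response to `limited` violations, so if someone later drops `limited` from this line the `kod` flag is presumably left with nothing to act on — worth a one-line note next to it. The surrounding restrict examples (`#restrict default ignore` above, the network example below) continue outside the hunk.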
diff --git a/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild b/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild
new file mode 100644
index 000000000000..0a2c2e4bb06e
--- /dev/null
+++ b/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild
@@ -0,0 +1,135 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/ntp-4.2.6_p5-r10.ebuild,v 1.1 2014/01/01 23:59:55 robbat2 Exp $
+
+EAPI="4"
+
+inherit eutils toolchain-funcs flag-o-matic user systemd
+
+MY_P=${P/_p/p}
+DESCRIPTION="Network Time Protocol suite/programs"
+HOMEPAGE="http://www.ntp.org/"
+SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-${PV:0:3}/${MY_P}.tar.gz
+ mirror://gentoo/${MY_P}-manpages.tar.bz2"
+
+LICENSE="HPND BSD ISC"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~m68k-mint"
+IUSE="caps debug ipv6 openntpd parse-clocks samba selinux snmp ssl vim-syntax zeroconf"
+
+DEPEND=">=sys-libs/ncurses-5.2
+ >=sys-libs/readline-4.1
+ kernel_linux? ( caps? ( sys-libs/libcap ) )
+ zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+ !openntpd? ( !net-misc/openntpd )
+ snmp? ( net-analyzer/net-snmp )
+ ssl? ( dev-libs/openssl )
+ selinux? ( sec-policy/selinux-ntp )
+ parse-clocks? ( net-misc/pps-tools )"
+RDEPEND="${DEPEND}
+ vim-syntax? ( app-vim/ntp-syntax )"
+PDEPEND="openntpd? ( net-misc/openntpd )"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ enewgroup ntp 123
+ enewuser ntp 123 -1 /dev/null ntp
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-4.2.4_p5-adjtimex.patch #254030
+ epatch "${FILESDIR}"/${PN}-4.2.4_p7-nano.patch #270483
+ append-cppflags -D_GNU_SOURCE #264109
+}
+
+src_configure() {
+ # avoid libmd5/libelf
+ export ac_cv_search_MD5Init=no ac_cv_header_md5_h=no
+ export ac_cv_lib_elf_nlist=no
+ # blah, no real configure options #176333
+ export ac_cv_header_dns_sd_h=$(usex zeroconf)
+ export ac_cv_lib_dns_sd_DNSServiceRegister=${ac_cv_header_dns_sd_h}
+ econf \
+ --with-lineeditlibs=readline,edit,editline \
+ $(use_enable caps linuxcaps) \
+ $(use_enable parse-clocks) \
+ $(use_enable ipv6) \
+ $(use_enable debug debugging) \
+ $(use_enable samba ntp-signd) \
+ $(use_with snmp ntpsnmpd) \
+ $(use_with ssl crypto)
+}
+
+src_install() {
+ default
+ # move ntpd/ntpdate to sbin #66671
+ dodir /usr/sbin
+ mv "${ED}"/usr/bin/{ntpd,ntpdate} "${ED}"/usr/sbin/ || die "move to sbin"
+
+ dodoc INSTALL WHERE-TO-START
+ doman "${WORKDIR}"/man/*.[58]
+ dohtml -r html/*
+
+ insinto /usr/share/ntp
+ doins "${FILESDIR}"/ntp.conf
+ cp -r scripts/* "${ED}"/usr/share/ntp/ || die
+ use prefix || fperms -R go-w /usr/share/ntp
+ find "${ED}"/usr/share/ntp \
+ '(' \
+ -name '*.in' -o \
+ -name 'Makefile*' -o \
+ -name support \
+ ')' \
+ -exec rm -r {} \;
+
+ insinto /etc
+ doins "${FILESDIR}"/ntp.conf
+ newinitd "${FILESDIR}"/ntpd.rc ntpd
+ newconfd "${FILESDIR}"/ntpd.confd ntpd
+ newinitd "${FILESDIR}"/ntp-client.rc ntp-client
+ newconfd "${FILESDIR}"/ntp-client.confd ntp-client
+ newinitd "${FILESDIR}"/sntp.rc sntp
+ newconfd "${FILESDIR}"/sntp.confd sntp
+ if ! use caps ; then
+ sed -i "s|-u ntp:ntp||" "${ED}"/etc/conf.d/ntpd || die
+ fi
+ sed -i "s:/usr/bin:/usr/sbin:" "${ED}"/etc/init.d/ntpd || die
+
+ keepdir /var/lib/ntp
+ use prefix || fowners ntp:ntp /var/lib/ntp
+
+ if use openntpd ; then
+ cd "${ED}"
+ rm usr/sbin/ntpd || die
+ rm -r var/lib
+ rm etc/{conf,init}.d/ntpd
+ rm usr/share/man/*/ntpd.8 || die
+ else
+ systemd_newunit "${FILESDIR}"/ntpd.service-r1 ntpd.service
+ systemd_enable_ntpunit 60-ntpd ntpd.service
+ fi
+
+ systemd_dounit "${FILESDIR}"/ntpdate.service
+ systemd_install_serviced "${FILESDIR}"/ntpdate.service.conf
+ systemd_dounit "${FILESDIR}"/sntp.service
+ systemd_install_serviced "${FILESDIR}"/sntp.service.conf
+}
+
+pkg_postinst() {
+ ewarn "You can find an example /etc/ntp.conf in /usr/share/ntp/"
+ ewarn "Review /etc/ntp.conf to setup server info."
+ ewarn "Review /etc/conf.d/ntpd to setup init.d info."
+ echo
+ elog "The way ntp sets and maintains your system time has changed."
+ elog "Now you can use /etc/init.d/ntp-client to set your time at"
+ elog "boot while you can use /etc/init.d/ntpd to maintain your time"
+ elog "while your machine runs"
+ if grep -qs '^[^#].*notrust' "${EROOT}"/etc/ntp.conf ; then
+ echo
+ eerror "The notrust option was found in your /etc/ntp.conf!"
+ ewarn "If your ntpd starts sending out weird responses,"
+ ewarn "then make sure you have keys properly setup and see"
+ ewarn "http://bugs.gentoo.org/41827"
+ fi
+}
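Review bot: The hardened `restrict default ... noquery limited kod` only reaches fresh installs: `/etc/ntp.conf` is installed with `doins` into /etc and is therefore config-protected, so every existing system keeps its old `restrict default nomodify nopeer` and stays usable as a monlist reflector, yet `pkg_postinst` only checks for `notrust` and says nothing about this. I would add a check modelled on the existing `notrust` grep that warns when the live config's `restrict default` line lacks `noquery`, pointing at /usr/share/ntp/ntp.conf for the new defaults. Separately, the `openntpd` branch in `src_install` runs `cd "${ED}"`, `rm -r var/lib` and `rm etc/{conf,init}.d/ntpd` without `|| die`, unlike the neighbouring `rm` calls, so a failed removal there would be silently ignored.

```shell
	# The monlist-mitigating defaults only reach new installs: /etc/ntp.conf
	# is config-protected, so an existing config keeps its old restrict line.
	if grep -qsE '^restrict[[:space:]]+default' "${EROOT}"/etc/ntp.conf && \
	   ! grep -qsE '^restrict[[:space:]]+default.*noquery' "${EROOT}"/etc/ntp.conf ; then
		echo
		ewarn "Your /etc/ntp.conf 'restrict default' line lacks 'noquery';"
		ewarn "remote ntpdc/ntpq queries (including monlist) remain answered,"
		ewarn "leaving this host usable for NTP reflection attacks."
		ewarn "See /usr/share/ntp/ntp.conf for the new restricted defaults."
	fi
	# … unchanged: existing notrust check …
```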