Re: [SLUG] Just set the time

From: Ronan Heffernan (ronan@iotcorp.com)
Date: Tue Aug 20 2002 - 09:26:07 EDT


Robert Stia wrote:
> On Monday 19 August 2002 09:17, you wrote:
>
>>>ntpdate 216.139.201.6
>>>
>>>(assuming your internet connection is up).
>>>
>>>This sets the OS's time. To sync the CMOS with that, issue:
>>>
>>>hwclock --systohc
>>>
>>>You can set this up as a cron job, if you have a consistent internet
>>>connection (like DSL).
>>
>>If you use dialup, you can put this into the /etc/ppp/ip-up script, so
>>that it gets run every time that you successfully connect to the Internet.
>>
>>--ronan
>
>
> Many thanks to all of the Sluggers who answered. That did the trick.
> Question to you Ronan though, I use a dialup connection and I like
> your idea, however, to do the ntp thing you must be root. Will that work
> in the ppp script? I never dialup as root.
>
> Thanks, Bob
>
> I guess I could also put it in the cron job and make sure that I am on line
> at the time the script would be run.
>

You could set the UID bit on ntpdate, so that it is always run as root
(no matter who runs it). Many people think this is a bad idea. If
there is a flaw in the ntpdate program, and someone on your machine
finds a way to exploit this flaw, then that person could gain root
privileges. One of the most common bugs that causes this risk is a
buffer overflow; let's say that the programmer who wrote ntpdate knows
that the first argument is going to be an IP address (which can never be
more than 16 characters). If he only sets aside enough memory to hold 17
characters, a cracker could type 'ntpdate zzzzzzzzzzzzzzzzzzzz' and
crash the ntpdate program and possibly gain root privileges.

The above concern mostly impacts machines which contain accounts for
untrusted users. It used to be very common for every student (at least
C/S students) to have an account on a school's UNIX machine(s). Some
ISPs (even today) give you a username/password to telnet into their UNIX
machines. In that situation it is very likely that your UNIX box has at
least one cracker already on the inside. If this is a home or small
business machine that you are using, then it is extremely unlikely that
you have already granted an account to a cracker, and the risk of
'privilege elevation' is minuscule.

Another way to get this to work would be to use something like 'sudo'.
Someone else on the list should be able to chime in about sudo.

--ronan
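The argument-handling bug Ronan sketches (a fixed buffer sized for "the longest possible IP address" and an unchecked copy of the first argument), shown as an added example that is not part of the original thread and is not real ntpdate source. The program name, the 17-byte buffer and the 20-z argument are taken from his hypothetical; the function names are invented for illustration. The unsafe variant is included only for contrast and is never called; the hardened variant checks the length before copying and then validates the text with inet_pton, which is what a setuid program handling untrusted arguments should do.

```c
/* Added example, not from the original thread or from ntpdate.
 * Illustrates the overflow scenario described in the message and a
 * bounds-checked alternative. */
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Vulnerable pattern (hypothetical, never called here): the buffer holds
 * 17 bytes because "an IP address is never more than 16 characters", but
 * strcpy copies however many bytes the caller supplied. A longer argument
 * writes past the end of the buffer; in a setuid-root binary that is a
 * privilege-escalation bug rather than merely a crash. */
void copy_server_arg_unsafe(const char *arg, char out[17]) {
    strcpy(out, arg);  /* no length check: overflows on a long argument */
}

/* Hardened pattern: reject anything that cannot be a dotted-quad address
 * before copying, copy with a bound derived from the buffer size, then let
 * inet_pton decide whether the text is syntactically an IPv4 address.
 * Returns 1 and fills *addr on success, 0 on rejection. */
int parse_server_arg(const char *arg, struct in_addr *addr) {
    char buf[INET_ADDRSTRLEN];         /* 16 bytes: longest dotted quad + NUL */
    size_t len = strlen(arg);
    if (len == 0 || len >= sizeof buf) /* "zzzzzzzzzzzzzzzzzzzz" stops here */
        return 0;
    memcpy(buf, arg, len + 1);         /* bounded: len + 1 <= sizeof buf */
    return inet_pton(AF_INET, buf, addr) == 1;
}

/* Convenience wrapper for callers that only need a yes/no answer. */
int server_arg_ok(const char *arg) {
    struct in_addr a;
    return parse_server_arg(arg, &a);
}

int main(int argc, char **argv) {
    struct in_addr a;
    if (argc != 2 || !parse_server_arg(argv[1], &a)) {
        fprintf(stderr, "usage: %s <dotted-quad server address>\n", argv[0]);
        return 1;
    }
    printf("server %s accepted\n", inet_ntoa(a));
    return 0;
}
```

Run it as `./a.out 216.139.201.6` to see the address accepted, and with an over-long or non-numeric argument to see it rejected before any copy happens. The length test alone already removes the overflow; inet_pton additionally rejects values such as a 256 octet, so a later name-resolution or socket call never sees malformed input.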



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:33:16 EDT