cmdmon: bind to loopback interface by default

This commit is contained in:
Miroslav Lichvar 2015-01-23 15:59:41 +01:00
parent 0ee27c6ef6
commit 5194101c8b
3 changed files with 22 additions and 25 deletions


@ -1316,10 +1316,7 @@ bindaddress 192.168.1.1
to the configuration file. to the configuration file.
This directive affects NTP (UDP port 123 by default) packets. If no This directive affects NTP (UDP port 123 by default) packets.
@code{bindcmdaddress} directive is present, the address supplied by
@code{bindaddress} will be used to control binding of the command socket (UDP
port 323 by default) as well.
The @code{bindaddress} directive has been found to cause problems when used on The @code{bindaddress} directive has been found to cause problems when used on
computers that need to pass NTP traffic over multiple network interfaces (e.g. computers that need to pass NTP traffic over multiple network interfaces (e.g.
@ -1333,30 +1330,25 @@ directive can be specified.
@c {{{ bindcmdaddress @c {{{ bindcmdaddress
@node bindcmdaddress directive @node bindcmdaddress directive
@subsection bindcmdaddress @subsection bindcmdaddress
The @code{bindcmdaddress} directive allows you to restrict the network The @code{bindcmdaddress} directive allows you to specify the network
interface to which @code{chronyd} will listen for command packets (issued by interface to which @code{chronyd} will listen for command packets (issued by
@code{chronyc}). This provides an additional level of access restriction above @code{chronyc}). This provides an additional level of access restriction above
that available through @code{cmddeny} mechanism. that available through @code{cmddeny} mechanism.
Suppose you want to block all access except from localhost. You By default, @code{chronyd} binds to the loopback interface (with addresses
could add the lines @code{127.0.0.1} and @code{::1}). This blocks all access except from
localhost. To listen for command packets on all interfaces, you can add the
lines
@example @example
bindcmdaddress 127.0.0.1 bindcmdaddress 0.0.0.0
bindcmdaddress ::1 bindcmdaddress ::
@end example @end example
to the configuration file. to the configuration file.
For each of IPv4 and IPv6 protocols, only one @code{bindcmdaddress} For each of IPv4 and IPv6 protocols, only one @code{bindcmdaddress}
directive can be specified. directive can be specified.
The default values are set by the @code{bindaddress} directive.
The @code{bindcmdaddress} directive has been found to cause problems when used
on computers that need to pass command traffic over multiple network
interfaces. Use of the @code{cmdallow} and @code{cmddeny} directives together
with a network firewall is more likely to be successful.
@c }}} @c }}}
@c {{{ broadcast directive @c {{{ broadcast directive
@node broadcast directive @node broadcast directive
@ -1424,6 +1416,10 @@ The syntax is identical to the @code{allow} directive.
There is also a @code{cmdallow all} directive with similar behaviour to the There is also a @code{cmdallow all} directive with similar behaviour to the
@code{allow all} directive (but applying to control access in this case, of @code{allow all} directive (but applying to control access in this case, of
course). course).
Note that @code{chronyd} has to be configured with the @code{bindcmdaddress}
directive to not listen only on the loopback interface to actually allow remote
access.
@c }}} @c }}}
@c {{{ cmddeny @c {{{ cmddeny
@node cmddeny directive @node cmddeny directive
@ -4721,7 +4717,7 @@ NTP requests from reaching @code{chronyd}.
If you don't need to use @code{chronyc} remotely, you can add the following If you don't need to use @code{chronyc} remotely, you can add the following
directives to the configuration file to bind the command sockets to the directives to the configuration file to bind the command sockets to the
loopback interface loopback interface. This is done by default since version 2.0.
@example @example
bindcmdaddress 127.0.0.1 bindcmdaddress 127.0.0.1
@ -4816,9 +4812,10 @@ will arise. You should always make X quite high (e.g. 10) in this directive.
@section Issues with chronyc @section Issues with chronyc
@subsection I keep getting the error @code{506 Cannot talk to daemon} @subsection I keep getting the error @code{506 Cannot talk to daemon}
Make sure that the @file{chrony.conf} file (on the computer where When accessing @code{chronyd} remotely, make sure that the @file{chrony.conf}
@code{chronyd} is running) has a @code{cmdallow} entry for the computer you are file (on the computer where @code{chronyd} is running) has a @code{cmdallow}
running @code{chronyc} on. This isn't necessary for localhost. entry for the computer you are running @code{chronyc} on and an appropriate
@code{bindcmdaddress} directive. This isn't necessary for localhost.
Perhaps @code{chronyd} is not running. Try using the ps command (e.g. on Perhaps @code{chronyd} is not running. Try using the ps command (e.g. on
Linux, 'ps -auxw') to see if it's running. Or try 'netstat -a' and see if the Linux, 'ps -auxw') to see if it's running. Or try 'netstat -a' and see if the


@ -232,7 +232,7 @@ prepare_socket(int family, int port_number)
if (bind_address.family == IPADDR_INET4) if (bind_address.family == IPADDR_INET4)
my_addr.in4.sin_addr.s_addr = htonl(bind_address.addr.in4); my_addr.in4.sin_addr.s_addr = htonl(bind_address.addr.in4);
else else
my_addr.in4.sin_addr.s_addr = htonl(INADDR_ANY); my_addr.in4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
break; break;
#ifdef FEAT_IPV6 #ifdef FEAT_IPV6
case AF_INET6: case AF_INET6:
@ -246,7 +246,7 @@ prepare_socket(int family, int port_number)
memcpy(my_addr.in6.sin6_addr.s6_addr, bind_address.addr.in6, memcpy(my_addr.in6.sin6_addr.s6_addr, bind_address.addr.in6,
sizeof (my_addr.in6.sin6_addr.s6_addr)); sizeof (my_addr.in6.sin6_addr.s6_addr));
else else
my_addr.in6.sin6_addr = in6addr_any; my_addr.in6.sin6_addr = in6addr_loopback;
break; break;
#endif #endif
default: default:
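Review bot: The `else` branches at lines 78 and 86 now decide the security-relevant default (loopback when CNF_GetBindCommandAddress returned an UNSPEC family), but neither branch carries a comment, so a later reader cannot tell this is a deliberate exposure reduction rather than an arbitrary fallback. Suggest `/* no bindcmdaddress configured: bind to loopback so the command socket is not reachable from the network */` above the IPv4 `else` at line 77, and a one-line `/* same default as the IPv4 case */` above the IPv6 `else` at line 85, so both families are visibly tied to the same policy. The two branches also duplicate the UNSPEC check per family; that is acceptable given the different address types, but the shared comment makes the duplication intentional. prepare_socket begins and ends outside the hunks.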

conf.c

@ -177,7 +177,7 @@ static IPAddr bind_address4, bind_address6;
static IPAddr bind_acq_address4, bind_acq_address6; static IPAddr bind_acq_address4, bind_acq_address6;
/* IP addresses for binding the command socket to. UNSPEC family means /* IP addresses for binding the command socket to. UNSPEC family means
use the value of bind_address */ the loopback address will be used */
static IPAddr bind_cmd_address4, bind_cmd_address6; static IPAddr bind_cmd_address4, bind_cmd_address6;
/* Filename to use for storing pid of running chronyd, to prevent multiple /* Filename to use for storing pid of running chronyd, to prevent multiple
@ -1647,9 +1647,9 @@ void
CNF_GetBindCommandAddress(int family, IPAddr *addr) CNF_GetBindCommandAddress(int family, IPAddr *addr)
{ {
if (family == IPADDR_INET4) if (family == IPADDR_INET4)
*addr = bind_cmd_address4.family != IPADDR_UNSPEC ? bind_cmd_address4 : bind_address4; *addr = bind_cmd_address4;
else if (family == IPADDR_INET6) else if (family == IPADDR_INET6)
*addr = bind_cmd_address6.family != IPADDR_UNSPEC ? bind_cmd_address6 : bind_address6; *addr = bind_cmd_address6;
else else
addr->family = IPADDR_UNSPEC; addr->family = IPADDR_UNSPEC;
} }
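Review bot: After the change, CNF_GetBindCommandAddress at lines 102-110 returns the configured value verbatim, so an unconfigured bindcmdaddress comes back with family IPADDR_UNSPEC and the loopback decision is made entirely by the caller, yet nothing at the function states that contract; the updated field comment at lines 97-98 ("the loopback address will be used") describes the caller's behaviour rather than this function's. Suggest a comment directly above the definition, `/* Copies the configured bindcmdaddress for the family; family is IPADDR_UNSPEC when none was set, and the socket setup code then binds to the loopback address */`. Since the previous fallback to bind_address4/bind_address6 is gone, a deployment that set only bindaddress and relied on the command socket following it will now get loopback instead; that appears to be the intended hardening, but it is worth calling out in the comment so the decoupling is not read as an accidental regression. The `void` return type sits in the hunk header, so the definition is otherwise complete within the hunk.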