| author | Nick Sayer <nsayer@FreeBSD.org> | 1999-04-07 16:36:56 +0000 |
|---|---|---|
| committer | Nick Sayer <nsayer@FreeBSD.org> | 1999-04-07 16:36:56 +0000 |
| commit | fcae3aa61f4ad12abec2048d769d6211e3fa91c2 (patch) | |
| tree | ab7f09a21bb3c8a30abfe764dc09608976dd199f /sys/kern/kern_time.c | |
| parent | 953e5998b393cd9df3493c4f5b7ae63bfa56dec2 (diff) | |
If securelevel>1, allow the clock to be adjusted negatively only up to
1 second prior to the highest the clock has run so far. This allows
time adjusters like xntpd to do their work, but the worst a miscreant
can do is "freeze" the clock, not go back in time.
We still need to decide on an algorithm to clamp positive adjustments.
As it stands, it is possible to achieve arbitrary negative adjustments
by "wrapping" time around.
PR: 10361
Notes:
svn path=/head/; revision=45433
Diffstat (limited to 'sys/kern/kern_time.c')
-rw-r--r-- | sys/kern/kern_time.c | 35 |
1 files changed, 27 insertions, 8 deletions
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 4d9d0f90d464..c699c22d000b 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)kern_time.c 8.1 (Berkeley) 6/10/93 - * $Id: kern_time.c,v 1.60 1999/01/27 21:49:56 dillon Exp $ + * $Id: kern_time.c,v 1.61 1999/02/25 15:54:05 bde Exp $ */ #include <sys/param.h> @@ -78,7 +78,8 @@ static int settime(tv) struct timeval *tv; { - struct timeval delta, tv1; + struct timeval delta, tv1, tv2; + static struct timeval maxtime; struct timespec ts; int s; @@ -89,13 +90,31 @@ settime(tv) /* * If the system is secure, we do not allow the time to be - * set to an earlier value (it may be slowed using adjtime, - * but not set back). This feature prevent interlopers from - * setting arbitrary time stamps on files. + * set to a value earlier than 1 second less than the highest + * time we have yet seen. The worst a miscreant can do in + * this circumstance is "freeze" time. He couldn't go + * back to the past. */ - if (delta.tv_sec < 0 && securelevel > 1) { - splx(s); - return (EPERM); + if (securelevel > 1) { + if (delta.tv_sec < 0 || delta.tv_usec < 0) { + if ( tv1.tv_sec > maxtime.tv_sec ) + maxtime=tv1; + tv2=*tv; + timevalsub( &tv2, &maxtime ); + if ( tv2.tv_sec < -1 ) { + tv.tv_sec=maxtime.tv_sec-1; + printf("Time adjustment clamped to -1 second\n"); + } + } + else { + /* XXX + * We have to figure out how to be secure + * in this case. Allowing arbitrary + * positive increases allows a miscreant + * to simply wrap time around the end + * of time. + */ + } } ts.tv_sec = tv->tv_sec; |
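Review bot: in the third hunk, `tv.tv_sec=maxtime.tv_sec-1;` uses `.` on `tv`, which settime() declares as `struct timeval *tv`, so this should read `tv->tv_sec = maxtime.tv_sec - 1;`; note also that the clamp leaves `tv->tv_usec` untouched, so the substituted time is maxtime minus one second plus whatever microseconds the caller passed. The clamp rewrites the requested time after `delta` has been computed from it and does not recompute `delta`, so any later use of `delta` in settime() would describe the original rather than the clamped adjustment; either recompute it after the clamp or keep returning EPERM as the replaced code did, since as written the caller gets success for a time it did not ask for and the only record is a `printf`. `maxtime` is only updated from `tv1` inside the `delta.tv_sec < 0 || delta.tv_usec < 0` branch, so a purely forward set is never recorded until the next backward set; a comment stating that this is intentional would help, and the `if ( tv1.tv_sec > maxtime.tv_sec )` / `maxtime=tv1;` spacing does not follow the surrounding file's style.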