Re: ntp.... was Re: Fresh rawhide install / AVC messages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
> Tom Mitchell <mitch48@xxxxxxxxx> wrote:
>                                                                                 
> > I might trust my dhcp server to give me an IP address but do I also
> > want it to set the time of day.  Then what else do I trust it to do?
> > How do I manage the list of things that dhcp might update?
> >
> > For example if I have a well crafted /etc/ntp.conf file will that file
> > be lost if I move to a different DHCP served net.
>                                                                                 
> I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can 
> set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
>                                                                                 
>    PEERDNS=no   (/etc/resolv.conf)
>    PEERNTP=no   (/etc/ntp.conf, /etc/ntp/step-tickers)
>    PEERNIS=no   (/etc/yp.conf)
>                                                                                 
> If set to no, then those files won't get modified even if appropriate
> DHCP options are sent.  See /sbin/dhclient-script for details.

I missed the  PEER*=no flags when I first glanced at the script.

This looks like the the correct place to manage the long list of
DHCP-able config items.

This permits a default "policy" configuration for the expected common
situation of a responsible ISP or IT department.  Individual DHCP
decisions can be made and set without the complexity of editing
policy.  -- Cool --

My concern was the cyber cafe or hotel that a traveling businessman
encounters.  There have already been rumors of bad boys snooping bits
and doing naughty things in the cyber cafes.  DHCP smelled like a
potential problem where time of day, DNS, SMTP and a list of other
"important" administrative decisions could be silently co-opted.

Since all these issues exist regardless of SELinux the common and correct
place do address this is via /sbin/dhclient-scrip and the associated
config tools. -- Excellent --



-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux