1.0 Project Information 1.1 Name of project/component Upgrade NTP to version 4 1.2 Author of document brian.utterback@sun.com 2.0 Project Summary 2.1 Project Description Replace the existing NTP version 3 with version 4. 2.2 Release binding What is is the release binding? (see http://opensolaris.org/os/community/arc/policies/release-taxonomy/) [ ] Major [x] Minor [ ] Patch or Micro [ ] Unknown -- ARC review required 2.3 Type of project Is this case a Linux Familiarity project? [x] Yes [ ] No 2.4 Originating Community 2.4.1 Community Name NTP.org 2.4.2 Community Involvement Indicate Sun's involvement in the community [ ] Maintainer [x] Contributor [ ] Monitoring Will the project team work with the upstream community to resolve architectural issues of interest to Sun? [x] Yes [ ] No - briefly explain Will we or are we forking from the community? [ ] Yes - ARC review required prior to forking [x] No 3.0 Technical Description 3.1 Installation & Sharable 3.1.1S Solaris Installation - section only required for Solaris Software (see http://opensolaris.org/os/community/arc/policies/install-locations/ for details) Does this project follow the Install Locations best practice? [x] Yes [ ] No - ARC review required Does this project install into /usr under [sbin|bin|lib|include|man|share]? [x] Yes [ ] No or N/A Does this project install into /opt? [ ] Yes - explain below [x] No or N/A Does this project install into a different directory structure? [ ] Yes - ARC review required [x] No or N/A Do any of the components of this project conflict with anything under /usr? (see http://opensolaris.org/os/community/arc/caselog/2007/047/ for details) [ ] Yes - explain below [x] No If conflicts exist then will this project install under /usr/gnu? [ ] Yes [ ] No - ARC review required [x] N/A Is this project installing into /usr/sfw? [ ] Yes - ARC review required [x] No 3.1.2 Share and Sharable Does the module include any components that are used or shared by other projects? [ ] Yes [x] No If yes are these components packaged to be shared with the other FOSS? [ ] Yes [ ] No - ARC review required [x] N/A 3.2 Exported Libraries Are libraries being delivered by this project? [ ] Yes [x] No - continue with next section (section 3.3) 3.3 Services and the /etc Directory (see http://opensolaris.org/os/community/arc/policies/SMF-policy/) Does the project integrate anything into /etc/init.d or /etc/rc?.d? [ ] Yes - ARC review required [x] No Does the project integrate any new entries into /etc/inittab or /etc/inetd.conf? [ ] Yes - ARC review required [x] No Does the project integrate any private non-public files into /etc/default or /etc/ configuration files? [ ] Yes - ARC review required [x] No Does the service manifests method context grant rights above that of the noaccess user and basic privilege set? [ ] Yes - ARC review required [x] No 3.4 Security 3.4.1 Secure By Default (see http://opensolaris.org/os/community/arc/policies/secure-by-default/ for details) (see http://www.opensolaris.org/os/community/arc/policies/NITS-policy/ for details) (see parts of http://opensolaris.org/os/community/arc/policies/SMF-policy/ for addtional details) Are there any network services provided by this project? [x] Yes [ ] No - continue with the next section (section 3.4.2) Are network services enabled by default? [ ] Yes - ARC review required [x] No [ ] N/A Are network services automatically enabled by the project during installation? [ ] Yes - ARC review required [x] No [ ] N/A Are inbound network communications denied by default? [x] Yes [ ] No - ARC review required [ ] N/A Is inbound data checked to prevent content-based attacks? [x] Yes [ ] No - ARC review required [ ] N/A Is the outbound receiver authenticated? [ ] Yes [ ] No - ARC review required [x] N/A Is the receiver authenticated prior to receiving any sensitive outbound communication? [ ] Yes [ ] No - ARC review required [x] N/A 3.4.2 Authorization (see http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/ and http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/ for details) Are there any setuid/setgid privileged binaries in the project? [ ] Yes - ARC review required [x] No - continue with next section (section 3.4.3) 3.4.3 Auditing (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for details) (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details) Does this component contain administrative or security enforcing software? [ ] Yes - ARC review required [x] No - continue to next section (section 3.4.4) 3.4.4 Authentication (see http://opensolaris.org/os/community/arc/policies/PAM/) Do the components contain any authentication code? [ ] Yes [x] No - continue to next section (section 3.4.5) 3.4.5 Passwords (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for details) Do any of the components for the project deal with passwords? [x] Yes [ ] No - continue to next section (section 3.4.6) If yes are these passwords entered via the CLI or environment? [ ] Yes - ARC review required [x] No Are passwords stored within the file system for the component? [x] Yes [ ] No - continue to next section (section 3.4.6) If yes are the permissions on the file such to protect exposing the password(s)? [x] Yes [ ] No - ARC review required The passwords are stored in the /etc/inet/ntp.keys file, which is not delivered. This file is administrator created. The passwords in question authenticate NTP servers and clients to one another and not individual users. It is up to the administrator to set permissions appropriately when the file is created. 3.4.6 General Security Questions (see http://opensolaris.org/os/community/arc/bestpractices/security-questions/ for details) Are there any network protocols used by this project? [x] Yes [ ] No - continue with the next section (section 3.5) Do the components use standard network protocols? [x] Yes [ ] No - ARC review required Do network services for the project make decisions based upon user, host or service identities? [x] Yes - explain below [ ] No [ ] N/A Crypto authentication can used to verify the trust relationships between NTP servers and clients. Do the components make use of secret information during authentication and/or authorization? [x] Yes - explain below [ ] No [ ] N/A The high security crypto key options for authentication can be used to verify server identity. These require a public and private key pair generation in a manner analogous to the one used to identify systems by ssh. 3.5 Networking Do the components access the network? [x] Yes [ ] No - continue with the next section (section 3.6) If yes do the components support IPv6? [x] Yes [ ] No - ARC review required 3.6 Core Solaris Components Do the components of this project compete with or duplicate core Solaris components? [ ] Yes - ARC review required [x] No They replace current core components. 4.0 Interfaces (see http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ for details) 4.1 Exported Interfaces Interface Name Classification Comments --------------------------- ------------------- --------------------------- SUNWntpr Uncommitted Root package SUNWntpu Uncommitted /usr package /etc/inet/ntp.conf Uncommitted Configuration file /usr/lib/inet/ntpd Uncommitted NTP daemon /usr/lib/inet/ntp-wait Project Private /usr/sbin/ntpdate Volatile /usr/sbin/ntptrace Volatile /usr/sbin/ntpq Uncommitted /usr/sbin/ntpdc Volatile /usr/sbin/ntp-keygen Uncommitted Crypto key gen utility. /usr/sbin/ntptime Volatile Kernel NTP state utility. /usr/share/doc/ntp Uncommitted Location for html docs /usr/share/doc/ntp/* Volatile Contents of HTML docs. SMF properties config/debugfile Uncommitted config/debuglevel Uncommitted config/logfile Uncommitted config/no_auth_required Uncommitted Restores Solaris 9 default. config/slew_always Uncommitted Raises threshold for step. config/wait_for_sync Uncommitted Prevents method completion until sync. config/mdnsregister Uncommitted Registers server with mDNS config/verbose_logging Uncommitted 4.2 Imported Interfaces Interface Name Classification Comments ----------------------------------- ----------- -------------------------- /usr/lib/libdns_sd.so Committed /usr/sfw/lib/libcrypto.so Private Contracted svc:/network/dns/multicast:default Used to test if mDNS configured. ntp_adjtime,ntp_gettime syscalls Project Private Brief Interface Classifications - See Appendix C for definitions Volatile - interfaces are fluid and will follow a rapidly changing community Uncommitted - interfaces are still evolving in the community and might follow the community Committed - interfaces are stable in the community Project Private - no review required, just document in table Contracted (interface modifier) - further review required Appendix A - References 1. Solaris Installation Locations Policy http://opensolaris.org/os/community/arc/policies/install-locations/ 2. /usr/gnu Installation ARC case http://opensolaris.org/os/community/arc/caselog/2007/047/ 3. Secure By Default Policy http://opensolaris.org/os/community/arc/policies/secure-by-default/ 4. Network Install Time Securityuy Policy http://www.opensolaris.org/os/community/arc/policies/NITS-policy/ 5. Adding RBAC Authorizations Policy http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/ 6. When to use setuid -vs- RBAC roles and profiles http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and 7. Building RBAC Rights Profiles http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/ 8. Solaris Audit Policy http://opensolaris.org/os/community/arc/policies/audit-policy/ 9. Security questionaire http://opensolaris.org/os/community/arc/bestpractices/security-questions/ 10. Interface Taxonomy http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ 11. Plugable Authentication Modules -- PAM http://opensolaris.org/os/community/arc/policies/PAM/ 12. Reusable Passwords In Command Line Arguments and Environment Variables http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ 13. Storing Reusable Passwords on a Filesystem http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ 14. Release Taxonomy http://opensolaris.org/os/community/arc/policies/release-taxonomy/ 15. Service Management Facility (SMF) usage http://opensolaris.org/os/community/arc/policies/SMF-policy/ Appendix B - Suggested case materials 1. man pages 2. SMF manifests 3. links to contracts Appendix C - Definitions Submitter an agent responsible for creation of an ARC project along with the materials describing that project. Owner the ARC agent responsible for shepherding the case through review and ensuring a formal opinion is written where required. Maintainer an agent responsible for releasing new versions of a program, typically the "main" contributor or person incharge of making Architectural decisions for the project Contributor an agent who make contributions to a project, typically has a voice in making Architectural decisions for the project Monitoring an agent who is only following the changes made in the community and has no Architectural input into the project Volatile* interfaces that are very fluid and typically follow the originating community. Typically these interfaces can not be imported by other projects. Uncommitted* interfaces that are still evolving but will most likely be present from release to release. Committed* interfaces that are stable and with Sun guaranteeing some level of compatibility from release to release. Project Private* interfaces that are exposed only to or intended to be used only by the project being reviewed. These interfaces can not be imported by other projects. Not-An-Interface* components that are not interfaces. Contracted* (interface modifier) - ARC review of Contract required interfaces that do not allow another project to import can be *Note: see http://opensolaris.org/os/community/arc/policies/interface-taxonomy/ for details