http://bugzilla.opensuse.org/show_bug.cgi?id=1036505

Bug ID: 1036505
Summary: NTP postinstall script may remove trusted keys from ntp.conf
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: All
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: Ulrich.Windl@rz.uni-regensburg.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 722919
  --> http://bugzilla.opensuse.org/attachment.cgi?id=722919&action=edit
Set of patches to fix the postinstall script of NTP (based on the version in SLES11 SP4)

In a configuration where "ntp.keys" has a non-standard location (actually there is no default), the post-install script of NTP will use a newly created key file instead (and key settings). For example, if you use /etc/ntp/ntp.keys as key file, the key file will be /etc/ntp.keys after updating NTP.

While this is the main issue, there are other issues, also:

If you had trusted keys, but not control or requestkey, the list of trusted keys will be replaced by "trustedkey 1" (i.e. only trust key ID 1).

If you had a key ID 1 used for time exchange, that key ID will be used as control and request key.

The script was quite inflexible about when to add additional lines. Most of the time it did too much.

Starting with "rpm -q --scripts ntp" in SLES 11 SP4, I started to fix the postinstall script (see attachment). There the first three patches are missing, because they are merely extracting and splitting the scripts.

Patch #4 defines and uses an NTP_KEYS variable for the NTP key file to use.

Patch #5 extracts "requestkey", "controlkey", and "trustedkey" list from the NTP configuration file to create only missing keys and directives.

Patch #6 updates the "trustedkey" list if needed. Before, a directive was always added. Also this patch uses a key ID that seems unused so far (derived from trustedkey list).

Patch #7 adds and uses function log() for logging to stdout, pointing out what the script does (or did).

The patches may apply to newer releases with some fuzz. Specifically I should have used the RPM spec file as base...
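
Added example, not part of the bug report and not the code from attachment 722919: a sketch of the non-destructive behaviour described for patches #4 to #6. It reads the existing "keys", "trustedkey", "requestkey" and "controlkey" directives and fills in only what is missing. The function names, the sample configuration, and the assumption that key IDs are plain integers (no ranges) are all constructed for illustration.

```shell
#!/bin/sh
# Illustration only; all function names here are hypothetical.
DEFAULT_KEYS=/etc/ntp.keys   # path the report says the old script switches to

# Print the arguments of the last uncommented occurrence of directive $2 in file $1.
conf_value() {
    awk -v d="$2" '
        { sub(/#.*/, "") }                              # drop trailing comments
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } # keep the arguments only
        END { print v }' "$1"
}

# Print the smallest positive key ID not among the arguments (plain integers assumed).
unused_key_id() {
    id=1
    while :; do
        case " $* " in
            *" $id "*) id=$((id + 1)) ;;
            *) echo "$id"; return ;;
        esac
    done
}

# Print the directives ntp.conf ($1) should carry after an update:
# existing values are preserved, only missing ones are filled in.
desired_state() {
    keys=$(conf_value "$1" keys)
    trusted=$(conf_value "$1" trustedkey)
    request=$(conf_value "$1" requestkey)
    control=$(conf_value "$1" controlkey)
    if [ -z "$request" ] || [ -z "$control" ]; then
        new=$(unused_key_id $trusted $request $control)
        trusted="${trusted:+$trusted }$new"   # extend the list, never replace it
        request=${request:-$new}
        control=${control:-$new}
    fi
    echo "keys ${keys:-$DEFAULT_KEYS}"
    echo "trustedkey $trusted"
    echo "requestkey $request"
    echo "controlkey $control"
}

# Constructed sample: custom key file, keys 1 and 2 trusted for time exchange.
sample_conf() {
    cat <<'EOF'
keys /etc/ntp/ntp.keys
trustedkey 1 2   # keys used for time exchange
server ntp.example.org key 1
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && desired_state "$tmp"; rm -f "$tmp"
```

For the sample, the key file path and trusted keys 1 and 2 are kept, and a new ID 3 is used for the request and control key instead of reusing key 1.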