12 년 전 · ea4e888c76
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -8,7 +8,7 @@
 
				   * Firewire SBP-2 module is blacklisted to prevent Firewire RAM access
			
 
				   * Reduced the number of SUID binaries via POSIX.1e capabilities
			
 
				 
			
 
				-  * Replaced htpdate with tlsdate for time synchronization
			
 
				+  * Replaced htpdate with NTP for time synchronization
			
 
				   * Added "gentoo=obfs" boot parameter for obfsproxy Tor bridges
			
 
				   * Added "gentoo=xkms" boot parameter for forcing X modesetting driver
			
 
				   * More robust Xorg autoconfiguration
			
--- a/doc/info.txt
+++ b/doc/info.txt
@@ -22,7 +22,7 @@ HKP(S)
 
				   + [alt: x-hkp://pool.sks-keyservers.net]
			
 
				   + [alt: x-hkp://keys.gnupg.net]
			
 
				 
			
 
				-NTP [disabled]
			
 
				+NTP
			
 
				   + [0-3].pool.ntp.org
			
 
				 
			
 
				 
			
--- a/src/etc/NetworkManager/dispatcher.d/01-ntp
+++ b/src/etc/NetworkManager/dispatcher.d/01-ntp
@@ -10,7 +10,7 @@ case ${action} in
 
				         # ntpd gracefully adds/removes interfaces
			
 
				         if ! /etc/init.d/ntpd -q status; then
			
 
				             logger -p 6 -t nm.dispatch "Starting NTP service (${iface})"
			
 
				-            /etc/init.d/ntpd -q start
			
 
				+            /etc/init.d/ntpd -qS start
			
 
				         fi
			
 
				         ;;
			
 
				 esac
			
--- a/src/etc/dhcpcd.conf
+++ b/src/etc/dhcpcd.conf
@@ -1,10 +1,13 @@
 
				 # Options for direct use of dhcpcd (via /lib/dhcpcd/dhcpcd-run-hooks)
			
 
				 # NetworkManager uses /usr/libexec/nm-dhcp-client.action instead
			
 
				+
			
 
				 # NOTE: dhcpcd still insists on putting a "search" in /etc/resolv.conf
			
 
				 option domain_name_servers
			
 
				-# option ntp_servers
			
 
				 # option interface_mtu
			
 
				 
			
 
				+# /lib/dhcpcd/dhcpcd-hooks/50-ntp.conf, not supported by NetworkManager
			
 
				+# option ntp_servers
			
 
				+
			
 
				 # don't send a hostname to register in DNS
			
 
				 # hostname
			
 
				 
			
--- a/src/etc/portage/sets/basic
+++ b/src/etc/portage/sets/basic
@@ -59,6 +59,7 @@ net-misc/networkmanager-pptp
 
				 net-misc/networkmanager-openvpn
			
 
				 net-misc/networkmanager-vpnc
			
 
				 gnome-extra/nm-applet
			
 
				+net-misc/ntp
			
 
				 net-misc/tlsdate
			
 
				 net-misc/tor
			
 
				 net-misc/connect
			
--- a/src/root/config/rootfs.excludes
+++ b/src/root/config/rootfs.excludes
@@ -51,6 +51,7 @@
 
				 /usr/share/i18n/
			
 
				 /usr/share/icu/
			
 
				 /usr/share/NetworkManager/
			
 
				+/usr/share/ntp/
			
 
				 /usr/share/openrc/
			
 
				 /usr/share/readline/
			
 
				 /usr/share/vala/
			
@@ -130,6 +131,9 @@
 
				 /usr/bin/sensors-conf-convert
			
 
				 # gnome-base/libglade: old versions ui upgrade
			
 
				 /usr/bin/libglade-convert
			
 
				+# net-misc/ntp: servers chain tracer, ntpq loop wrapper
			
 
				+/usr/bin/ntptrace
			
 
				+/usr/bin/ntp-wait
			
 
				 # dev-util/strace: nice strace output
			
 
				 /usr/bin/strace-graph
			
 
				 # app-text/aspell: old dictionaries import
			
--- a/src/usr/local/sbin/fw-reload
+++ b/src/usr/local/sbin/fw-reload
@@ -84,10 +84,10 @@ iptables -A OUTPUT -p icmp --icmp-type echo-reply   -m state --state ESTABLISHED
 
				 # --- Loopback ---
			
 
				 # NOTE: owner match doesn't work with the INPUT chain
			
 
				 
			
 
				-# NTP server [disabled] modification permission to ntpd user only (or root in pre-DNS phase)
			
 
				-# iptables -A OUTPUT -o lo -p udp -m owner --uid-owner root -d 127.0.0.1 --dport ntp -j ACCEPT
			
 
				-# iptables -A OUTPUT -o lo -p udp -m owner --uid-owner ntp  -d 127.0.0.1 --dport ntp -j ACCEPT
			
 
				-# iptables -A OUTPUT -o lo -p udp                           -d 127.0.0.1 --dport ntp -j LOGREJECT
			
 
				+# NTP server modification permission to ntpd user only (or root in pre-DNS phase)
			
 
				+iptables -A OUTPUT -o lo -p udp -m owner --uid-owner root -d 127.0.0.1 --dport ntp -j ACCEPT
			
 
				+iptables -A OUTPUT -o lo -p udp -m owner --uid-owner ntp  -d 127.0.0.1 --dport ntp -j ACCEPT
			
 
				+iptables -A OUTPUT -o lo -p udp                           -d 127.0.0.1 --dport ntp -j LOGREJECT
			
 
				 
			
 
				 # Hidden service server access only for Tor
			
 
				 iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner tor      --syn -d 127.0.0.1 --dport 9080 -j ACCEPT
			
@@ -114,13 +114,16 @@ iptables -A OUTPUT -o lo -j ACCEPT
 
				 
			
 
				 # --- External Communications ---
			
 
				 
			
 
				-# DHCP and NTP client [disabled] communication
			
 
				+# DHCP and NTP client communication
			
 
				 iptables -A OUTPUT -p udp                              --sport bootpc --dport bootps -j ACCEPT
			
 
				-# iptables -A OUTPUT -p udp                              --sport ntp    --dport ntp    -j ACCEPT
			
 
				+iptables -A OUTPUT -p udp                              --sport ntp    --dport ntp    -j ACCEPT
			
 
				 
			
 
				-# DNS use for NTP server [disabled, resolves as root] and non-firewalled user.
			
 
				-# NOTE: uid-owner does not work for dns with nscd
			
 
				+# DNS use for NTP server [resolves as root] and non-firewalled user.
			
 
				+# NetworkManager applet also resolved VPN hostnames as root (via D-Bus)
			
 
				+# NOTE: NTP will possibly resolve as uid=ntp starting with 4.2.7
			
 
				+iptables -A OUTPUT -p udp -m owner --uid-owner root          --dport domain -j ACCEPT
			
 
				 iptables -A OUTPUT -p udp -m owner --uid-owner ${nofw}       --dport domain -j ACCEPT
			
 
				+iptables -A OUTPUT -p tcp -m owner --uid-owner root    --syn --dport domain -j ACCEPT
			
 
				 iptables -A OUTPUT -p tcp -m owner --uid-owner ${nofw} --syn --dport domain -j ACCEPT
			
 
				 
			
 
				 # In "noanon" profile, Privoxy can use DNS