Patch: ntpdate option -p deprecated

list Roland Rosenfeld
Mon, 12 Feb 2024 10:08:09 +0100
Message-Id: <user-0028f2c269e0@xymon.invalid>

Hi Brian!

On Mon, 12 Feb 2024, Brian Scott wrote:

The -p 1 option is still desirable for standard ntpd. The default is
to do 4 probes which is overkill for xymon.

You are right, but I'm not sure, whether there are still current
systems using the original ntpd.

I have just checked a fresh install of ntpsec from source and can't see
ntpdate being installed. Found this on the ntpsec site under Security
Improvements:

 * The deprecated and vulnerability-prone ntpdate program has been
   replaced with a shell wrapper around ntpdig. Its -e and -p options
   are not implemented. It is no longer documented, but can be found in
   the attic/ directory of the source distribution.

I notice that in the script the behaviour when it finds the -p option is to
simply warn and ignore it:

p) echo "ntpdate: -p is no longer supported." >&2;;

So it's just a neatness thing. The script is undocumented (debian may have
pinched their man page from standard ntp) and unlikely to ever be updated.

Not sure where this leaves us. I know others had similar problems when
distros moved to chrony for ntp. Maybe we need a more generalised approach
to different ntp implementations going forward.

Maybe the best way for ntpsec users is to replace the ntpdate call
with a final ntpdig call (which saves one shell script call).
As far as I can see "ntpdate -u -q foo" with ntpsec-ntpdate wrapper
simply calls "ntpdig -t 1 foo", so why not directly use this?

The attached rewritten patch implements this.

Greetings
Roland

Attachments (1)

attachment.patch application/octet-stream · 1.2 KB