
Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-severe-ntp-security-flaw/


When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.


This is a critical issue; it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero.

Posted on Dec 23, 2014 4:34 PM

175 replies

Jan 21, 2015 4:40 PM in response to xyzzy-xyzzy

Some news; I reinstalled 10.5 and found

/usr/bin/ntp-keygen
/usr/bin/ntpq
/usr/bin/sntp
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc
/usr/sbin/ntptrace
/usr/libexec/ntpd-wrapper
/System/Library/LaunchDaemons/org.ntp.ntpd.plist

were present; and from what I can see, the NTP makefile produces all but the last 2, so I may modify my installer accordingly (i.e. to leave the last 2 files alone).

Jan 21, 2015 11:28 PM in response to Anwar Shiekh

Anwar Shiekh wrote:

Some news; I reinstalled 10.5 and found

/usr/bin/ntp-keygen
/usr/bin/ntpq
/usr/bin/sntp
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc
/usr/sbin/ntptrace
/usr/libexec/ntpd-wrapper
/System/Library/LaunchDaemons/org.ntp.ntpd.plist

were present; and from what I can see, the NTP makefile produces all but the last 2, so I may modify my installer accordingly (i.e. to leave the last 2 files alone).


First: org.ntp.ntpd.plist, ntpd-wrapper, and one you don't mention in your list, i.e., ntp-restrict.conf, are Apple-specific. A "standard" ntp build knows nothing about these three files. But we need them for ntp to work in 10.5 to 10.7.


Second, org.ntp.ntpd.plist is the launch daemon, and nothing needs changing or reinstalling. Its sole goal in life is to launch ntpd-wrapper. So it is correct to leave that file alone. However,


Third, if you had been following the discussions in this thread, I pointed out that ntpd-wrapper does need to be changed, specifically its call to sntp. Here are the two lines that need to be changed, as previously discussed.

for server in $(awk '/^server/ {print $NF}' /etc/ntp.conf); do

if sntp -K /dev/null -s ${server} &> ${LOG}; then

If you don't do this, the sntp call that exists in the original ntpd-wrapper will fail (look at the system.log) when it tries to do its sntp call, since it uses an option (-v) that is no longer valid with the new ntp build of sntp.


Also discussed earlier (but I guess you could consider it optional, since this is to address suppressing some system.log messages) is Apple's ntp-restrict.conf. That is the conf file passed to ntpd in ntpd-wrapper. I modified the following two lines:


restrict default kod limited nomodify notrap nopeer noquery

restrict -6 default kod limited nomodify notrap nopeer noquery

This stops some warnings in the system log about not having limited with kod.


Also added to ntp-restrict.conf is the line (and this was also previously discussed):


rlimit memlock 0


This stops ntpd from attempting to use mlockall() in its code, which is not supported on our systems and thus results in yet another system.log message. By stopping its use with the rlimit we stop the log message.
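As an added illustration (not code from the thread, from Apple's ntpd-wrapper, or from the poster's script) of the two changes described in this post: the patched server loop that calls sntp with the ntp-4.2.8 syntax, and a check that an ntp-restrict.conf carries `limited` alongside `kod` and has the `rlimit memlock 0` line. The ntp.conf and restrict files are constructed samples with placeholder hostnames, SNTP_BIN is an assumed hook so the loop can be exercised without a real sntp binary, and `>"$log" 2>&1` is the POSIX spelling of the `&>` in the posted line. One caveat the example also shows: the thread's `awk '{print $NF}'` returns the hostname only when the `server` line has no trailing options such as `iburst`; `$2` works in both cases.

```shell
#!/bin/sh
# Added example, not Apple's ntpd-wrapper: the patched sntp loop from the
# thread plus a check for the two ntp-restrict.conf tweaks it recommends.

TMP=${TMPDIR:-/tmp}/ntp-example.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed sample ntp.conf; hostnames are placeholders, not real servers.
# The second line carries a trailing option, which is where awk's $NF
# (as used in the thread) would return "iburst" instead of the host.
cat >"$TMP/ntp.conf" <<'EOF'
server time.example.com
server pool.example.net iburst
driftfile /var/db/ntp.drift
EOF

# Constructed ntp-restrict.conf as shipped: kod without limited, no rlimit line.
cat >"$TMP/restrict-old.conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF

# The same file with the two changes the thread describes applied.
cat >"$TMP/restrict-new.conf" <<'EOF'
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
rlimit memlock 0
EOF

# Print the hostname of every "server" line; $2 ignores trailing options.
ntp_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# Walk the servers in order with the ntp-4.2.8 sntp syntax (-K /dev/null -s),
# as in the patched wrapper, and print the first one that answers.
# SNTP_BIN (assumed hook) stands in for the sntp binary; output goes to $2
# the way the wrapper sends it to ${LOG}.
sync_first_server() {
    conf=$1; log=${2:-/dev/null}
    for server in $(ntp_servers "$conf"); do
        if "${SNTP_BIN:-sntp}" -K /dev/null -s "$server" >"$log" 2>&1; then
            echo "$server"
            return 0
        fi
    done
    return 1
}

# Return 0 when every "restrict ... default" line that uses kod also has
# limited (otherwise ntpd logs the warning mentioned in the thread) and the
# file sets "rlimit memlock 0" so ntpd never tries mlockall(); 1 or 2 otherwise.
check_restrict_conf() {
    conf=$1
    awk '$1 == "restrict" && /default/ && /kod/ && !/limited/ { bad = 1 }
         END { exit bad }' "$conf" || return 1
    awk '$1 == "rlimit" && $2 == "memlock" && $3 == "0" { ok = 1 }
         END { exit !ok }' "$conf" || return 2
    return 0
}

# Stand-alone run: dry-run the loop with "true" standing in for sntp, then
# report on both restrict files.
SNTP_BIN=true sync_first_server "$TMP/ntp.conf"
for f in restrict-old.conf restrict-new.conf; do
    if check_restrict_conf "$TMP/$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
```

Run on a real machine, point `sync_first_server` at /etc/ntp.conf and `check_restrict_conf` at /private/etc/ntp-restrict.conf; the second function is the quick way to confirm the edits from this post survived an install or restore.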

Jan 21, 2015 11:41 PM in response to xyzzy-xyzzy

On 10.5 ntpd-wrapper is just


#!/bin/sh
PATH=/usr/sbin:/usr/bin:/bin

ipconfig waitall
ntpdate -bvs

# Un-comment the following line to run ntp with a sandbox profile.
# Sandbox profiles restrict processes from performing unauthorized
# operations; so it may be necessary to update the profile
# (/usr/share/sandbox/ntpd.sb) if any changes are made to the ntp
# configuration (/etc/ntp.conf).
#sb=/usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb

exec $sb /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

Jan 22, 2015 12:11 AM in response to Anwar Shiekh

Hmm, ok. The additions I see in my 10.6 ntpd-wrapper to call sntp must have first started appearing in 10.6, and they appear in all following systems. However, I think those changes wouldn't hurt if they ran in a 10.5 environment (but don't hold me to that, see below). So for 10.5 at least I guess you could ignore ntpd-wrapper, but my comments about ntp-restrict.conf are still valid (unless that too is radically different on 10.5 from what's on 10.6 and beyond).


If I had 10.5 I think it would be an interesting experiment to try to use an appropriately updated ntpd-wrapper just to see what happens. I think any one of the ntpd-wrappers you can grab from the Apple Mountain Lion, Yosemite, or Mavericks ntp updaters is good enough for such an experiment. I certainly would like to know, in order to possibly make some tweaks to my build/package installer creation script.

Jan 23, 2015 3:43 AM in response to Anwar Shiekh

Thanks for posting that ntpd-wrapper above (can I assume it's in /usr/libexec just like 10.6?). I've decided to tweak my build script to not touch that file if building/installing/backing up/restoring into a 10.5 system.


For the sake of completeness, however, and just to be sure there aren't any more 10.5-specific surprises, can you please post your /private/etc/ntp-restrict.conf?


Thanks in advance.

Jan 23, 2015 5:16 AM in response to xyzzy-xyzzy

Yes, everything is in the same place; and here is /private/etc/ntp-restrict.conf from 10.5.8:

# Access restrictions documented in ntp.conf(5) and
# http://support.ntp.org/bin/view/Support/AccessRestrictions
# Limit network machines to time queries only

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# localhost is unrestricted
restrict 127.0.0.1
restrict -6 ::1

includefile /private/etc/ntp.conf

Jan 23, 2015 11:48 AM in response to baltwo

Good point, and I might just do that; I think I have a spare firewire drive that could stand in.


It is great how there is a PPC Bash installer for that bug, and hopefully soon also one for NTP for us still on PPC Macs. It would need universal binaries, and I can compile the PPC binaries for anyone that might need them; I think the 4.2.8 NTP code is up to beta 5 of patch 1 at the moment, and this compiles without trouble on a PPC Mac running 10.5.

Jan 23, 2015 1:44 PM in response to Anwar Shiekh

Anwar Shiekh wrote:


My problem is that the G5 PPC Mac is my main machine at home, so I can't afford to experiment on it; as a result I cannot be of much help. Hopefully you have access to a machine running 10.5.


Nope. I don't. I was hoping that maybe when I do my final tests on my script you could test it for me on 10.5.


I'm using 10.6.7 on a 2010 Mac Pro, so I have multiple internal drives available. Since my boot drive is separate from my home directory drive, I can simply switch boot to another copy of my boot drive for testing without fear of any annoying disasters.


It is great how there is a PPC Bash installer for that bug, and hopefully soon also one for NTP for us still on PPC Macs. It would need universal binaries, and I can compile the PPC binaries for anyone that might need them; I think the 4.2.8 NTP code is up to beta 5 of patch 1 at the moment, and this compiles without trouble on a PPC Mac running 10.5.


FWIW, here are my initial summary comments from my script's "man page" (just part of the comments in the script) describing what it does (or tries to do, until I complete my testing): [I had a little problem formatting this for this post -- there's a horizontal scroll bar at the end of the post -- weird]


#  build-ntp is a bash shell script to build a version of ntp from the www.ntp.org archives (http://archive.ntp.org/ntp4/ntp-4.2/).
#  The specified ntp version (e.g., "ntp-4.2.8", "ntp-4.2.8p1-beta2", etc.) in the archives is downloaded and built. The choices
#  of what to do with the download include building (--build), installing a build on the host system (--install), building an
#  OS X installer package of the built ntp or a backup of ntp (--[build-]pkg), backing up (--backup) the current host ntp files,
#  or restoring (installing) a backup into the host machine (--restore).
#
#  Builds are permitted for the ppc, i386, and x86_64 architectures.  One or more may be specified to build single or universal
#  ("fat") binaries.  The default is to build for the host machine.


Although I test on a totally expendable copy of my boot drive, I sort of got a little "carried away" adding features like backup/restore. That would let me flip various versions of ntp in and out for experimentation without having to fully dup the experimental boot drive again (at least that's the plan; I haven't rebooted to test this stuff out at the time I am writing this, not really in any hurry, have other things to do). I also had in the back of my mind your situation, where you would have to take extra steps to create an experimental boot drive, so you could simply restore from a backup of the original ntp files if you weren't happy with an update (although I assume you should always have full separate backups).


Since I had to tweak it for 10.5 (i.e., not clobber the 10.5 ntpd-wrapper), I was hoping you might test on your machine when I complete this script. Now that you've posted your 10.5 version of ntp-restrict.conf (thanks for doing that), I see there are no surprises with that, so I think my 10.5 tweaks are complete.


---


Note: building, package creation, and creating backups are all tested. I just haven't rebooted to test restoring or using the installer packages yet.
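The backup/restore part of the script described in this post, written out as an added example that is not the poster's build-ntp script: it backs up the ntp files listed earlier in the thread into a directory tree and restores them, with a "keep-apple" mode that leaves the three Apple-specific files (ntpd-wrapper, org.ntp.ntpd.plist, ntp-restrict.conf) untouched, which is the 10.5 tweak the post settles on. Paths are relative to a root directory so the same functions run against a constructed scratch tree; the file contents and directory names under $WORK are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's build-ntp script: back up the ntp files the
# thread lists and restore them, optionally leaving Apple's own files alone.

# The files found on a fresh 10.5 install, plus ntp-restrict.conf.
NTP_FILES="usr/bin/ntp-keygen usr/bin/ntpq usr/bin/sntp
usr/sbin/ntpd usr/sbin/ntpdate usr/sbin/ntpdc usr/sbin/ntptrace
usr/libexec/ntpd-wrapper
System/Library/LaunchDaemons/org.ntp.ntpd.plist
private/etc/ntp-restrict.conf"

# The three the thread says a standard ntp build knows nothing about.
APPLE_FILES="usr/libexec/ntpd-wrapper
System/Library/LaunchDaemons/org.ntp.ntpd.plist
private/etc/ntp-restrict.conf"

is_apple_file() {
    for a in $APPLE_FILES; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Copy every ntp file present under root $1 into $2 (same relative paths),
# skipping files that are absent; print how many were copied.
backup_ntp() {
    root=$1; dest=$2; n=0
    for f in $NTP_FILES; do
        [ -f "$root/$f" ] || continue
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$root/$f" "$dest/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Copy the files in backup $1 back under root $2. With mode "keep-apple"
# (the 10.5 case) the Apple-specific files are skipped; print the count.
restore_ntp() {
    src=$1; root=$2; mode=${3:-all}; n=0
    for f in $NTP_FILES; do
        [ -f "$src/$f" ] || continue
        if [ "$mode" = keep-apple ] && is_apple_file "$f"; then
            continue
        fi
        mkdir -p "$root/$(dirname "$f")"
        cp -p "$src/$f" "$root/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed scratch tree standing in for a 10.5 system (placeholder contents).
WORK=${TMPDIR:-/tmp}/ntp-backup-example.$$
trap 'rm -rf "$WORK"' EXIT
for f in $NTP_FILES; do
    mkdir -p "$WORK/orig/$(dirname "$f")"
    echo "original $f" >"$WORK/orig/$f"
done

# Stand-alone run: back up, then restore into an empty root keeping Apple files out.
backup_ntp "$WORK/orig" "$WORK/backup"
restore_ntp "$WORK/backup" "$WORK/restored" keep-apple
```

Against a live system the root would be `/`, and the restore counts give a quick sanity check: all ten files restored in the default mode, seven in "keep-apple" mode.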
