
Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-severe-ntp-security-flaw/


When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.


This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero.

Posted on Dec 23, 2014 4:34 PM

175 replies

Jan 26, 2015 8:43 PM in response to Anwar Shiekh

Anwar Shiekh wrote:


Things have moved to 4.2.8p1-RC1


---

(4.2.8p1-RC1) 2015/01/24 Released by Harlan Stenn <stenn@ntp.org>


* Start the RC for 4.2.8p1.

* [Bug 2187] Update version number generation scripts.

* [Bug 2617] Fix sntp Usage documentation section.

* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

* [Bug 2736] Show error message if we cannot open the config file.

* Copyright update.

* Fix the package name.


Hmm, they changed a little more than that. Specifically all the ntp html documentation went from being in /usr/share/doc/ntp4 to the more "standard" (well where Apple always had it) in /usr/share/doc/ntp. This impacts my script a little. 😠 It installs everything an ntp build creates including the documentation. I need to go back in to handle this change since it maintains a list of what goes where in order to properly handle installations (by the script and package installers). It does however produce a conflict which I need to think about.


Thinking out loud...


When I change the script to handle 4.2.8p1-RC1 and presumably what comes beyond will be the same since they are up to a "release candidate" that would mean anything prior to that would have a problem since the previous stuff uses doc/ntp4 and not doc/ntp for its docs. Or maybe I can have both variants coexist (use doc/ntp4 for all versions up to ntp-4.2.8p1-beta5). Obviously that's a little bit more work and frankly I am not sure it's worth it (other than the initial ever popular 4.2.8 stable release and the script's default couldn't be handled).


By the way, I did notice when I was coding this script, and had a bunch of comments about the fact that it was strange the ntp builds were placing their docs in docs/ntp4 and not docs/ntp (also the man pages in man8 and not man1). I did even consider just renaming docs/ntp4 to docs/ntp (and also the man pages). This is in a place where I do final cleanup of a build. So now that I am thinking of this that looks like a convenient place to handle this change and also let the older builds coexist. Specifically if I see a docs/ntp4 directory just rename it to docs/ntp. That's just a few lines of change. But I think I will still leave the man pages alone for the time being.


Stay tuned.

Jan 28, 2015 10:51 PM in response to Anwar Shiekh

[I've been off doing other things so the script "adjustments" got delayed a little.]

Anwar Shiekh wrote:


Personally I'd not worry overtly about documentation, but rather plugging this vulnerability in the simplest way possible. A separate installer for 10.5 might be best, without a script to compile the code (I can send you the files you need).


Sorry but I don't agree. When I download sources from places like sourceforge, ntp.org, and the like I prefer to build ALL that is built and if I agree with what the install phase creates (I always use configure --prefix to a private directory initially to check and verify what a build and subsequent install would actually install). I usually don't editorialize too much on what's created. In my opinion if it's worth doing, it is worth doing all of it.


In the case of ntp I think you do want the documentation particularly since sampling the ntpd.8 man page. It was dated "August 2, 2001". I think that's a bit old considering the current documentation for ntpd.8 is "January 24 2015". Not only that Apple apparently goofed on 10.6 installs because they installed a duplicate set of man pages in man1 which are even older ("2007-09-10"). I verified they are on my 10.6.4 installer dvd. That's not even the proper place to have man pages for this stuff. Man8 is.


At any rate I am not doing anything about the man1 mistake but I believe I solved all my problems with the documentation and other man pages. So I think I now have a version of my script ready for testing. It seems to work on my test boot (which I am using as I write this -- version ntp-4.2.8p1-RC1). It will be interesting to see how it behaves on 10.5, particularly the handling of ntpd-wrapper.


I posted the script on Zippyshare (a media sharing/file locker site, reasonably fast, no captchas). Here's the link:


http://www63.zippyshare.com/v/FyFb7h1i/file.html


It's a zip file which you need to expand. I made sure that it downloads ok and it appears to keep its permissions across the upload/download. But in case it doesn't for you, change the file to be executable.


Read the man page at the front of the file (hey, maybe you can proof it for me😉), give it a try, and let me know how it goes.


Thanks in advance.
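
The staging check described in the reply above (install to a private --prefix first, review what the install would write, and rename doc/ntp4 to doc/ntp during final cleanup), as an added shell example that is not the poster's script. The function names and the sample directory tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a private --prefix install tree before anything
# touches the live system. All paths below are constructed sample data.

# Rename share/doc/ntp4 to share/doc/ntp so old and new builds share one
# layout. Returns 2 (and changes nothing) if both directories exist.
normalize_docs() {
    old="$1/share/doc/ntp4"; new="$1/share/doc/ntp"
    [ -d "$old" ] || return 0
    if [ -e "$new" ]; then
        echo "conflict: $old and $new both exist" >&2
        return 2
    fi
    mv "$old" "$new"
}

# Sorted list of every file and symlink under the staged prefix,
# relative to that prefix.
stage_manifest() {
    (cd "$1" && find . \( -type f -o -type l \) | sed 's|^\./||' | sort)
}

# Staged paths that already exist under the live root ($2), i.e. the
# files a real install would replace.
would_overwrite() {
    stage_manifest "$1" | while IFS= read -r rel; do
        if [ -e "$2/$rel" ]; then printf '%s\n' "$rel"; fi
    done
}

# Constructed demo: a fake staged build and a fake live root. The stale
# man1 page in the root is not in the staged tree, so it is not listed.
demo_setup() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/stage/sbin" "$DEMO/stage/share/doc/ntp4" \
             "$DEMO/stage/share/man/man8" \
             "$DEMO/root/sbin" "$DEMO/root/share/man/man1"
    : > "$DEMO/stage/sbin/ntpd"
    : > "$DEMO/stage/share/doc/ntp4/index.html"
    : > "$DEMO/stage/share/man/man8/ntpd.8"
    : > "$DEMO/root/sbin/ntpd"
    : > "$DEMO/root/share/man/man1/ntpd.1"
}

demo_setup
normalize_docs "$DEMO/stage" && stage_manifest "$DEMO/stage"
echo "--- would replace in live root:"
would_overwrite "$DEMO/stage" "$DEMO/root"
```
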
