WZZZ

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-severe-ntp-security-flaw/

 

When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.

 

This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero.

Posted on Dec 23, 2014 4:37 PM

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 11, 2015 8:26 PM in response to Anwar Shiekh
    Level 1 (10 points)

    My questions were not what 10.5 doesn't need.  If it's using the "standard"™, as we presently know it, configuration, then I am not suggesting any of the current ntp install be removed even if some files aren't needed.  I was asking whether files like org.ntp.ntpd.plist and ntpd-wrapper ever existed in 10.5.  Because if they didn't I would feel somewhat uneasy suggesting to someone installing this ntp stuff in such a system.  Based on you saying it works in 10.5 I was assuming those files did already previously exist, in which case, fine.  But in a 10.4 (got my version number right this time) I know they don't exist and thus 10.4 should not be a candidate for updating.  Even though you could update the code files there is no guarantee the command line options to these files are compatible with such a system (unless it can be proven otherwise).

     

    Personally I am not worried about any installers since I have my own ntp build script to handle any of the ntp source bases from ntp.org -- fat/universal or single arch, direct install and/or pkg install.  I just got too much free time (I'm retired) so I was simply screwing around and embellishing my script so if I ever made it public it would ensure to not allow installing into systems for which it didn't apply.  So that's simply where my original question came from, i.e., what versions of OS X should be permitted to allow an install.  Presently it looks to me like the test should be for 10.5 to 10.7.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 12, 2015 7:54 AM in response to xyzzy-xyzzy
    Level 1 (5 points)

    Why not use Apple's PackageMaker (part of Xcode) for the installer? There it is easy to put in install requirements.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 12, 2015 11:17 AM in response to Anwar Shiekh
    Level 1 (10 points)

    Which is essentially exactly what I do.   The additional test is for the InstallationCheck.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 21, 2015 4:40 PM in response to xyzzy-xyzzy
    Level 1 (5 points)

    Some news; I reinstalled 10.5 and found

      /usr/bin/ntp-keygen
      /usr/bin/ntpq
      /usr/bin/sntp
      /usr/sbin/ntpd
      /usr/sbin/ntpdate
      /usr/sbin/ntpdc
      /usr/sbin/ntptrace
      /usr/libexec/ntpd-wrapper
      /System/Library/LaunchDaemons/org.ntp.ntpd.plist

    were present; and from what I can see, the NTP make file produces all but the last 2, so I may modify my installer accordingly (i.e. to leave the last 2 files alone)

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 21, 2015 11:28 PM in response to Anwar Shiekh
    Level 1 (10 points)

    Anwar Shiekh wrote:

     

    Some news; I reinstalled 10.5 and found

      /usr/bin/ntp-keygen
      /usr/bin/ntpq
      /usr/bin/sntp
      /usr/sbin/ntpd
      /usr/sbin/ntpdate
      /usr/sbin/ntpdc
      /usr/sbin/ntptrace
      /usr/libexec/ntpd-wrapper
      /System/Library/LaunchDaemons/org.ntp.ntpd.plist

    were present; and from what I can see, the NTP make file produces all but the last 2, so I may modify my installer accordingly (i.e. to leave the last 2 files alone)

     

    First: org.ntp.ntpd.plist, ntpd-wrapper, and one you don't mention on your list, i.e., ntp-restrict.conf are Apple-specific.  A "standard" ntp build knows nothing about these three files.  But we need them for ntp to work in 10.5 to 10.7.

    Second, org.ntp.ntpd.plist is the launch daemon and nothing needs changing nor reinstalling.  Its sole goal in life is to launch ntpd-wrapper.  So it is correct to leave that file alone.  However,

    Third, if you had been following the discussions in this thread I pointed out that ntpd-wrapper does need to be changed, specifically its call to sntp.  Here are the two lines that need to be changed as previously discussed.

    for server in $(awk '/^server/ {print $NF}' /etc/ntp.conf); do

       if sntp -K /dev/null -s ${server} &> ${LOG}; then

    If you don't do this the sntp call that exists in the original ntpd-wrapper will fail (look at the system.log) when it tries to do its sntp call since it uses an option (-v) no longer valid with the new ntp build of sntp.

     

    Also discussed earlier (but I guess you could consider as optional since this is to address suppressing some system.log messages) is Apple's ntp-restrict.conf.  That is the conf file passed to ntpd in ntpd-wrapper.  I modified the following two lines:

    restrict default kod limited nomodify notrap nopeer noquery
    restrict -6 default kod limited nomodify notrap nopeer noquery

    This stops some warnings in the system log about not having limited with kod.

     

    Also added to ntp-restrict.conf is the line (and this was also previously discussed):

     

    rlimit memlock 0

     

    This stops ntpd from attempting to use mlockall() in its code which is not supported on our systems and thus results in yet another system.log message.  By stopping its use with the rlimit we stop the log message.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 21, 2015 11:41 PM in response to xyzzy-xyzzy
    Level 1 (5 points)

    On 10.5 ntpd-wrapper is just

     

    #!/bin/sh
    PATH=/usr/sbin:/usr/bin:/bin

    ipconfig waitall
    ntpdate -bvs

    # Un-comment the following line to run ntp with a sandbox profile.
    # Sandbox profiles restrict processes from performing unauthorized
    # operations; so it may be necessary to update the profile
    # (/usr/share/sandbox/ntpd.sb) if any changes are made to the ntp
    # configuration (/etc/ntp.conf).
    #sb=/usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb

    exec $sb /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 22, 2015 12:11 AM in response to Anwar Shiekh
    Level 1 (10 points)

    Hmm, ok.  The additions I see in my 10.6 ntpd-wrapper to call sntp must have first started appearing in 10.6 and they appear in all following systems.  However I think those changes wouldn't hurt if they ran in a 10.5 environment (but don't hold me to that, see below).  So for 10.5 at least I guess you could ignore ntpd-wrapper but my comments about ntp-restrict.conf are still valid (unless that too is radically different from 10.6 and beyond from what's on 10.5).

    If I had 10.5 I think it would be an interesting experiment to try to use an appropriately updated ntpd-wrapper just to see what happens.  I think any one of the ntpd-wrappers you can grab from the Apple Mountain Lion, Yosemite, or Mavericks ntp updaters is good enough for such an experiment.  I certainly would like to know in order to possibly make some tweaks to my build/package installer creation script.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 22, 2015 5:24 AM in response to xyzzy-xyzzy
    Level 1 (5 points)

    You are right, I am seeing the

     

    org.ntp.ntpd[63] restrict default: KOD does nothing without LIMITED.

    ntpd[63]: setsockopt IPV6_MULTICAST_IF 0 for fe80::214:51ff:feea:dcc7%7 fails: Can't assign requested address

     

    issues in 10.5, so that needs fixing

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 22, 2015 12:54 PM in response to xyzzy-xyzzy
    Level 1 (5 points)

    Now, I finally begin to appreciate why Apple themselves did not update to 4.2.8 for 10.8-10.10; for the moment I just revert to the original NTP on 10.5.8, which can be done by installing the combo update. Hopefully someone will figure this all out.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 23, 2015 3:43 AM in response to Anwar Shiekh
    Level 1 (10 points)

    Thanks for posting that ntpd-wrapper above (can I assume it's in /usr/libexec just like 10.6?).  I've decided to tweak my build script to not touch that file if building/installing/backing up/restoring into a 10.5 system.

     

    For the sake of completeness, however, and just to be sure there aren't any more 10.5-specific surprises, can you please post your /private/etc/ntp-restrict.conf?

     

    Thanks in advance.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 23, 2015 5:16 AM in response to xyzzy-xyzzy
    Level 1 (5 points)

    Yes, everything is in the same place; and here is /private/etc/ntp-restrict.conf from 10.5.8

    # Access restrictions documented in ntp.conf(5) and
    # http://support.ntp.org/bin/view/Support/AccessRestrictions
    # Limit network machines to time queries only

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

    # localhost is unrestricted
    restrict 127.0.0.1
    restrict -6 ::1

     

     

    includefile /private/etc/ntp.conf
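
An added example, not part of any post in this thread: a shell lint that checks an ntp-restrict.conf for the two settings xyzzy-xyzzy describes earlier (`limited` alongside `kod` on the default restrict lines, and `rlimit memlock 0`). The function names and messages are constructed for illustration; the stock sample reproduces the 10.5.8 lines posted above.

```shell
#!/bin/sh
# Added example: lint an ntp-restrict.conf for the settings discussed in this thread.
# REQUIRED is the flag set of the modified "restrict default" lines quoted earlier.
REQUIRED="kod limited nomodify notrap nopeer noquery"

# lint_restrict FILE: print one finding per line, return 1 if there are any.
# Only FILE itself is read; anything pulled in by "includefile" is not followed.
lint_restrict() {
    awk -v required="$REQUIRED" '
    BEGIN { n = split(required, req, " ") }
    { sub(/#.*/, "") }                          # strip comments
    $1 == "rlimit" && $2 == "memlock" && $3 == "0" { memlock = 1 }
    $1 == "restrict" {
        i = ($2 == "-6" || $2 == "-4") ? 3 : 2  # skip address-family switch
        if ($i != "default") next              # only the default ACL is checked
        split("", have)                         # portable way to clear an array
        for (j = i + 1; j <= NF; j++) have[$j] = 1
        for (k = 1; k <= n; k++)
            if (!(req[k] in have)) {
                printf "line %d: restrict default lacks %s\n", NR, req[k]
                bad++
            }
    }
    END {
        if (!memlock) { print "no rlimit memlock 0 line"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed samples: the 10.5.8 lines posted above, and the same file with
# the modifications from earlier in the thread applied.
stock_sample() {
    printf '%s\n' \
        '# Limit network machines to time queries only' \
        'restrict default kod nomodify notrap nopeer noquery' \
        'restrict -6 default kod nomodify notrap nopeer noquery' \
        'restrict 127.0.0.1' \
        'restrict -6 ::1' \
        'includefile /private/etc/ntp.conf'
}
modified_sample() {
    stock_sample | sed 's/default kod /default kod limited /'
    echo 'rlimit memlock 0'
}

tmp=$(mktemp)
stock_sample > "$tmp";    lint_restrict "$tmp" || echo "stock 10.5.8 file: findings above"
modified_sample > "$tmp"; lint_restrict "$tmp" && echo "modified file: clean"
rm -f "$tmp"
```

On a live system the same function can be pointed at `/private/etc/ntp-restrict.conf`; a flag that is misspelled or cut short on a default line shows up as the intended flag being absent.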

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 23, 2015 11:22 AM in response to Anwar Shiekh
    Level 1 (5 points)

    My problem is that the G5 PPC Mac is my main machine at home, so I can't afford to experiment on it; as a result I cannot be of much help. Hopefully you have access to a machine running 10.5

  • by baltwo,

    baltwo baltwo Jan 23, 2015 11:34 AM in response to Anwar Shiekh
    Level 9 (62,256 points)

    Clone your boot volume to an ext FWHD and experiment with that volume.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 23, 2015 11:48 AM in response to baltwo
    Level 1 (5 points)

    Good point, and I might just do that; I think I have a spare firewire drive that could stand in.

     

    It is great how there is a PPC Bash installer for that bug, and hopefully soon also one for NTP for us still on PPC Macs. It would need universal binaries and I can compile the PPC binaries for anyone that might need them; I think the 4.2.8 NTP code is up to beta 5 of patch 1 at the moment, and this compiles without trouble on a PPC Mac running 10.5

  • by baltwo,

    baltwo baltwo Jan 23, 2015 11:46 AM in response to Anwar Shiekh
    Level 9 (62,256 points)

    thumbsup.gif
