Code, Computers & Random Junk

Upgrading NTP on OS X

Apple released an extra security update for the NTP bug. Unfortunately, not for OS X 10.6 and 10.7, since they are not supported anymore. Understandable, though I think that just this kind of extra (critical) security update should include these 2, since there are still quite a lot of people using them. Some need 10.6 for Rosetta, and another reason might be hardware limits.

Anyway, there are a few ways you can upgrade NTP: manually, or by using a package manager like MacPorts or Homebrew.

I chose to upgrade manually. Here are my notes…


Go to NTP > Download and download:


There is a patch we need to apply, or make will throw an error. It’s from MacPorts. You’ll find it here:

In ntp-4.2.8/ntpd/ntp_io.c, around lines 3453-3473, there are 4 lines to edit. The final result looks like this:

    if (AF_INET6 == itf->family) {
        DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",

    if (   AF_INET6 == itf->family
        && IN6_IS_ADDR_LOOPBACK(&(rb->recv_srcadr.sa6.sin6_addr))
        && !IN6_IS_ADDR_LOOPBACK(&(itf->sin.sa6.sin6_addr))
       ) {
        DPRINTF(1, ("DROPPING that packet\n"));
        return buflen;
    DPRINTF(1, ("processing that packet\n"));


To install it, run:

./configure --prefix=/usr/local --enable-ipv6


sudo make install

That will configure and install everything in: /usr/local/{sbin,bin,etc...}.

Since one still can hope for Apple to make a release for 10.6/7 it’s a good place to put it and we don’t overwrite the original files.

Post-fixes and settings

Ok, no OS X files were overwritten, and a few of them we can use as before. But there are a couple of files that need to be edited.

First, backup these 2 files:

sudo cp /etc/ntp-restrict.conf{,.orig}
sudo cp /usr/libexec/ntpd-wrapper{,.orig}

In the file: /etc/ntp-restrict.conf

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Add limited to each line, or there will be an error message saying that KOD needs limited:

restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery

Read more about the config options for that.

In the file: /usr/libexec/ntpd-wrapper

The line with PATH:


Add the /usr/local...:


Last line:

exec /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ -f /var/db/ntp.drift

Change the path to ntpd:

exec /usr/local/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ -f /var/db/ntp.drift

More on PATH

In your ~/.bashrc or ~/.bash_profile, make sure /usr/local/{sbin,bin} is in your PATH.

export PATH="/usr/local/sbin:/usr/local/bin:$PATH"


The LaunchDaemon is the same as before. No need to change anything in there.


To restart ntpd:

sudo launchctl unload -w /System/Library/LaunchDaemons/org.ntp.ntpd.plist
sudo launchctl load -w /System/Library/LaunchDaemons/org.ntp.ntpd.plist

Check for errors

Even if everything works, check Console for errors and messages to find out if there's anything odd or wrong.

I get one message.

ntpd: mlockall(): Function not implemented
ntpd[60]: mlockall(): Function not implemented

I’m still trying to read more about it. When I look at the code there are checkpoints for that - if mlockall is installed or not, and what code to use instead. So, I assume this is just a message (confirming) that it’s not.

The message only appears once, when ntpd is starting.

Fix the old files.

Just to make sure that the old files can’t be run, I’ve backed up all original files and removed the permission to execute.

The “run down”:

# Enter /usr/sbin
cd /usr/sbin

# List the files
ls -Ahl | grep ntp

sudo cp ntpd{,.orig}
sudo cp ntpdate{,.orig}
sudo cp ntpdc{,.orig}
sudo cp ntptrace{,.orig}

# All copied?
ls -Ahl | grep ntp

# Symlinks and permissions

sudo ln -sf /usr/local/sbin/ntpd .
sudo chmod -x ntpd.orig

sudo ln -sf /usr/local/sbin/ntpdate .
sudo chmod -x ntpdate.orig

sudo ln -sf /usr/local/sbin/ntpdc .
sudo chmod -x ntpdc.orig

sudo ln -sf /usr/local/sbin/ntptrace .
sudo chmod -x ntptrace.orig

# Switch to /usr/bin
cd ../bin

# List the files
ls -Ahl | grep ntp

sudo cp ntp-keygen{,.orig}
sudo cp ntpq{,.orig}
sudo cp sntp{,.orig}

# All copied?
ls -Ahl | grep ntp

# Symlinks and permissions

sudo ln -sf /usr/local/sbin/ntp-keygen .
sudo chmod -x ntp-keygen.orig

sudo ln -sf /usr/local/sbin/ntpq .
sudo chmod -x ntpq.orig

sudo ln -sf /usr/local/sbin/sntp .
sudo chmod -x sntp.orig

That way we keep the original files, in case we need to revert, and they can’t be run. In their place there are symlinks to our new install, even if the PATH is correct in the files, just in case someone tries to run a command with the full path: /usr/sbin/ntpd.
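A way to audit the result of the run-down above, as an added example that is not part of the original post: it checks that each of the seven system paths is now a symlink into /usr/local whose target exists and is executable, and that each .orig backup exists and has lost its execute bit. The function name check_ntp_swap and its optional root-directory argument (for dry-running against a test tree) are assumptions made for this example.

```bash
# Added example: audit the backup/symlink swap.
# check_ntp_swap [ROOT]
#   ROOT is a hypothetical prefix for testing; leave it empty for the live system.
#   Prints one line per problem and returns 0 only if nothing is wrong.
check_ntp_swap() {
    local root="${1:-}" rc=0 entry link target
    for entry in sbin/ntpd sbin/ntpdate sbin/ntpdc sbin/ntptrace \
                 bin/ntp-keygen bin/ntpq bin/sntp; do
        link="$root/usr/$entry"
        if [ ! -L "$link" ]; then
            # Still the original binary (or missing): the swap did not happen.
            echo "NOT-SYMLINK $link"; rc=1
        else
            target=$(readlink "$link")
            case "$target" in
                /usr/local/*)
                    # A symlink to a file that was never installed there
                    # (e.g. bin vs. sbin mix-up) silently breaks the command.
                    if [ ! -x "$root$target" ]; then
                        echo "DANGLING $link -> $target"; rc=1
                    fi ;;
                *)
                    echo "UNEXPECTED-TARGET $link -> $target"; rc=1 ;;
            esac
        fi
        # The old binary must be kept for rollback, but must not be runnable.
        if [ ! -f "$link.orig" ]; then
            echo "NO-BACKUP $link.orig"; rc=1
        elif [ -x "$link.orig" ]; then
            echo "BACKUP-EXECUTABLE $link.orig"; rc=1
        fi
    done
    return $rc
}
```

Run it as check_ntp_swap with no argument after the last chmod; any DANGLING line means a symlink points at a directory the new build did not install that program into.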

Comments and suggestions on improvements are appreciated.