Bug#407678: boinc-client: /etc/boinc-client files should be 640 root:boinc (passwd leakage)
Thibaut VARENE
varenet at debian.org
Sat Jan 20 13:28:42 CET 2007
Package: boinc-client
Version: 5.4.11-4
Severity: normal
boinc-client default install sets the following modes on
/etc/boinc-client/gui_rpc_auth.cfg:
-rw-r--r-- 1 boinc boinc 8 Jan 14 01:01 gui_rpc_auth.cfg
By default it doesn't contain any password, but if an admin adds one
without checking the permissions, this password will be available to any
user on the system (allowing them to control the boinc daemon, and
potentially detach/attach projects, etc).
Also, given the owner of this file is user 'boinc', the boinc daemon
itself could overwrite the contents of this file. An attacker finding a
programming flaw in the software could take advantage of this as well.
This also applies to a lesser extent to the other files in the
/etc/boinc-client directory.
Thus, it seems to me that the files in the /etc/boinc-client directory
should be 640 root:boinc instead of 644 boinc:boinc
HTH
T-Bone
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-ck2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages boinc-client depends on:
ii adduser 3.101 Add and remove users and groups
ii debconf 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii libcurl3 7.15.5-1 Multi-protocol file transfer libra
ii libgcc1 1:4.1.1-19 GCC support library
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libkrb53 1.4.4-6 MIT Kerberos runtime libraries
ii libssl0. 0.9.8c-4 SSL shared libraries
ii libstdc+ 4.1.1-19 The GNU Standard C++ Library v3
ii lsb-base 3.1-22 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii zlib1g 1:1.2.3-13 compression library - runtime
boinc-client recommends no packages.
-- debconf information excluded
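The check the report is asking for, written out as an added example (this is not code from the bug report or from the boinc-client package): a POSIX shell audit of a configuration directory that flags regular files readable by "other" and files not owned by the expected uid:gid, plus a hardening function that applies mode 640 and, when run as root, the requested ownership. It assumes GNU coreutils `stat -c`; the directory and owner are parameters, and the demonstration uses a constructed temporary directory so it runs unprivileged. For the real case one would call `audit_dir /etc/boinc-client "$(id -u root):$(getent group boinc | cut -d: -f3)"`.

```shell
#!/bin/sh
# Added example, not part of the bug report or the boinc-client package.
# Owner is given numerically as UID:GID so the check does not depend on
# name resolution; resolve names with id(1) / getent(1) before calling.
# Assumes GNU coreutils stat(1) with -c.

# audit_dir DIR UID:GID
# Prints each regular file in DIR that is world-accessible (any "other"
# permission bit set) or not owned by UID:GID. Returns 0 when every file
# is as expected, 1 otherwise.
audit_dir() {
    dir=$1
    want=$2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # octal mode, e.g. 644
        owner=$(stat -c '%u:%g' "$f")      # numeric uid:gid
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            printf 'world-accessible: %s (mode %s)\n' "$f" "$mode"
            rc=1
        fi
        if [ "$owner" != "$want" ]; then
            printf 'unexpected owner: %s (%s, want %s)\n' "$f" "$owner" "$want"
            rc=1
        fi
    done
    return $rc
}

# harden_dir DIR UID:GID
# Sets each regular file in DIR to mode 640 (owner rw, group r, other none)
# and, only when running as root, chowns it to UID:GID.
harden_dir() {
    dir=$1
    want=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chmod 640 "$f"
        if [ "$(id -u)" -eq 0 ]; then
            chown "$want" "$f"
        fi
    done
    return 0
}

# Demonstration on a constructed temporary directory standing in for
# /etc/boinc-client, reproducing the 644 mode from the report.
demo() {
    tmp=$(mktemp -d)
    printf 'example-password\n' > "$tmp/gui_rpc_auth.cfg"   # constructed sample
    chmod 644 "$tmp/gui_rpc_auth.cfg"
    me=$(id -u):$(id -g)
    audit_dir "$tmp" "$me" || echo "audit failed, hardening"
    harden_dir "$tmp" "$me"
    audit_dir "$tmp" "$me" && echo "audit clean"
    rm -rf "$tmp"
}

demo
```

Note that mode 640 only helps if the directory itself is not world-writable and the secret is not also exposed elsewhere; the audit deliberately reports ownership as a separate finding, since the report's second concern (the daemon's own user being able to rewrite its configuration) is about the owner, not the mode bits.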