Bug#407678: boinc-client: /etc/boinc-client files should be 640 root:boinc (passwd leakage)

Thibaut VARENE varenet at debian.org
Sat Jan 20 13:28:42 CET 2007


Package: boinc-client
Version: 5.4.11-4
Severity: normal

boinc-client default install sets the following modes on
/etc/boinc-client/gui_rpc_auth.cfg:
-rw-r--r-- 1 boinc boinc   8 Jan 14 01:01 gui_rpc_auth.cfg

By default it doesn't contain any password, but if an admin adds one
without checking the permissions, this password will be available to any
user on the system (allowing them to control the boinc daemon, and
potentially detach/attach projects, etc).

Also, given the owner of this file is user 'boinc', the boinc daemon
itself could overwrite the contents of this file. An attacker finding a
programming flaw in the software could take advantage of this as well.

This also applies to a lesser extent to the other files in the
/etc/boinc-client directory.

Thus, it seems to me that the files in the /etc/boinc-client directory
should be 640 root:boinc instead of 644 boinc:boinc

HTH

T-Bone

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-ck2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages boinc-client depends on:
ii  adduser  3.101                           Add and remove users and groups
ii  debconf  1.5.11                          Debian configuration management sy
ii  libc6    2.3.6.ds1-8                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libcurl3 7.15.5-1                        Multi-protocol file transfer libra
ii  libgcc1  1:4.1.1-19                      GCC support library
ii  libidn11 0.6.5-1                         GNU libidn library, implementation
ii  libkrb53 1.4.4-6                         MIT Kerberos runtime libraries
ii  libssl0. 0.9.8c-4                        SSL shared libraries
ii  libstdc+ 4.1.1-19                        The GNU Standard C++ Library v3
ii  lsb-base 3.1-22                          Linux Standard Base 3.1 init scrip
ii  python   2.4.4-2                         An interactive high-level object-o
ii  zlib1g   1:1.2.3-13                      compression library - runtime

boinc-client recommends no packages.

-- debconf information excluded
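As an added example (not part of the bug report or of the boinc-client package), a POSIX sh audit for the invariant the report asks for: every file under the config directory owned by root, group-readable by the daemon's group only, and not readable by others. It assumes GNU coreutils `stat -c`, as on the Linux host in the report.

```sh
#!/bin/sh
# Audit a BOINC-style config directory for the weakness described above:
# files must not be world-readable, must not be group-writable, and must
# be owned by root (not the daemon user) with the daemon's group.

# audit_cfg_dir DIR OWNER GROUP
# Prints one line per offending file ("path mode owner:group").
# Returns 1 if anything is wrong, 0 if the directory is clean.
audit_cfg_dir() {
    dir=$1; want_owner=$2; want_group=$3
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat (assumption: Linux host); %a is octal mode without leading 0
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1; owner=$2; group=$3
        others=$(( mode % 10 ))          # last octal digit: "other" bits
        grp=$(( (mode / 10) % 10 ))      # middle octal digit: "group" bits
        if [ "$others" -ne 0 ] || [ $(( grp & 2 )) -ne 0 ] ||
           [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
            echo "$f $mode $owner:$group"
            rc=1
        fi
    done
    return $rc
}

# fix_cfg_dir DIR OWNER GROUP
# Apply the remediation proposed in the report: OWNER:GROUP and mode 0640.
fix_cfg_dir() {
    chown "$2:$3" "$1"/* && chmod 0640 "$1"/*
}

# Stand-alone use with the paths and names from the report (requires root):
#   sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_cfg_dir /etc/boinc-client root boinc ||
        fix_cfg_dir /etc/boinc-client root boinc
fi
```

On the report's default install, `audit_cfg_dir /etc/boinc-client root boinc` flags `gui_rpc_auth.cfg` twice over: mode 644 is world-readable, and the owner is `boinc` rather than `root`.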
