Bug#407678: boinc-client: /etc/boinc-client files should be 640 root:boinc (passwd leakage)

Steffen Moeller moeller at inb.uni-luebeck.de
Sat Jan 20 16:26:56 CET 2007


Hi Thibaut,

you made a good point from how I see it. I could imagine a group of users that 
is assigned to the boinc group for editing the files. Should the permission 
then not rather be 660?

Many greetings

Steffen (who has collected 490 credits since you pointed him to boincsimap)

On Saturday 20 January 2007 13:28, Thibaut VARENE wrote:
> Package: boinc-client
> Version: 5.4.11-4
> Severity: normal
>
> boinc-client default install sets the following modes on
> /etc/boinc-client/gui_rpc_auth.cfg:
> -rw-r--r-- 1 boinc boinc   8 Jan 14 01:01 gui_rpc_auth.cfg
>
> By default it doesn't contain any password, but if an admin adds one
> without checking the permissions, this password will be available to any
> user on the system (allowing them to control the boinc daemon, and
> potentially detach/attach projects, etc).
>
> Also, given the owner of this file is user 'boinc', the boinc daemon
> itself could overwrite the contents of this file. An attacker finding a
> programming flaw in the software could take advantage of this as well.
>
> This also applies to a lesser extent to the other files in the
> /etc/boinc-client directory.
>
> Thus, it seems to me that the files in the /etc/boinc-client directory
> should be 640 root:boinc instead of 644 boinc:boinc
>
> HTH
>
> T-Bone
>
> -- System Information:
> Debian Release: 4.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: powerpc (ppc)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.19-ck2
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages boinc-client depends on:
> ii  adduser  3.101                           Add and remove users and groups
> ii  debconf  1.5.11                          Debian configuration management sy
> ii  libc6    2.3.6.ds1-8                     GNU C Library: Shared libraries
> ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
> ii  libcurl3 7.15.5-1                        Multi-protocol file transfer libra
> ii  libgcc1  1:4.1.1-19                      GCC support library
> ii  libidn11 0.6.5-1                         GNU libidn library, implementation
> ii  libkrb53 1.4.4-6                         MIT Kerberos runtime libraries
> ii  libssl0. 0.9.8c-4                        SSL shared libraries
> ii  libstdc+ 4.1.1-19                        The GNU Standard C++ Library v3
> ii  lsb-base 3.1-22                          Linux Standard Base 3.1 init scrip
> ii  python   2.4.4-2                         An interactive high-level object-o
> ii  zlib1g   1:1.2.3-13                      compression library - runtime
>
> boinc-client recommends no packages.
>
> -- debconf information excluded

-- 

Dr. Steffen Möller
University of Lübeck
Institute of Neuro- and Bioinformatics
Ratzeburger Allee 160
23538 Lübeck
Germany
T: +49 451 500 5504
F: +49 451 500 5502
moeller at inb.uni-luebeck.de
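The two conditions raised in the report (no permission bits for "other" on a file that may hold the GUI RPC password, and an owner other than the daemon user so the daemon cannot rewrite its own authentication file) can be turned into a small audit and fix script. The following is an added example for this thread, not code from the bug report or from the boinc-client package; it assumes GNU coreutils `stat` (the `-c` format option), runs on a constructed file with a placeholder password in a temporary directory, and covers both the 640 root:boinc proposal and the 660 variant for a group of editing users.

```shell
#!/bin/sh
# Added example, not code from the bug report or the boinc-client package.
# Audits a config file that may hold a secret (such as gui_rpc_auth.cfg) for
# the two problems the report raises:
#   1. any permission bit for "other" -> every local user can read the password
#   2. ownership by the daemon user   -> the daemon (or a bug in it) can rewrite it
# Assumes GNU coreutils `stat` (the -c format option is GNU-specific).

# secret_file_ok FILE DAEMON_USER
# Returns 0 if FILE is safe on both counts, 1 if not, 2 if FILE is missing.
secret_file_ok() {
    file=$1
    daemon=$2
    [ -e "$file" ] || { echo "missing: $file" >&2; return 2; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    # The last octal digit is the "other" class; anything but 0 leaks.
    other=${mode#"${mode%?}"}
    if [ "$other" != 0 ]; then
        echo "$file: mode $mode grants access to all users" >&2
        return 1
    fi
    if [ "$owner" = "$daemon" ]; then
        echo "$file: owned by daemon user '$daemon', so the daemon can rewrite it" >&2
        return 1
    fi
    return 0
}

# harden_secret_file FILE GROUP [MODE]
# Applies the ownership and mode proposed in the thread: root:GROUP with
# 640 (default) or 660 when a group of users must edit the file.
# chown needs root; it is skipped when the caller is unprivileged so the
# example also runs as a normal user.
harden_secret_file() {
    file=$1
    group=$2
    mode=${3:-640}
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$file" || return 1
    fi
    chmod "$mode" "$file"
}

# Demonstration on a constructed file in a temporary directory; the password
# is a placeholder, not a real credential.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/gui_rpc_auth.cfg"
printf 'placeholder-password\n' > "$demo_file"
chmod 644 "$demo_file"                 # the default the report complains about
secret_file_ok "$demo_file" boinc && echo "unexpected: 644 passed the check"
harden_secret_file "$demo_file" "$(id -gn)" 640
secret_file_ok "$demo_file" boinc && echo "after hardening: $demo_file is ok"
rm -rf "$demo_dir"
```

Run as root against the real directory (for example `for f in /etc/boinc-client/*; do secret_file_ok "$f" boinc || harden_secret_file "$f" boinc; done`), the script reports each file that is world-readable or daemon-owned and applies the proposed ownership and mode; run unprivileged, it only adjusts the mode and reports the rest.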