Bug#407678: boinc-client: /etc/boinc-client files should be 640 root:boinc (passwd leakage)

Thibaut VARENE varenet at debian.org
Mon Jan 29 19:20:02 CET 2007


On 1/29/07, Frank S. Thomas <frank at thomas-alfeld.de> wrote:
> Hi,
>
> On Tuesday 23 January 2007, Thibaut VARENE wrote:
> > On 1/23/07, Steffen Moeller <moeller at inb.uni-luebeck.de> wrote:
>
> > > I did not like so much that you did your own customised boinc-clients
> > > rather than spending your energy on this Alioth project's code base.
> > > Wouldn't you
> >
> > I don't think my changes are of any interest to anyone else. What my
> > bastardized package does is installing boinc-client with customized
> > configuration files so that it automagically connects to my BAM
> > account through http proxy and fetches its preference there. It's
> > intended for mass deployment over a specific network of machines,
> > certainly not something of use to anyone else :)
>
> What does it take to mass deploy BOINC clients which use the same account? We
> could maybe add instructions for this to boinc-client's README.Debian and/or
> tweak the package to make this procedure easier.

In order to mass-deploy boinc-client that would auto attach to a Boinc
Account Manager (namely bam.boincstats.com) I had to edit 3 files, 1
in /etc/boinc-client that would definitely have to be 640 as it
contains passwd data, and 2 in /var/lib/boinc-client. I did some ugly
hacks to postinst in order to achieve that. I'll try to prepare a
quick cookbook so that you can see how it works soon.

> > > like to join in as a developer? This smallish patch could be your first
> > > action.
> >
> > If you need more hands I could probably give you some help, though my
> > free time is gonna drop anytime soon (I'm in the process of finding a
> > job, in an area that has nothing to do with IT/Computer Science and
> > that is very time consuming) :)
>
> Help is really much appreciated! I'm currently in a situation where I can't
> invest as much time as I'd like in maintaining the BOINC packages. And that
> is also the reason why I didn't answer most of your recent emails for which
> I'm sorry, especially if this let you feel like an annoying punk. :-)

No problem. The other bugreport I'd be really happy to see getting
some coverage is the one fixing CPU info for a couple machines
(#406853 - actually I could also check how it works on sparc, don't
remember if that platform was already handled)

> BTW: I'm ok with changing the permission of gui_rpc_auth.cfg but I'm not so
> sure about the other files. IIRC there were plans to let the BOINC Manager
> (or other BOINC monitoring/controlling tools) edit the contents of these
> files and I want to ensure that this is possible for users without too much
> hassle. Maybe 640 root:boinc for the gui_rpc_auth.cfg file and 660
> boinc:boinc for the other files would be a good choice.

Actually I'd advocate to 640 all *.cfg files, so that's
gui_rpc_auth.cfg and remote_host.cfg (you don't want to hint nasty
users as to which machines can actually get control, do you?)

HTH

-- 
Thibaut VARENE
http://www.parisc-linux.org/~varenet/
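
An added example, not part of the original message or of the boinc-client package: a POSIX shell check that flags *.cfg files in a BOINC configuration directory whose mode or ownership differs from the 640 root:boinc proposed in this thread. The function name `audit_cfg` and its argument order are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: GNU stat, and the
# defaults below, which are the values proposed in this message.

# audit_cfg DIR [MODE] [OWNER:GROUP]
# Prints one line per finding; returns 1 if anything was flagged.
# Pass "" as OWNER:GROUP to skip the ownership check.
audit_cfg() {
    dir=$1
    want_mode=${2:-640}
    want_owner=${3-root:boinc}
    rc=0
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue                 # unmatched glob or non-file
        mode=$(stat -L -c '%a' "$f")            # octal mode, e.g. 644
        owner=$(stat -L -c '%U:%G' "$f")        # e.g. root:boinc
        if [ $((mode % 10)) -ne 0 ]; then
            # Any "other" permission bit exposes the file to every local user.
            printf '%s: mode %s is accessible to all users (want %s)\n' \
                "$f" "$mode" "$want_mode"
            rc=1
        elif [ "$mode" != "$want_mode" ]; then
            printf '%s: mode %s differs from %s\n' "$f" "$mode" "$want_mode"
            rc=1
        fi
        if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
            printf '%s: owner %s differs from %s\n' "$f" "$owner" "$want_owner"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_cfg /etc/boinc-client
```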


