Bug#407678: boinc-client: /etc/boinc-client files should be 640 root:boinc (passwd leakage)

Thibaut VARENE varenet at debian.org
Sun Mar 4 04:26:11 CET 2007


On 1/29/07, Thibaut VARENE <varenet at debian.org> wrote:
> On 1/29/07, Frank S. Thomas <frank at thomas-alfeld.de> wrote:
> > Hi,
> >
> > On Tuesday 23 January 2007, Thibaut VARENE wrote:
> > > On 1/23/07, Steffen Moeller <moeller at inb.uni-luebeck.de> wrote:
> >
> > > > I did not like so much that you did your own customised boinc-clients
> > > > rather than spending your energy on this Alioth project's code base.
> > > > Wouldn't you
> > >
> > > I don't think my changes are of any interest to anyone else. What my
> > > bastardized package does is installing boinc-client with customized
> > > configuration files so that it automagically connects to my BAM
> > > account through http proxy and fetches its preference there. It's
> > > intended for mass deployment over a specific network of machines,
> > > certainly not something of use to anyone else :)
> >
> > What does it take to mass deploy BOINC clients which use the same account? We
> > could maybe add instructions for this to boinc-client's README.Debian and/or
> > tweak the package to make this procedure easier.
>
> In order to mass-deploy boinc-client that would auto attach to a Boinc
> Account Manager (namely bam.boincstats.com) I had to edit 3 files, 1
> in /etc/boinc-client that would definitely have to be 640 as it
> contains passwd data, and 2 in /var/lib/boinc-client. I did some ugly
> hacks to postinst in order to achieve that. I'll try to prepare a
> quick cookbook so that you can see how it works soon.

With a little delay, here's a hand-edited (some files contained
passwords and other personal strings; I edited those with identifiable
'XXX WHATEVER XXX' strings, but the general idea is preserved) diff
that should be pretty self-explanatory (I used 5.4.11-3~bpo.1 as base
package to diff against since I was targeting sarge machines).

The intent of this hack is to have a client that automagically
registers itself to BAM BoincStats using a network proxy.

This patch doesn't contain the acct_mgr_url.xml file which contains
credential information for the client to identify itself on the BAM.

Finally this patch has the '640 security enforcement' change I crafted.

Feel free to ask me for details ;)

HTH

T-Bone

-- 
Thibaut VARENE
http://www.parisc-linux.org/~varenet/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cookdiff.patch
Type: text/x-diff
Size: 4041 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-boinc-devel/attachments/20070304/e40cf83f/cookdiff.bin
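The attached cookdiff.patch is not reproduced on this page, so the following is an added example, not the patch's own postinst hack nor anything from the Debian boinc-client package. It shows the '640 security enforcement' idea from the thread as reusable shell: one function that lists config files whose mode is looser than 0640 (readable by others, or writable by group/others), one that reports pass/fail for a whole directory, and one that forces 0640 plus root:boinc ownership, the ownership step being skipped when not running as root so the check still works unprivileged. The directory, owner and group are parameters; the sample file name and contents in the demo are constructed stand-ins, not a real BOINC credential file. It assumes POSIX find/chmod/chown (the `-perm -NNN` form and `-exec ... +` are POSIX).

```shell
#!/bin/sh
# Added example (not from the thread or the boinc-client package): keep every
# file in a config directory at mode 0640, owner root, group boinc, so that the
# account-manager password inside it is not readable by every local user.
set -eu

# Print each regular file under $1 whose mode is looser than 0640:
# readable or writable by "other", or writable by group.
find_loose_files() {
    dir="$1"
    find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -020 \)
}

# Return 0 if nothing under $1 is looser than 0640, 1 otherwise.
check_config_dir() {
    [ -z "$(find_loose_files "$1")" ]
}

# Force 0640 on every file under $1. Ownership ($2:$3, default root:boinc)
# needs root, so it is applied only when the caller is root; a postinst
# always is, an unprivileged audit run is not.
enforce_config_dir() {
    dir="$1"; owner="${2:-root}"; group="${3:-boinc}"
    find "$dir" -type f -exec chmod 0640 {} +
    if [ "$(id -u)" -eq 0 ]; then
        find "$dir" -type f -exec chown "$owner:$group" {} +
    fi
}

# Self-contained demo on a temp directory with one constructed fake
# credential file (name and contents are made up for the example).
demo() {
    d=$(mktemp -d)
    printf '<acct_mgr_login>\n  <login>XXX LOGIN XXX</login>\n  <password_hash>XXX HASH XXX</password_hash>\n</acct_mgr_login>\n' \
        > "$d/acct_mgr_login.xml"
    chmod 0644 "$d/acct_mgr_login.xml"   # the world-readable default a naive install leaves
    echo "before enforcement, loose files: $(find_loose_files "$d")"
    # Use the current user/group here so the demo also runs unprivileged.
    enforce_config_dir "$d" "$(id -un)" "$(id -gn)"
    echo "after enforcement, loose files: $(find_loose_files "$d" | wc -l | tr -d ' ')"
    rm -rf "$d"
}
demo
```

In a real postinst you would call `enforce_config_dir /etc/boinc-client` (root:boinc by default) after the config files are written, and `check_config_dir /etc/boinc-client` is a cheap thing to run from a monitoring job to catch a later chmod by hand.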

