Bug#514303: boinc-client: by default BOINC binds to all network adaptors

Sheridan Hutchinson sheridan at shezza.org
Fri Feb 6 02:48:23 UTC 2009


Package: boinc-client
Version: 6.2.14-3
Severity: normal

Rather disturbingly, BOINC binds to all network adaptors rather than just localhost, despite the 
allow_remote_gui_rpc setting not being set.

As an end-user, I would have expected just for it to bind to the localhost for availability for the boinc-manager.

While there is not an explicit security issue here, because no hosts/IPs are listed in the remote authorisation 
file, there is an implicit one and that is if there is ever a buffer overflow against boinc then it's possible that 
is going to be exploited by other people.

Netstat output:
tcp        0      0 0.0.0.0:31416           0.0.0.0:*               LISTEN      20006/boinc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3126/cupsd

You can see where cupsd for example has bound locally and boinc has bound globally.

If I can be of any further assistance then please don't hesitate to let me know.

-- Package-specific info:
-- Contents of /etc/default/boinc-client:
# This file is /etc/default/boinc-client, it is a configuration file for the
# /etc/init.d/boinc-client init script.

# Set this to 1 to enable and to 0 to disable the init script.
ENABLED="1"

# Set this to 1 to enable advanced scheduling of the BOINC core client and
# all its sub-processes (reduces the impact of BOINC on the system's
# performance).
SCHEDULE="1"

# The BOINC core client will be started with the permissions of this user.
BOINC_USER="boinc"

# This is the data directory of the BOINC core client.
BOINC_DIR="/var/lib/boinc-client"

# This is the location of the BOINC core client, that the init script uses.
# If you do not want to use the client program provided by the boinc-client
# package, you can specify here an alternative client program.
#BOINC_CLIENT="/usr/local/bin/boinc"
BOINC_CLIENT="/usr/bin/boinc"

# Here you can specify additional options to pass to the BOINC core client.
# Type 'boinc --help' or 'man boinc' for a full summary of allowed options.
#BOINC_OPTS="--allow_remote_gui_rpc"
BOINC_OPTS=""

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages boinc-client depends on:
ii  adduser                3.110             add and remove users and groups
ii  ca-certificates        20080809          Common CA certificates
ii  debconf [debconf-2.0]  1.5.24            Debian configuration management sy
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libcurl3               7.18.2-8          Multi-protocol file transfer libra
ii  libssl0.9.8            0.9.8g-15         SSL shared libraries
ii  libstdc++6             4.3.2-1.1         The GNU Standard C++ Library v3
ii  lsb-base               3.2-20            Linux Standard Base 3.2 init scrip
ii  python                 2.5.2-3           An interactive high-level object-o
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

boinc-client recommends no packages.

Versions of packages boinc-client suggests:
pn  boinc-app-seti                <none>     (no description available)
ii  boinc-manager                 6.2.14-3   GUI to control and monitor the BOI
pn  schedtool                     <none>     (no description available)

-- debconf information excluded
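An added audit check, not part of the bug report or of the boinc-client package, that parses `netstat -tlnp`-style output and flags listeners bound to a wildcard address (the condition the report describes); the sample input is constructed from the two netstat lines quoted above.

```python
from typing import List, Tuple

# Constructed sample: the two netstat lines quoted in the bug report.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:31416           0.0.0.0:*               LISTEN      20006/boinc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3126/cupsd
"""

# Local addresses that mean "every interface" (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, port, pid/program) for each LISTEN line.

    Expects the `netstat -tlnp` column layout:
    proto recv-q send-q local-address foreign-address state pid/program
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue  # header, UDP, or non-listening sockets
        proto, local, program = fields[0], fields[3], fields[6]
        # rpartition keeps IPv6 addresses such as ":::22" or "::1:631" intact.
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port), program))
    return listeners


def wildcard_listeners(netstat_output: str) -> List[Tuple[str, str, int, str]]:
    """Listeners reachable from every interface, i.e. not bound to loopback."""
    return [entry for entry in parse_listeners(netstat_output)
            if entry[1] in WILDCARD_ADDRS]


if __name__ == "__main__":
    for proto, addr, port, prog in wildcard_listeners(NETSTAT_SAMPLE):
        print(f"{prog} listens on all interfaces ({proto} {addr}:{port})")
```

Running it against the sample reports only the boinc socket; cupsd, bound to 127.0.0.1, is not flagged.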
