Bug#841665: boinc-client: The boinc-client init script has a badly constructed parameter for xhost

Preston Maness aspensmonster at riseup.net
Sat Oct 22 00:34:32 UTC 2016


Howdy,

So far as I know, the systemd init system uses the .service file, which
doesn't use the old boinc init script:

/etc/systemd/system/multi-user.target.wants/boinc-client.service

The current method for granting access to the Xserver for boinc is to
drop a file here:

/etc/X11/Xsession.d/36x11-common_xhost-boinc

which does follow the recommended xhost command format:

```
BOINC_USER=boinc

if type xhost >/dev/null 2>&1; then
  id -u $BOINC_USER >/dev/null 2>&1 && xhost +SI:localuser:$BOINC_USER || :
fi
```

That file is sourced and run whenever a display manager invokes an Xorg
session. On my machine with systemd, this is my xhost output:

```
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:boinc
SI:localuser:preston
$
```

I'm guessing that non-systemd users are probably still using the init
script though, so we should still address this in any case.

Cheers,

Preston Maness

On 10/21/2016 03:42 PM, Mike Brennan wrote:
> Package: boinc-client
> Version: 7.6.33+dfsg-1~bpo8+1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Dear Maintainers,
> 
> boinc-client shell script is used by init/systemd to start the boinc client daemon (typically running as user=boinc)
> 
> In order for boinc to access GPU hardware -  xhost is used to grant access to boinc.
> 
> At line 109-110
> -------------------------------------------------------------------------------------------
> # grant the boinc client to perform GPU computing
>        xhost local:boinc || echo -n "xhost error ignored, GPU computing may not be possible"
> --------------------------------------------------------------------------------------------
> 
> the correct syntax should be
>        xhost +si:localuser:boinc
> or more correctly for this script
>        xhost +si:localuser:$BOINC_USER
> 
> The impact of using this incorrect syntax - is not to error, but grant ALL local users access.  
> (This could be a very old or different maybe BSD syntax)
> 
> The intention of the script is to grant ONLY user=boinc access, instead all local users have access.
> 
> For example a little test.
> 
> agentb at dejon:/etc/init.d$ xhost
> access control enabled, only authorized clients can connect
> SI:localuser:agentb
> 
> agentb at dejon:/etc/init.d$ xhost local:random-string
> non-network local connections being added to access control list
> 
> agentb at dejon:/etc/init.d$ xhost
> access control enabled, only authorized clients can connect
> LOCAL:
> SI:localuser:boinc
> SI:localuser:agentb
> 
> Hope this is clear, and thank you for maintaining boinc!
> 
> Cheers
> Mike
> 
> 
> -- Package-specific info:
> -- Contents of /etc/default/boinc-client:
> # This file is /etc/default/boinc-client, it is a configuration file for the
> # /etc/init.d/boinc-client init script.
> 
> # Set this to 1 to enable and to 0 to disable the init script.
> ENABLED="1"
> 
> # Set this to 1 to enable advanced scheduling of the BOINC core client and
> # all its sub-processes (reduces the impact of BOINC on the system's
> # performance).
> SCHEDULE="1"
> 
> # The BOINC core client will be started with the permissions of this user.
> BOINC_USER="boinc"
> 
> # This is the data directory of the BOINC core client.
> BOINC_DIR="/var/lib/boinc-client"
> 
> # This is the location of the BOINC core client, that the init script uses.
> # If you do not want to use the client program provided by the boinc-client
> # package, you can specify here an alternative client program.
> #BOINC_CLIENT="/usr/local/bin/boinc"
> BOINC_CLIENT="/usr/bin/boinc"
> 
> # Here you can specify additional options to pass to the BOINC core client.
> # Type 'boinc --help' or 'man boinc' for a full summary of allowed options.
> #BOINC_OPTS="--allow_remote_gui_rpc"
> BOINC_OPTS=""
> 
> # Scheduling options
> 
> # Set SCHEDULE="0" if prefering to run with upstream default priority
> # settings.
> 
> # Nice levels. When systems are truly busy, e.g. because of too many active
> # scientific applications started by the boinc client, there is a chance for
> # the boinc client not to be granted sufficient opportunity to check for
> # scientific applications to be alive and make the (wrong) decision to
> # terminate the scientific app. This is particularly an issue with many
> # apps started in parallel on modern multi-core systems and extra overheads
> # for the download and uploads of files with the project servers. Another
> # concern is the latency for scientific applications to communicate with the
> # graphics card, which should be low. All such values should be set and
> # controled from within the BOINC client. The Debian init script also sets
> # extra constrains via chrt on real time performance and via ionice on 
> # I/O performance, which is beyond the regular BOINC client. It then was
> # too easy to use that code to also constrain minimal nice levels. We still
> # think about how to best distinguish GPU applications from regular apps.
> BOINC_NICE_CLIENT=10
> BOINC_NICE_APP_DEFAULT=19
> #BOINC_NICE_APP_GPU=5        # not yet used
> 
> # ionice classes. See manpage of ionice (1) in the util-linux package.
> BOINC_IONICE_CLIENT=3        # idle
> #BOINC_IONICE_APP_DEFAULT=3  # idle, not yet used
> #BOINC_IONICE_APP_GPU=2      # best effort, not yet used
> 
> 
> -- System Information:
> Debian Release: 8.6
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages boinc-client depends on:
> ii  adduser                3.113+nmu3
> ii  ca-certificates        20141019+deb8u1
> ii  debconf [debconf-2.0]  1.5.56
> ii  init-system-helpers    1.22
> ii  libboinc7              7.6.33+dfsg-1~bpo8+1
> ii  libc6                  2.19-18+deb8u6
> ii  libcurl3               7.38.0-4+deb8u4
> ii  libgcc1                1:4.9.2-10
> ii  libstdc++6             4.9.2-10
> ii  libx11-6               2:1.6.2-3
> ii  libxss1                1:1.2.2-1
> ii  python                 2.7.9-1
> ii  zlib1g                 1:1.2.8.dfsg-2+b1
> 
> boinc-client recommends no packages.
> 
> Versions of packages boinc-client suggests:
> pn  boinc-client-fglrx        <none>
> pn  boinc-client-nvidia-cuda  <none>
> pn  boinc-client-opencl       <none>
> ii  boinc-manager             7.6.33+dfsg-1~bpo8+1
> ii  x11-xserver-utils         7.7+3+b1
> 
> -- Configuration Files:
> /etc/boinc-client/cc_config.xml changed [not included]
> /etc/boinc-client/global_prefs_override.xml changed [not included]
> 
> -- debconf information excluded
> 
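
A check for the condition this report describes, as an added example (not part of the original thread or of the boinc-client package): it reads `xhost` output and flags anything broader than a per-user `SI:localuser:` grant for an expected account. The function name `audit_xhost` and the severity labels are assumptions; the two sample listings are the ones shown in the report above.

```shell
#!/bin/sh
# audit_xhost "<allowed users>" < xhost-output
# Prints one finding per line; returns 1 if anything was flagged, 0 otherwise.
audit_xhost() {
    allowed_users="$1"   # space-separated accounts expected to hold a grant
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"access control enabled"*) ;;
            "access control disabled"*)
                echo "CRITICAL: access control disabled, any client can connect"
                findings=1 ;;
            LOCAL:*)
                # What "xhost local:boinc" actually adds: all local users.
                echo "HIGH: LOCAL: grants access to every local user"
                findings=1 ;;
            SI:localuser:*)
                user=${line#SI:localuser:}
                case " $allowed_users " in
                    *" $user "*) ;;   # expected per-user grant
                    *) echo "REVIEW: unexpected user grant: $user"
                       findings=1 ;;
                esac ;;
            *)
                echo "REVIEW: unrecognised entry: $line"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Listings from the report: before and after running "xhost local:random-string".
SAMPLE_BEFORE='access control enabled, only authorized clients can connect
SI:localuser:agentb'
SAMPLE_AFTER='access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:boinc
SI:localuser:agentb'

# Demo on the embedded listing; on a live session use:
#   xhost | audit_xhost "boinc $USER"
printf '%s\n' "$SAMPLE_AFTER" | audit_xhost "boinc agentb" || true
```
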

