mirror of https://github.com/BOINC/boinc.git
57 lines
2.0 KiB
HTML
<h3>Notes on server security</h3>
<p>
BOINC scheduling servers, data servers, and web servers
must be reachable over HTTP (port 80)
and are therefore potential targets for network attacks.
BOINC software could itself contain vulnerabilities to such attacks,
so the notes below record how each server component
bounds the input it reads and what it does with the file system.
<h3>Scheduling server</h3>
<p>
All network input to the scheduling server is read by calls of the form
<pre>fgets(buf, 256, stdin);</pre>
where buf is a 256-byte buffer.
fgets() stores at most 255 bytes plus a terminating NUL,
so these calls cannot overrun the buffer;
a longer line is simply delivered in several pieces.
In some cases data is copied out of the buffer to a second buffer;
this is done using functions
(<code>parse_str()</code>, <code>parse_attr()</code> and <code>strncpy()</code>)
that take a buffer-length argument,
so again there can be no buffer overruns,
provided the length passed is the size of the destination.
Note that <code>strncpy()</code> does not NUL-terminate the destination
when the source is at least as long as the given length,
so the terminator must be written explicitly after the copy.
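<p>
The following is an added example, not code from the BOINC sources: it shows the bounded-read pattern described above in working C. Input is read with <code>fgets(buf, 256, in)</code> into a fixed buffer, a tag value is copied out with a <code>parse_str()</code>-style helper that takes the destination length and writes the NUL terminator itself, and the reader counts pieces of an over-long line that <code>fgets()</code> split at the bound. The helper name <code>parse_tag_str()</code>, the <code>struct request</code>, the tag names and the request text are all constructed for this example; <code>tmpfile()</code> stands in for the socket on stdin.

```c
/* Added example, not BOINC's own code: the bounded input pattern the notes
 * describe -- fgets(buf, 256, in) into a fixed buffer, then a
 * parse_str()-style copy of a tag's value with an explicit length bound.
 * The helper names, tag names and request text are constructed here. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define REQ_BUF_LEN 256

/* Stand-in for a parse_str()-style helper (this example's name and signature,
 * not BOINC's). If `line` contains <tag>value</tag>, copy the value into dst,
 * at most dstlen-1 bytes, always NUL-terminated, and return true.
 * strncpy() alone does not guarantee the terminator, so it is written by hand. */
bool parse_tag_str(const char *line, const char *tag, char *dst, size_t dstlen) {
    char open[64], close[64];
    if (dstlen == 0) return false;
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open) return false;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close) return false;
    const char *start = strstr(line, open);
    if (!start) return false;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return false;
    size_t n = (size_t)(end - start);
    if (n >= dstlen) n = dstlen - 1;   /* truncate: an over-long value never overruns dst */
    strncpy(dst, start, n);
    dst[n] = '\0';
    return true;
}

struct request {
    char hostid[32];   /* value of <hostid>, empty if absent */
    int lines;         /* fgets() calls that returned data */
    int overlong;      /* pieces with no trailing newline: a line over 255 bytes was split */
};

/* Read a request from `in` as the notes describe: fgets() with the buffer
 * size as the bound, so no call can write past buf[REQ_BUF_LEN-1]. */
struct request read_request(FILE *in) {
    struct request r = { "", 0, 0 };
    char buf[REQ_BUF_LEN];
    while (fgets(buf, REQ_BUF_LEN, in) != NULL) {
        r.lines++;
        size_t len = strlen(buf);
        if (len > 0 && buf[len - 1] == '\n') {
            buf[len - 1] = '\0';
        } else if (!feof(in)) {
            r.overlong++;   /* fgets() stopped at the bound; the rest of the line is still in the stream */
        }
        parse_tag_str(buf, "hostid", r.hostid, sizeof r.hostid);
    }
    return r;
}

/* Run the reader over a constructed request (not a captured BOINC message)
 * whose <authenticator> line is over 300 bytes, longer than the buffer. */
struct request demo(void) {
    struct request empty = { "", 0, 0 };
    char text[600];
    size_t n = 0;
    n += (size_t)snprintf(text + n, sizeof text - n,
                          "<scheduler_request>\n<hostid>12345</hostid>\n<authenticator>");
    memset(text + n, 'A', 300);
    n += 300;
    n += (size_t)snprintf(text + n, sizeof text - n,
                          "</authenticator>\n</scheduler_request>\n");
    FILE *in = tmpfile();                /* standard C stand-in for the socket on stdin */
    if (in == NULL) return empty;
    fwrite(text, 1, n, in);
    rewind(in);
    struct request r = read_request(in);
    fclose(in);
    return r;
}

int main(void) {
    struct request r = demo();
    printf("lines=%d overlong_pieces=%d hostid=%s\n", r.lines, r.overlong, r.hostid);
    return 0;
}
```

The 332-byte <code>&lt;authenticator&gt;</code> line arrives as two pieces (255 bytes, then the remainder), so a real parser has to either reassemble pieces or treat an unterminated piece as an over-long line and reject the request; what it must not do is assume one <code>fgets()</code> call equals one line.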
<p>
The scheduling server doesn't run any secondary programs.
<p>
The scheduling server creates disk files in which it stores
request and reply messages.
These files have names of the form
<code>PATH/sched_req_PID</code>
where PATH is a compiled-in directory name (e.g. /tmp)
and PID is the server process ID.
The server creates no executable files
and no files in other directories.
Note that a predictable name in a shared directory such as /tmp
is only safe if the file is created with O_CREAT|O_EXCL (or an equivalent create-only open),
so that a link planted in advance under that name cannot redirect the write.
<h3>File upload handler</h3>
<p>
The file upload handler parses its input
in the same way as the scheduling server,
except for file data.
This data is read using fread() in fixed-size increments
into a buffer of that size.
So there are no buffer overruns.
<p>
The file upload handler reads and writes
files with names of the form BOINC_UPLOAD_DIR/filename,
where BOINC_UPLOAD_DIR is a compiled constant
for the directory where data files are stored.
"filename" is checked for ".." and such requests are ignored.
Hence files outside the directory cannot be read or written.
<p>
The only place where files are created (in copy_socket_to_file())
is a call <code>fopen(path, "wb");</code>.
This creates a regular file whose mode is determined by the process umask,
so no executable files or links are created.
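<p>
The following is an added example, not code from the BOINC file upload handler: it builds the BOINC_UPLOAD_DIR/filename path the way the notes describe, rejecting any name containing "..", and then opens the result with <code>fopen(path, "wb")</code>. The directory name <code>UPLOAD_DIR</code> and the function names are this example's stand-ins, and the additional rejection of '/' and control characters is a tightening added here, not something the notes attribute to BOINC. The path is built with a bounded <code>snprintf()</code> and refused if it would be truncated, since a silently shortened path names the wrong file.

```c
/* Added example, not BOINC's own code: constructing an upload path as the
 * notes describe (BOINC_UPLOAD_DIR/filename with ".." rejected) and opening
 * it with fopen(path, "wb"). UPLOAD_DIR, the function names and the extra
 * rejection of '/' and control characters are this example's assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define UPLOAD_DIR "/var/boinc/upload"   /* stand-in for the compiled-in BOINC_UPLOAD_DIR */

/* Fill `out` with dir/filename and return 0, or return -1 if the name is
 * rejected or the result would not fit in `outlen` bytes. */
int build_upload_path(const char *dir, const char *filename, char *out, size_t outlen) {
    if (filename == NULL || filename[0] == '\0') return -1;
    if (strstr(filename, "..") != NULL) return -1;      /* the check described in the notes */
    for (const char *p = filename; *p; p++) {
        /* Added tightening: a flat upload directory needs no subdirectories,
         * and control characters have no place in a file name. */
        if (*p == '/' || iscntrl((unsigned char)*p)) return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", dir, filename);
    if (n < 0 || (size_t)n >= outlen) return -1;        /* truncated: refuse rather than use a wrong name */
    return 0;
}

/* Open the upload file for writing. "wb" creates a regular file with the
 * process umask applied, never an executable or a link. Returns NULL if the
 * name is rejected or the open fails. */
FILE *open_upload(const char *filename) {
    char path[1024];
    if (build_upload_path(UPLOAD_DIR, filename, path, sizeof path) != 0) return NULL;
    return fopen(path, "wb");
}

int main(void) {
    char path[256];
    /* Constructed sample names, not captured upload requests. */
    const char *names[] = { "wu_1234_0", "../../etc/passwd", "sub/wu_1" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_upload_path(UPLOAD_DIR, names[i], path, sizeof path) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

Because the name is always appended to the directory, even a request for "/etc/passwd" would resolve under UPLOAD_DIR; the ".." check is what keeps the path from climbing back out of it.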
<h3>PHP files</h3>
<p>
The PHP files in the participant and administrative
web directories (html_user and html_ops)
make no calls that access local files or run programs.