diff --git a/checkin_notes b/checkin_notes
index e0b13a30c6..6126500aaa 100755
--- a/checkin_notes
+++ b/checkin_notes
@@ -7185,3 +7185,15 @@ David 2 July 2006
 html/user/
 am_set_info.php
+
+Charlie 3 July 2006
+ - Mac: Mac sandbox: don't set S_ISUID bit for setprojectgrp helper
+ application.
+
+ client/
+ check_security.C
+ clientgui/
+ mac/
+ SetupSecurity.cpp
+ doc/
+ sandbox.php
diff --git a/client/check_security.C b/client/check_security.C
index 17f59f71fa..e5c98bf8e5 100644
--- a/client/check_security.C
+++ b/client/check_security.C
@@ -355,7 +355,7 @@ char *bundlePath, char *dataPath
 if (sbuf.st_uid != boinc_master_uid)
 return -1043;
- if ((sbuf.st_mode & 07777) != 06500)
+ if ((sbuf.st_mode & 07777) != 02500)
 return -1044;
 return 0;
diff --git a/clientgui/mac/SetupSecurity.cpp b/clientgui/mac/SetupSecurity.cpp
index 4bac236a8b..27033a141e 100644
--- a/clientgui/mac/SetupSecurity.cpp
+++ b/clientgui/mac/SetupSecurity.cpp
@@ -456,10 +456,10 @@ int SetBOINCDataOwnersGroupsAndPermissions() {
 return err;
 // Set permissions of setprojectgrp application
- // chmod u=rsx,g=rsx,o= "/Library/Applications/BOINC Data/switcher/setprojectgrp"
- // 06550 = S_ISUID | S_ISGID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP
- // setuid-on-execution, setgid-on-execution plus read and execute permission for user only
- err = DoPrivilegedExec(chmodPath, "u=rsx,g=s,o=", fullpath, NULL, NULL, NULL);
+ // chmod u=rx,g=rsx,o= "/Library/Applications/BOINC Data/switcher/setprojectgrp"
+ // 02500 = S_ISGID | S_IRUSR | S_IXUSR
+ // setgid-on-execution plus read and execute permission for user only
+ err = DoPrivilegedExec(chmodPath, "u=rx,g=s,o=", fullpath, NULL, NULL, NULL);
 if (err)
 return err;
 } // setprojectgrp application
diff --git a/doc/sandbox.php b/doc/sandbox.php
index b5a2905859..abc94663b7 100644
--- a/doc/sandbox.php
+++ b/doc/sandbox.php
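Review bot: The new expected mode `02500` in the client/check_security.C comparison sets S_ISGID without S_IXGRP, and nothing next to the test explains that this combination is intentional. On Linux, for example, set-group-ID is applied at exec only when the group-execute bit is also set, so the helper's group switch depends on the platform honouring setgid without it. The checkin note scopes the change to the Mac sandbox, where this may well behave as intended, but the file's path does not look Mac-specific. I would add `// 02500 = S_ISGID | S_IRUSR | S_IXUSR: setgid only, no group execute (relies on setgid-on-exec without S_IXGRP)` above the test, or spell the constant as `(S_ISGID | S_IRUSR | S_IXUSR)`. The enclosing function begins outside the hunk.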
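Review bot: In the clientgui/mac/SetupSecurity.cpp hunk the rewritten comment `// chmod u=rx,g=rsx,o=` does not match the argument actually passed, `"u=rx,g=s,o="`, nor the `02500` given on the next comment line. `g=rsx` would also grant group read and execute, which is 02550, and check_security.C in this same commit rejects anything other than 02500 with -1044. Someone repairing permissions by hand from the comment would end up with a helper that fails the security check and is executable by the whole boinc_project group. The comment should read `// chmod u=rx,g=s,o= "/Library/Applications/BOINC Data/switcher/setprojectgrp"`. SetBOINCDataOwnersGroupsAndPermissions starts and ends outside the hunk.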
@@ -26,7 +26,7 @@ function prot($user, $group, $perm) {
 }
 $pp0775 = prot('boinc_project', 'boinc_project', '0775');
-$mp6500 = prot('boinc_master', 'boinc_project', '0500+setuid+setgid');
+$mp2500 = prot('boinc_master', 'boinc_project', '0500+setgid');
 $pp6551 = prot('boinc_project', 'boinc_project', '0551+setuid+setgid');
 $mm0550 = prot('boinc_master', 'boinc_master', '0550');
 $mm0770 = prot('boinc_master', 'boinc_master', '0770');
@@ -110,7 +110,7 @@ echo
 )),
 show_dir(1, 'switcher (directory)', $mm0550, array(
 show_file('switcher (executable)', $pp6551),
-show_file('setprojectgrp (executable)', $mp6500)
+show_file('setprojectgrp (executable)', $mp2500)
 )),
 show_dir(1, 'locale', $mm0550, array(
 show_dir(2, 'de', $mm0550, array(