From 76178d3b037aa626cad8fdf7fa21f435e38c101c Mon Sep 17 00:00:00 2001
From: Charlie Fenton
Date: Fri, 21 Mar 2008 11:55:12 +0000
Subject: [PATCH] Mac: More sandbox security changes for symlinks: lchown is not available under OS 10.3.9
svn path=/trunk/boinc/; revision=14955
---
 checkin_notes | 16 +++++++++++++++-
 client/check_security.C | 2 +-
 client/setprojectgrp.C | 24 +++++++++++++++++++-----
 clientgui/mac/SetupSecurity.cpp | 4 ++--
 4 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/checkin_notes b/checkin_notes
index 5545615001..0e020aa48d 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -2590,9 +2590,23 @@ Charlie Mar 20 2008
 mac/
 SetupSecurity.cpp
-Charlie Mar 20 2008
+Charlie Mar 21 2008
 - Mac: Another sandbox security update for symlinks: setprojectgrp calls lchown() instead of chown().
 client/
 setprojectgrp.C
+
+Charlie Mar 21 2008
+ - Mac: More sandbox security changes for symlinks: lchown is not available
+ under OS 10.3.9, so don't use it. The system ignores ownership and
+ permissions of symbolic links, so setprojectgrp does nothing if it is
+ called for a symbolic link.
+ Also make additional changes to check_security and SetupSecurity.
+
+ client/
+ check_security.C
+ setprojectgrp.C
+ clientgui/
+ mac/
+ SetupSecurity.cpp
diff --git a/client/check_security.C b/client/check_security.C
index 628b698384..eb509c202e 100644
--- a/client/check_security.C
+++ b/client/check_security.C
@@ -497,7 +497,7 @@ static int CheckNestedDirectories(char * basepath, int depth, int use_sandbox) {
 isDirectory = S_ISDIR(sbuf.st_mode);
- if (!S_ISLNK(sbuf.st_mode)) {
+ if (!S_ISLNK(sbuf.st_mode)) { // The system ignores ownership & permissions of symbolic links
 if (depth > 1) {
 // files and subdirectories created by projects may have owner boinc_master or boinc_project
 if ( (sbuf.st_uid != boinc_master_uid) && (sbuf.st_uid != boinc_project_uid) ) {
diff --git a/client/setprojectgrp.C b/client/setprojectgrp.C
index 0f0f4e6d3f..6c8e521c24 100644
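Review bot: The added comment explains why the link inode itself is skipped but not that the link's target is left unexamined by this branch, so as far as this hunk shows a symlink under a project or slot directory that points outside the BOINC data tree passes CheckNestedDirectories with no ownership or permission check. Suggest the fuller comment `// The system ignores ownership & permissions of symbolic links; the link target is not validated here` so a later reader does not take the skip as complete coverage. The new branch also presumes `sbuf` was filled by lstat(); if it came from stat(), S_ISLNK() is never set and the branch is dead, and since that call is outside the hunk it is worth confirming. CheckNestedDirectories begins and ends outside the hunk.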
--- a/client/setprojectgrp.C
+++ b/client/setprojectgrp.C
@@ -29,10 +29,12 @@
 #include
 #include
 #include
+#include
 int main(int argc, char** argv) {
 gid_t project_gid;
- int retval;
+ int retval = 0;
+ struct stat sbuf;
 project_gid = getegid();
@@ -41,9 +43,21 @@ int main(int argc, char** argv) {
 fflush(stderr);
 #endif
- retval = lchown(argv[1], (uid_t)-1, project_gid);
- if (retval)
- fprintf(stderr, "lchown(%s, -1, %d) failed: errno=%d\n", argv[1], project_gid, errno);
-
+ // chown() doesn't change ownershp of symbolic links; it follows the link and
+ // changes the file is not available in OS 10.3.9.
+ //
+ // But we don't really need to worry about this, because the system ignores
+ // ownership & permissions of symbolic links anyway.
+ //
+ // Also, the target of a symbolic link may not be present if the slot containing
+ // the link is no longer in use.
+ //
+ if (lstat(argv[1], &sbuf) == 0) {
+ if (!S_ISLNK(sbuf.st_mode)) {
+ retval = chown(argv[1], (uid_t)-1, project_gid);
+ if (retval)
+ fprintf(stderr, "chown(%s, -1, %d) failed: errno=%d\n", argv[1], project_gid, errno);
+ }
+ }
 return retval;
 }
diff --git a/clientgui/mac/SetupSecurity.cpp b/clientgui/mac/SetupSecurity.cpp
index cf5983178d..303e9ea28e 100644
--- a/clientgui/mac/SetupSecurity.cpp
+++ b/clientgui/mac/SetupSecurity.cpp
@@ -346,7 +346,7 @@ int SetBOINCDataOwnersGroupsAndPermissions() {
 // Set owner and group of projects directory's contents
 sprintf(buf1, "%s:%s", boinc_master_user_name, boinc_project_group_name);
 // chown -R boinc_master:boinc_project "/Library/Application Support/BOINC Data/projects"
- err = DoPrivilegedExec(chownPath, "-R", buf1, fullpath, NULL, NULL);
+ err = DoPrivilegedExec(chownPath, "-Rh", buf1, fullpath, NULL, NULL);
 if (err) return err;
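Review bot: There is a check-then-use window between the lstat() and the chown() in the second hunk: chown() follows symbolic links, so if `argv[1]` is swapped for a link after lstat() succeeds, the group of whatever that link points at is changed instead, which is exactly the case this commit is trying to close, and this helper appears to run with elevated group privilege. The race-free form is to open the path with `O_NOFOLLOW` and call `fchown()` on the descriptor; if the caller's permissions make that impractical, the residual window should at least be stated in the comment rather than implied away. Separately, the comment's second line is garbled (`// changes the file is not available in OS 10.3.9.` merges two sentences; presumably `// changes the file it points to. lchown() is not available in OS 10.3.9.` was intended, and `ownershp` is a typo). A failed lstat() now returns 0 with no message where the old code reported every failure; consider `else fprintf(stderr, "lstat(%s) failed: errno=%d\n", argv[1], errno);` so a missing or unreadable path is still visible in the log.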
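Review bot: The command-line comment directly above the changed call still reads `// chown -R boinc_master:boinc_project "/Library/Application Support/BOINC Data/projects"` and now disagrees with the `-Rh` actually passed; update it to `// chown -Rh ...` and record why the flag matters, e.g. `// -h: change the link itself, never the file it points to`, so the symlink protection is not lost in a later cleanup. The same comment mismatch is in the slots hunk at @@ -391. The pre-existing `sprintf(buf1, ...)` into a fixed buffer is context rather than part of this change, but a bounded `snprintf` would be the safer form when the function is next touched. SetBOINCDataOwnersGroupsAndPermissions begins and ends outside both hunks.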
@@ -391,7 +391,7 @@ int SetBOINCDataOwnersGroupsAndPermissions() {
 // Set owner and group of slots directory's contents
 sprintf(buf1, "%s:%s", boinc_master_user_name, boinc_project_group_name);
 // chown -R boinc_master:boinc_project "/Library/Application Support/BOINC Data/slots"
- err = DoPrivilegedExec(chownPath, "-R", buf1, fullpath, NULL, NULL);
+ err = DoPrivilegedExec(chownPath, "-Rh", buf1, fullpath, NULL, NULL);
 if (err) return err;