From a05c03f10127d6911507f89744766264fe3af152 Mon Sep 17 00:00:00 2001
From: Charlie Fenton <charlief@example.com>
Date: Wed, 3 Oct 2007 07:00:34 +0000
Subject: [PATCH] Mac SCR: Create a new tiny utility gfx_switcher for use by
 screensaver to safely launch and kill gfx apps with user, group boinc_project

svn path=/trunk/boinc/; revision=13759
---
 checkin_notes                | 4 +++-
 mac_build/Mac_SA_Insecure.sh | 8 ++++----
 mac_build/Mac_SA_Secure.sh   | 8 ++++----
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/checkin_notes b/checkin_notes
index 6535855be9..a3e747afd1 100755
--- a/checkin_notes
+++ b/checkin_notes
@@ -9059,7 +9059,7 @@ David  2 Oct 2007
         client_state.C
         switcher.C
 
-Charlie 1 Oct 2007
+Charlie 2 Oct 2007
     - Mac SCR: Create a new tiny utility gfx_switcher and put it inside 
         screensaver's bundle instead of a copy of switcher.  It sets real 
         user ID, saved set_user-ID, real group ID and saved set_group-ID 
@@ -9081,3 +9081,5 @@ Charlie 1 Oct 2007
     mac_build/
         boinc.xcodeproj/
             project.pbxproj
+        Mac_SA_Insecure.sh
+        Mac_SA_Secure.sh
diff --git a/mac_build/Mac_SA_Insecure.sh b/mac_build/Mac_SA_Insecure.sh
index adb7838b5d..9d47c7078e 100755
--- a/mac_build/Mac_SA_Insecure.sh
+++ b/mac_build/Mac_SA_Insecure.sh
@@ -43,7 +43,7 @@
 # the --insecure option.
 # NOTE: running BOINC with security disabled is not recommended.
 #
-# Last updated 9/19/07
+# Last updated 10/2/07
 
 function remove_boinc_users() {
     name=$(dscl . search /users RecordName boinc_master | cut -f1 -s)
@@ -120,9 +120,9 @@ if [ -x /Applications/BOINCManager.app/Contents/Resources/boinc ] ; then
 fi
 
 # Version 6 screensaver has its own embedded switcher application, but older versions don't.
-if [ -x "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/switcher" ] ; then 
-    chown ${user}:${group} "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/switcher"
-    chmod -R u+r-ws,g+r-ws,o+r-ws "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/switcher"
+if [ -x "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher" ] ; then 
+    chown ${user}:${group} "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher"
+    chmod -R u+r-ws,g+r-ws,o+r-ws "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher"
 fi
 
 remove_boinc_users
diff --git a/mac_build/Mac_SA_Secure.sh b/mac_build/Mac_SA_Secure.sh
index 60fc7a5e86..3fbbe44dbb 100755
--- a/mac_build/Mac_SA_Secure.sh
+++ b/mac_build/Mac_SA_Secure.sh
@@ -64,7 +64,7 @@
 # sudo dscl . -delete /groups/boinc_master users mary
 # 
 
-# Last updated 10/2/07 for BOINC version 5.10.21
+# Last updated 10/2/07 for BOINC version 5.10.21 and later
 # WARNING: do not use this script with older versions of BOINC
 
 function make_boinc_user() {
@@ -231,9 +231,9 @@ fi
 # Version 6 screensaver has its own embedded switcher application, but older versions don't.
 # We don't allow unauthorized users to run the switcher application in the BOINC Data directory 
 # because they could use it to run as user & group boinc_project and damage project files.
-# The screensaver's switcher application runs as user and group "nobody" to avoid this risk.
-if [ -x "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/switcher" ] ; then 
-    set_perm "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/switcher" nobody nobody 6555
+# The screensaver's switcher application has very limited functionality to avoid this risk.
+if [ -x "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher" ] ; then 
+    set_perm "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher" root boinc_master 4551
 fi