From caed968f500a7dc15eff5f439ae43524d6b50f19 Mon Sep 17 00:00:00 2001
From: Charlie Fenton <charlief@example.com>
Date: Thu, 17 Jan 2008 10:11:30 +0000
Subject: [PATCH] Mac Sandbox: make user boinc_master part of group
 boinc_project.

svn path=/trunk/boinc/; revision=14584
---
 checkin_notes                   | 11 +++++++++++
 client/check_security.C         | 15 ++++++++++++---
 clientgui/mac/SetupSecurity.cpp |  6 ++++++
 doc/sandbox.php                 |  2 +-
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/checkin_notes b/checkin_notes
index d4faf39205..91d0789c3b 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -645,3 +645,14 @@ Rom    Jan 16 2008
     clientgui/
         AdvancedFrame.cpp
         sg_BoincSimpleGUI.cpp
+
+Charlie Jan 17 2008
+    Mac Sandbox: make user boinc_master part of group boinc_project.
+        
+    client/
+        check_security.C
+    clientgui/
+        mac/
+            SetupSecurity.cpp
+    doc/
+        sandbox.php
diff --git a/client/check_security.C b/client/check_security.C
index 7e1707a91d..01550152d0 100644
--- a/client/check_security.C
+++ b/client/check_security.C
@@ -81,11 +81,9 @@ int use_sandbox, int isManager
     ProcessSerialNumber ourPSN;
     ProcessInfoRec      pInfo;
     FSRef               ourFSRef;
-    char                *p;
 #endif
-#ifdef _MAC_INSTALLER
+    int                 i;
     char                *p;
-#endif
 
     useFakeProjectUserAndGroup = ! use_sandbox;
 #ifdef _DEBUG
@@ -203,6 +201,17 @@ int use_sandbox, int isManager
         if (grp == NULL)
             return -1011;                // Group boinc_project does not exist
         boinc_project_gid = grp->gr_gid;
+
+        i = 0;
+        while ((p = grp->gr_mem[i]) != NULL) {  // Step through all users in group admin
+            if (strcmp(p, boinc_master_user_name) == 0) {
+                // User boinc_master is a member of group boinc_project
+                break;
+            }
+            ++i;
+        }
+        if (p == NULL)
+            return -1012;       // user boinc_master is not a member of group boinc_project
     }
 
 #if (defined(__WXMAC__) || defined(_MAC_INSTALLER)) // If Mac BOINC Manager or installer
diff --git a/clientgui/mac/SetupSecurity.cpp b/clientgui/mac/SetupSecurity.cpp
index ce5656b3b9..22bb368ccb 100644
--- a/clientgui/mac/SetupSecurity.cpp
+++ b/clientgui/mac/SetupSecurity.cpp
@@ -92,6 +92,12 @@ int CreateBOINCUsersAndGroups() {
     err = CreateUserAndGroup(REAL_BOINC_PROJECT_NAME, REAL_BOINC_PROJECT_NAME);
     if (err != noErr)
         return err;
+        
+    // Add user boinc_master to group boinc_project
+    // "dscl . -merge /groups/boinc_project users user_name"
+    err = DoPrivilegedExec(dsclPath, ".", "-merge", "/groups/" REAL_BOINC_PROJECT_NAME, "users", REAL_BOINC_MASTER_NAME);
+    if (err)
+        return err;
     
     err = ResynchSystem();
     if (err != noErr)
diff --git a/doc/sandbox.php b/doc/sandbox.php
index 60be5ec95a..9864940836 100644
--- a/doc/sandbox.php
+++ b/doc/sandbox.php
@@ -82,7 +82,7 @@ These users and groups are created by the installation process.
 <li>User: <b>boinc_master</b>
 <ul>
 <li>Primary group: <b>boinc_master</b>
-<li>Supplementary groups: none
+<li>Supplementary groups: <b>boinc_project</b>
 </ul>
 <li>User: <b>boinc_project</b>
 <ul>