diff --git a/clientgui/mac/SetupSecurity.cpp b/clientgui/mac/SetupSecurity.cpp
index d11015f3cb..2e1085d306 100644
--- a/clientgui/mac/SetupSecurity.cpp
+++ b/clientgui/mac/SetupSecurity.cpp
@@ -243,7 +243,7 @@ int SetBOINCAppOwnersGroupsAndPermissions(char *path) {
// chmod u=rsx,g=rx,o=rx "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher"
// 04055 = S_ISUID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH
- // setuid-on-execution, setgid-on-execution plus read and execute permission for user, group & others
+ // setuid-on-execution plus read and execute permission for user, group & others
err = DoPrivilegedExec(chmodPath, "u=rsx,g=rx,o=rx", fullpath, NULL, NULL, NULL);
if (err)
return err;
diff --git a/doc/sandbox.php b/doc/sandbox.php
index c21eb02316..b2dbadfb43 100644
--- a/doc/sandbox.php
+++ b/doc/sandbox.php
@@ -27,7 +27,8 @@ function prot($user, $group, $perm) {
$pp06640775 = prot('boinc_project', 'boinc_project', '0664 or 0775');
$mp2500 = prot('boinc_master', 'boinc_project', '0500+setgid');
-$pp6551 = prot('boinc_project', 'boinc_project', '0551+setuid+setgid');
+$rm4050 = prot('root', 'boinc_master', '0050+setuid');
+$rm4055 = prot('root', 'boinc_master', '0055+setuid');
$mm0550 = prot('boinc_master', 'boinc_master', '0550');
$mm0440 = prot('boinc_master', 'boinc_master', '0440');
$mm0660 = prot('boinc_master', 'boinc_master', '0660');
@@ -112,7 +113,7 @@ echo
))
)),
show_dir(1, 'switcher (directory)', $mm0550, array(
- show_file('switcher (executable)', $pp6551),
+ show_file('switcher (executable)', $rm4050),
show_file('setprojectgrp (executable)', $mp2500)
)),
show_dir(1, 'locale', $mm0550, array(
@@ -134,7 +135,10 @@ echo "
";
echo
show_dir(0, 'BOINC executables', $ua0555, array(
show_file('BOINC Manager', $mm2555),
- show_file('BOINC Client', $mm6555)
+ show_file('BOINC Client', $mm6555),
+ show_dir(1, 'screensaver (directory)', $ua0555, array(
+ show_file('gfx_switcher (executable)', $rm4055)
+ )),
));
echo "
@@ -148,16 +152,70 @@ set project and slot files and directories to group boinc_project.
BOINC Client does not directly execute project applications.
It runs the helper application switcher,
passing the request in the argument list.
-switcher runs setuid boinc_project and setgid
-boinc_project,
+switcher runs setuid root and immediately changes its real and
+effective user ID and group ID to boinc_project,
so all project applications inherit user and group boinc_project.
This blocks project applications from accessing unauthorized files.
+In most cases, it is best to avoid running setuid root because
+it can present a security risk. In this case, however, this is necessary to
+reduce the risk because only the superuser can change the real
+user and group of a process. This prevents a malicious or malfunctioning
+application from reverting to the user and group who launched BOINC, since any
+process can change its user and group back to the real user and
+group IDs.
+BOINC's use of setuid root for the switcher application is
+safe because:
+
+- The switcher application is inside the switcher directory.
+This directory is accessible only by user and group boinc_master,
+so that project applications cannot modify the switcher
+application's permissions or code. This also prevents unauthorized users
+from using switcher to damage or manipulate project files.
+
- The switcher application is readable and executable only by
+group boinc_master; all other access is forbidden.
+
- When it is run, the switcher application immediately changes
+its real and effective user ID and group ID to boinc_project, disabling
+its superuser privileges.
+
BOINC Manager runs setgid to group boinc_master.
It can access all files in group boinc_master.
It runs as the user who launched it,
which is necessary for a number of GUI features to work correctly.
Although this means that BOINC Manager cannot modify files
created by project applications, there is no need for it to do so.
+Starting with BOINC version 6.0, project science applications use a
+separate companion application to display graphics. These graphics
+applications are launched by the BOINC Manager when the user clicks on
+the Show Graphics button. Running the graphics application
+with the BOINC Manager's user and group would be a security risk, so
+BOINC Manager uses the switcher application to launch them as
+user and group boinc_project.
+The screensaver also can run the graphics applications. The Macintosh
+screensaver is launched by the operating system, so it runs as the
+currently logged in user and group. Since running the science projects' graphics applications
+with this user and group would be a security risk, the screensaver has
+its own embedded helper application gfx_switcher which it uses to
+launch the graphics applications.
+Like the switcher application, gfx_switcher runs setuid
+root and immediately changes its real and effective user ID and
+group ID to boinc_project
+The BOINC screensaver's use of setuid root for the
+gfx_switcher application is safe because:
+
+- When it is run, the gfx_switcher application immediately changes
+its real and effective user ID and group ID to boinc_project, disabling
+its superuser privileges.
+
- The gfx_switcher application has very limited functionality. It
+accepts only two commands as its first argument:.
+
+- launch_gfx: the second argument is the slot number. It looks for
+a soft-link named graphics_app in the specified slot directory and launches
+the referenced graphics application.
+
- kill_gfx: the second argument is the process ID. It kills the
+application with the process ID; since it is running as user and group
+boinc_project, it can affect only processes belonging to that user.
+
+
BOINC Manager and BOINC Client set their umasks to 002,
which is inherited by all child applications.
The default permissions for all files and directories they create prevent
@@ -166,11 +224,6 @@ Because files are world-readable, BOINC Client can read files written by project
Third-party add-ons can also read BOINC data files.
Non-admin users cannot directly modify BOINC or project files.
They can modify these files only by running the BOINC Manager and Client.
-The switcher application is inside the switcher directory.
-This directory is accessible only by user and group boinc_master,
-so that project applications cannot modify the switcher
-application's permissions or code. This also prevents unauthorized users
-from using switcher to damage project files.
Users with admin access are members of groups boinc_master
and boinc_project so that they do have
direct access to all BOINC and project files
@@ -185,10 +238,10 @@ Attach to Project, Detach from Project, Reset Project, Abort Task,
Abort Transfer, Update Account Manager.
If an unauthorized user requests these functions,
the Manager requires password authentication.
-On Macintosh computers, the actual directory structure
-of the BOINC Manager application bundle is more complex
-than implied by the box BOINC executables in the BOINC
-tree diagram shown above.
+On Macintosh computers, the actual directory structures
+of the BOINC Manager application bundle and the screensaver bundle are
+more complex than implied by the box BOINC executables in the
+BOINC tree diagram shown above.
Some Macintosh system administrators may wish to limit which users
can perform BOINC Manager functions (Activity Menu, etc.).
This can be done by moving BOINC Manager out of the