From f32e42e1bba498181ee00e7b9f25571f9f9f951b Mon Sep 17 00:00:00 2001
From: Charlie Fenton
Date: Fri, 12 Oct 2007 05:11:04 +0000
Subject: [PATCH] Update sandbox security documentation
svn path=/trunk/boinc/; revision=13839
---
 clientgui/mac/SetupSecurity.cpp | 2 +-
 doc/sandbox.php | 81 +++++++++++++++++++++++++++------
 2 files changed, 68 insertions(+), 15 deletions(-)
diff --git a/clientgui/mac/SetupSecurity.cpp b/clientgui/mac/SetupSecurity.cpp
index d11015f3cb..2e1085d306 100644
--- a/clientgui/mac/SetupSecurity.cpp
+++ b/clientgui/mac/SetupSecurity.cpp
@@ -243,7 +243,7 @@ int SetBOINCAppOwnersGroupsAndPermissions(char *path) {
 // chmod u=rsx,g=rx,o=rx "/Library/Screen Savers/BOINCSaver.saver/Contents/Resources/gfx_switcher"
 // 04055 = S_ISUID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH
- // setuid-on-execution, setgid-on-execution plus read and execute permission for user, group & others
+ // setuid-on-execution plus read and execute permission for user, group & others
 err = DoPrivilegedExec(chmodPath, "u=rsx,g=rx,o=rx", fullpath, NULL, NULL, NULL);
 if (err) return err;
diff --git a/doc/sandbox.php b/doc/sandbox.php
index c21eb02316..b2dbadfb43 100644
--- a/doc/sandbox.php
+++ b/doc/sandbox.php
@@ -27,7 +27,8 @@ function prot($user, $group, $perm) {
 $pp06640775 = prot('boinc_project', 'boinc_project', '0664 or 0775');
 $mp2500 = prot('boinc_master', 'boinc_project', '0500+setgid');
-$pp6551 = prot('boinc_project', 'boinc_project', '0551+setuid+setgid');
+$rm4050 = prot('root', 'boinc_master', '0050+setuid');
+$rm4055 = prot('root', 'boinc_master', '0055+setuid');
 $mm0550 = prot('boinc_master', 'boinc_master', '0550');
 $mm0440 = prot('boinc_master', 'boinc_master', '0440');
 $mm0660 = prot('boinc_master', 'boinc_master', '0660');
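Review bot: The octal in the comment directly above the changed line agrees with neither its own expansion nor the chmod spec two lines below it: S_ISUID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH is 04555, and `u=rsx,g=rx,o=rx` also produces 04555, while the comment says 04055 and the sandbox.php hunk in this same commit documents gfx_switcher as `0055+setuid`. If the documented 4055 mode (root owner with no owner permission bits, matching switcher's `0050+setuid`) is the intent, the spec should be `u=s,g=rx,o=rx` and the comment `// 04055 = S_ISUID | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH`; otherwise the comment and the doc entry should say 04555 / `0555+setuid`. This is worth settling now, because the sandbox model the commit documents is only as accurate as the mode actually applied to the setuid-root helper. SetBOINCAppOwnersGroupsAndPermissions begins and ends outside the hunk.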
@@ -112,7 +113,7 @@ echo
 )) )),
 show_dir(1, 'switcher (directory)', $mm0550, array(
- show_file('switcher (executable)', $pp6551),
+ show_file('switcher (executable)', $rm4050),
 show_file('setprojectgrp (executable)', $mp2500)
 )),
 show_dir(1, 'locale', $mm0550, array(
@@ -134,7 +135,10 @@ echo "

";
 echo show_dir(0, 'BOINC executables', $ua0555, array(
 show_file('BOINC Manager', $mm2555),
- show_file('BOINC Client', $mm6555)
+ show_file('BOINC Client', $mm6555),
+ show_dir(1, 'screensaver (directory)', $ua0555, array(
+ show_file('gfx_switcher (executable)', $rm4055)
+ )),
 ));
 echo "
@@ -148,16 +152,70 @@ set project and slot files and directories to group boinc_project.
  • BOINC Client does not directly execute project applications. It runs the helper application switcher, passing the request in the argument list. -switcher runs setuid boinc_project and setgid -boinc_project, +switcher runs setuid root and immediately changes its real and +effective user ID and group ID to boinc_project, so all project applications inherit user and group boinc_project. This blocks project applications from accessing unauthorized files. +
  • In most cases, it is best to avoid running setuid root because +it can present a security risk. In this case, however, this is necessary to +reduce the risk because only the superuser can change the real +user and group of a process. This prevents a malicious or malfunctioning +application from reverting to the user and group who launched BOINC, since any +process can change its user and group back to the real user and +group IDs. +
  • BOINC's use of setuid root for the switcher application is +safe because: +
  • BOINC Manager runs setgid to group boinc_master. It can access all files in group boinc_master. It runs as the user who launched it, which is necessary for a number of GUI features to work correctly. Although this means that BOINC Manager cannot modify files created by project applications, there is no need for it to do so. +
  • Starting with BOINC version 6.0, project science applications use a +separate companion application to display graphics. These graphics +applications are launched by the BOINC Manager when the user clicks on +the Show Graphics button. Running the graphics application +with the BOINC Manager's user and group would be a security risk, so +BOINC Manager uses the switcher application to launch them as +user and group boinc_project. +
  • The screensaver also can run the graphics applications. The Macintosh +screensaver is launched by the operating system, so it runs as the +currently logged in user and group. Since running the science projects' graphics applications +with this user and group would be a security risk, the screensaver has +its own embedded helper application gfx_switcher which it uses to +launch the graphics applications. +Like the switcher application, gfx_switcher runs setuid +root and immediately changes its real and effective user ID and +group ID to boinc_project +
  • The BOINC screensaver's use of setuid root for the +gfx_switcher application is safe because: +
  • BOINC Manager and BOINC Client set their umasks to 002, which is inherited by all child applications. The default permissions for all files and directories they create prevent @@ -166,11 +224,6 @@ Because files are world-readable, BOINC Client can read files written by project Third-party add-ons can also read BOINC data files.
  • Non-admin users cannot directly modify BOINC or project files. They can modify these files only by running the BOINC Manager and Client. -
  • The switcher application is inside the switcher directory. -This directory is accessible only by user and group boinc_master, -so that project applications cannot modify the switcher -application's permissions or code. This also prevents unauthorized users -from using switcher to damage project files.
  • Users with admin access are members of groups boinc_master and boinc_project so that they do have direct access to all BOINC and project files @@ -185,10 +238,10 @@ Attach to Project, Detach from Project, Reset Project, Abort Task, Abort Transfer, Update Account Manager. If an unauthorized user requests these functions, the Manager requires password authentication. -
  • On Macintosh computers, the actual directory structure -of the BOINC Manager application bundle is more complex -than implied by the box BOINC executables in the BOINC -tree diagram shown above. +
  • On Macintosh computers, the actual directory structures +of the BOINC Manager application bundle and the screensaver bundle are +more complex than implied by the box BOINC executables in the +BOINC tree diagram shown above.
  • Some Macintosh system administrators may wish to limit which users can perform BOINC Manager functions (Activity Menu, etc.). This can be done by moving BOINC Manager out of the