| $name $prot |
";
for ($i=0; $i$prot
";
}
echo "
Our design uses two users and two groups,
both specially created for use by BOINC.
These users and groups are created by the installation process.
- Group: boinc_master
- Group: boinc_project
- User: boinc_master
- Primary group: boinc_master
- Supplementary groups: none
- User: boinc_project
- Primary group: boinc_project
- Supplementary groups: none
On Mac OS X, boinc_project and boinc_master
are added to the Supplementary Groups Lists of those other users
who are members of group admin.
This gives admin users full access to all BOINC and project files.
The following diagram shows user, group and permissions
for the BOINC file and directory tree:
";
echo
show_dir(0, 'BOINC data', $mm0775, array(
show_dir(1, 'projects', $mm0775, array(
show_dir(2, 'setiathome.berkeley.edu', $mp0775, array(
show_file('files created by BOINC Client', $mp06640775),
show_file('files created by project apps', $pp06640775)
))
)),
show_dir(1, 'slots', $mm0775, array(
show_dir(2, '0', $mp0775, array(
show_file('files created by BOINC Client', $mp06640775),
show_file('files created by project apps', $pp06640775)
))
)),
show_dir(1, 'switcher (directory)', $mm0550, array(
show_file('switcher (executable)', $rm4050),
show_file('setprojectgrp (executable)', $mp2500)
)),
show_dir(1, 'locale', $mm0550, array(
show_dir(2, 'de', $mm0550, array(
show_file('BOINC Manager.mo', $mm0440),
show_file('wxstd.mo', $mm0440)
))
)),
show_file('account_*.xml', $mm0664),
show_file('acct_mgr_login.xml', $mm0664),
show_file('client_state.xml', $mm0664),
show_file('gui_rpc_auth.cfg', $mm0660),
show_file('sched_reply*', $mm0664),
show_file('sched_request*', $mm0664)
));
echo "
";
echo
show_dir(0, 'BOINC executables', $ua0555, array(
show_file('BOINC Manager', $mm2555),
show_file('BOINC Client', $mm6555),
show_dir(1, 'screensaver (directory)', $ua0555, array(
show_file('gfx_switcher (executable)', $rm4055)
)),
));
echo "
Implementation notes:
- BOINC Client runs setuid and setgid to boinc_master:boinc_master.
- BOINC Client uses the helper application setprojectgrp to
set project and slot files and directories to group boinc_project.
- BOINC Client does not directly execute project applications.
It runs the helper application switcher,
passing the request in the argument list.
switcher runs setuid root and immediately changes its real and
effective user ID and group ID to boinc_project,
so all project applications inherit user and group boinc_project.
This blocks project applications from accessing unauthorized files.
- In most cases, it is best to avoid running setuid root because
it can present a security risk. In this case, however, this is necessary to
reduce the risk because only the superuser can change the real
user and group of a process. This prevents a malicious or malfunctioning
application from reverting to the user and group who launched BOINC, since any
process can change its user and group back to the real user and
group IDs.
- BOINC's use of setuid root for the switcher application is
safe because:
- The switcher application is inside the switcher directory.
This directory is accessible only by user and group boinc_master,
so that project applications cannot modify the switcher
application's permissions or code. This also prevents unauthorized users
from using switcher to damage or manipulate project files.
- The switcher application is readable and executable only by
group boinc_master; all other access is forbidden.
- When it is run, the switcher application immediately changes
its real and effective user ID and group ID to boinc_project, disabling
its superuser privileges.
- BOINC Manager runs setgid to group boinc_master.
It can access all files in group boinc_master.
It runs as the user who launched it,
which is necessary for a number of GUI features to work correctly.
Although this means that BOINC Manager cannot modify files
created by project applications, there is no need for it to do so.
- Starting with BOINC version 6.0, project science applications use a
separate companion application to display graphics. These graphics
applications are launched by the BOINC Manager when the user clicks on
the Show Graphics button. Running the graphics application
with the BOINC Manager's user and group would be a security risk, so
BOINC Manager uses the switcher application to launch them as
user and group boinc_project.
- The screensaver also can run the graphics applications. The Macintosh
screensaver is launched by the operating system, so it runs as the
currently logged in user and group. Since running the science projects' graphics applications
with this user and group would be a security risk, the screensaver has
its own embedded helper application gfx_switcher which it uses to
launch the graphics applications.
Like the switcher application, gfx_switcher runs setuid
root and immediately changes its real and effective user ID and
group ID to boinc_project
- The BOINC screensaver's use of setuid root for the
gfx_switcher application is safe because:
- When it is run, the gfx_switcher application immediately changes
its real and effective user ID and group ID to boinc_project, disabling
its superuser privileges.
- The gfx_switcher application has very limited functionality. It
accepts only two commands as its first argument:.
- launch_gfx: the second argument is the slot number. It looks for
a soft-link named graphics_app in the specified slot directory and launches
the referenced graphics application.
- kill_gfx: the second argument is the process ID. It kills the
application with the process ID; since it is running as user and group
boinc_project, it can affect only processes belonging to that user.
- BOINC Manager and BOINC Client set their umasks to 002,
which is inherited by all child applications.
The default permissions for all files and directories they create prevent
modification outside the user and group.
Because files are world-readable, BOINC Client can read files written by projects.
Third-party add-ons can also read BOINC data files.
- Non-admin users cannot directly modify BOINC or project files.
They can modify these files only by running the BOINC Manager and Client.
- Users with admin access are members of groups boinc_master
and boinc_project so that they do have
direct access to all BOINC and project files
to simplify maintenance and administration.
- The RPC password file gui_rpc_auth.cfg
is accessible only by user and group boinc_master.
In other words, only BOINC Manager, BOINC Client and
authorized administrative users can read or modify it,
limiting access to most BOINC RPC functions.
- BOINC Manager restricts certain functions to authorized users:
Attach to Project, Detach from Project, Reset Project, Abort Task,
Abort Transfer, Update Account Manager.
If an unauthorized user requests these functions,
the Manager requires password authentication.
- On Macintosh computers, the actual directory structures
of the BOINC Manager application bundle and the screensaver bundle are
more complex than implied by the box BOINC executables in the
BOINC tree diagram shown above.
- Some Macintosh system administrators may wish to limit which users
can perform BOINC Manager functions (Activity Menu, etc.).
This can be done by moving BOINC Manager out of the
/Applications directory into a directory with restricted access.
";
page_tail();
?>
|