Commit ccca6db3 authored by Charlie Fenton's avatar Charlie Fenton

ss_app: Under sandbox security, set boincscr permissions the same as for BOINC Manager

svn path=/trunk/boinc/; revision=17255
parent e5928007
......@@ -1540,3 +1540,23 @@ David 12 Feb 2009
sim.h
lib/
prefs.cpp
Charlie 13 Feb 2009
- ss_app: Under sandbox security, set boincscr permissions the same as
for BOINC Manager: setgid to boinc_master but do not setuid; this
allows the screensaver coordinator to kill boincscr but still gives
boincscr access to GUI RPC password file and so to all GUI RPCs.
- SS: On Windows, add code to get paths to BOINC data and executable
directories from Windows registry; expects boincscr in BOINC
executable directory and ss-config.xml in BOINC data directory.
client/
check_security.cpp
clientgui/
mac/
SetupSecurity.cpp
clientscr/
screensaver.cpp
screensaver_win.cpp,.h
mac_build/
Mac_SA_Secure.sh
......@@ -485,10 +485,10 @@ int use_sandbox, int isManager
return -1056;
#ifdef _DEBUG
if ((sbuf.st_mode & 07777) != 06775)
if ((sbuf.st_mode & 07777) != 02775)
return -1057;
#else
if ((sbuf.st_mode & 07777) != 06555)
if ((sbuf.st_mode & 07777) != 02555)
return -1058;
#endif
} // Screensaver executable file boincscr exists
......
......@@ -173,7 +173,7 @@ int SetBOINCAppOwnersGroupsAndPermissions(char *path) {
#ifdef _DEBUG
// chmod u=rwx,g=rwsx,o=rx path/BOINCManager.app/Contents/MacOS/BOINCManager
// 02775 = S_ISGID | S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IXOTH
// setgid-on-execution plus read, write and execute permission for user, group & others
// setgid-on-execution plus read, write and execute permission for user & group, read & execute for others
err = DoPrivilegedExec(chmodPath, "u=rwx,g=rwsx,o=rx", fullpath, NULL, NULL, NULL);
#else
// chmod u=rx,g=rsx,o=rx path/BOINCManager.app/Contents/MacOS/BOINCManager
......@@ -584,15 +584,15 @@ int SetBOINCDataOwnersGroupsAndPermissions() {
// Set permissions of executable file boincscr
#ifdef _DEBUG
// chmod u=rwsx,g=rwsx,o=rx path/BOINCManager.app/Contents/Resources/boinc
// 06775 = S_ISUID | S_ISGID | S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IXOTH
// setuid-on-execution, setgid-on-execution plus read, write and execute permission for user & group, read & execute for others
err = DoPrivilegedExec(chmodPath, "u=rwsx,g=rwsx,o=rx", fullpath, NULL, NULL, NULL);
// chmod u=rwx,g=rwsx,o=rx /Library/Application Support/BOINC Data/boincscr
// 02775 = S_ISGID | S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IXOTH
// setgid-on-execution plus read, write and execute permission for user & group, read & execute for others
err = DoPrivilegedExec(chmodPath, "u=rwx,g=rwsx,o=rx", fullpath, NULL, NULL, NULL);
#else
// chmod u=rsx,g=rsx,o=rx path/BOINCManager.app/Contents/Resources/boinc
// 06555 = S_ISUID | S_ISGID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH
// setuid-on-execution, setgid-on-execution plus read and execute permission for user, group & others
err = DoPrivilegedExec(chmodPath, "u=rsx,g=rsx,o=rx", fullpath, NULL, NULL, NULL);
// chmod u=rx,g=rsx,o=rx /Library/Application Support/BOINC Data/boincscr
// 02555 = S_ISGID | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH
// setgid-on-execution plus read and execute permission for user, group & others
err = DoPrivilegedExec(chmodPath, "u=rx,g=rsx,o=rx", fullpath, NULL, NULL, NULL);
#endif
if (err)
return err;
......
......@@ -225,7 +225,7 @@ if [ -f ss_config.xml ] ; then
fi
if [ -f boincscr ] ; then
set_perm boincscr boinc_master boinc_master 6555
set_perm boincscr boinc_master boinc_master 2555
fi
if [ -x /Applications/BOINCManager.app/Contents/MacOS/BOINCManager ] ; then
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment