Your message dated Sun, 23 Oct 2016 20:58:09 +0000
with message-id <[email protected]>
and subject line Bug#841665: fixed in boinc 7.6.33+dfsg-2
has caused the Debian Bug report #841665,
regarding boinc-client: The boinc-client init script has a badly constructed parameter for xhost
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
841665: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841665
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: boinc-client
Version: 7.6.33+dfsg-1~bpo8+1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainers,

The boinc-client shell script is used by init/systemd to start the boinc
client daemon (typically running as user=boinc).

In order for boinc to access GPU hardware, xhost is used to grant access to
boinc.

At line 109-110

-------------------------------------------------------------------------------------------
# grant the boinc client to perform GPU computing
xhost local:boinc || echo -n "xhost error ignored, GPU computing may not be possible"
--------------------------------------------------------------------------------------------

the correct syntax should be

    xhost +si:localuser:boinc

or more correctly for this script

    xhost +si:localuser:$BOINC_USER

The impact of using this incorrect syntax is not to error, but to grant ALL
local users access. (This could be a very old or different, maybe BSD, syntax.)

The intention of the script is to grant ONLY user=boinc access; instead all
local users have access.

For example, a little test.

agentb@dejon:/etc/init.d$ xhost
access control enabled, only authorized clients can connect
SI:localuser:agentb
agentb@dejon:/etc/init.d$ xhost local:random-string
non-network local connections being added to access control list
agentb@dejon:/etc/init.d$ xhost
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:boinc
SI:localuser:agentb

Hope this is clear, and thank you for maintaining boinc!

Cheers
Mike

-- Package-specific info:
-- Contents of /etc/default/boinc-client:
# This file is /etc/default/boinc-client, it is a configuration file for the
# /etc/init.d/boinc-client init script.

# Set this to 1 to enable and to 0 to disable the init script.
ENABLED="1"

# Set this to 1 to enable advanced scheduling of the BOINC core client and
# all its sub-processes (reduces the impact of BOINC on the system's
# performance).
SCHEDULE="1"

# The BOINC core client will be started with the permissions of this user.
BOINC_USER="boinc"

# This is the data directory of the BOINC core client.
BOINC_DIR="/var/lib/boinc-client"

# This is the location of the BOINC core client, that the init script uses.
# If you do not want to use the client program provided by the boinc-client
# package, you can specify here an alternative client program.
#BOINC_CLIENT="/usr/local/bin/boinc"
BOINC_CLIENT="/usr/bin/boinc"

# Here you can specify additional options to pass to the BOINC core client.
# Type 'boinc --help' or 'man boinc' for a full summary of allowed options.
#BOINC_OPTS="--allow_remote_gui_rpc"
BOINC_OPTS=""

# Scheduling options

# Set SCHEDULE="0" if prefering to run with upstream default priority
# settings.

# Nice levels. When systems are truly busy, e.g. because of too many active
# scientific applications started by the boinc client, there is a chance for
# the boinc client not to be granted sufficient opportunity to check for
# scientific applications to be alive and make the (wrong) decision to
# terminate the scientific app. This is particularly an issue with many
# apps started in parallel on modern multi-core systems and extra overheads
# for the download and uploads of files with the project servers. Another
# concern is the latency for scientific applications to communicate with the
# graphics card, which should be low. All such values should be set and
# controled from within the BOINC client. The Debian init script also sets
# extra constrains via chrt on real time performance and via ionice on
# I/O performance, which is beyond the regular BOINC client. It then was
# too easy to use that code to also constrain minimal nice levels. We still
# think about how to best distinguish GPU applications from regular apps.
BOINC_NICE_CLIENT=10
BOINC_NICE_APP_DEFAULT=19
#BOINC_NICE_APP_GPU=5 # not yet used

# ionice classes. See manpage of ionice (1) in the util-linux package.
BOINC_IONICE_CLIENT=3 # idle
#BOINC_IONICE_APP_DEFAULT=3 # idle, not yet used
#BOINC_IONICE_APP_GPU=2 # best effort, not yet used

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages boinc-client depends on:
ii  adduser                3.113+nmu3
ii  ca-certificates        20141019+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  libboinc7              7.6.33+dfsg-1~bpo8+1
ii  libc6                  2.19-18+deb8u6
ii  libcurl3               7.38.0-4+deb8u4
ii  libgcc1                1:4.9.2-10
ii  libstdc++6             4.9.2-10
ii  libx11-6               2:1.6.2-3
ii  libxss1                1:1.2.2-1
ii  python                 2.7.9-1
ii  zlib1g                 1:1.2.8.dfsg-2+b1

boinc-client recommends no packages.

Versions of packages boinc-client suggests:
pn  boinc-client-fglrx        <none>
pn  boinc-client-nvidia-cuda  <none>
pn  boinc-client-opencl       <none>
ii  boinc-manager             7.6.33+dfsg-1~bpo8+1
ii  x11-xserver-utils         7.7+3+b1

-- Configuration Files:
/etc/boinc-client/cc_config.xml changed [not included]
/etc/boinc-client/global_prefs_override.xml changed [not included]

-- debconf information excluded
--- End Message ---
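
A check for the condition reported above, added here as an example; it is not code from the boinc package or from the reporter, and the function names (audit_xhost_acl, lint_xhost_calls, sample_bad, sample_fixed) are hypothetical. It reads an `xhost` access list and fails when a `LOCAL:` entry or an unexpected user is present, and it flags init-script lines that still call xhost with the bare `local:` form.

```shell
#!/bin/sh
# Added example (not from the boinc package). All function names are hypothetical.

# audit_xhost_acl "user1 user2": reads `xhost` output on stdin, prints one
# finding per entry, returns 0 only if every grant is an allowed local user.
audit_xhost_acl() {
    allowed=" $1 "
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control enabled"*|"") ;;   # status header or blank line
            "access control disabled"*)
                echo "FAIL access control disabled"; rc=1 ;;
            LOCAL:*)
                # The entry `xhost local:<anything>` adds: every local user.
                echo "FAIL LOCAL: grants all non-network local connections"; rc=1 ;;
            SI:localuser:*)
                user=${line#SI:localuser:}
                case "$allowed" in
                    *" $user "*) echo "OK   $line" ;;
                    *) echo "WARN $line is not an expected user"; rc=1 ;;
                esac ;;
            *)  echo "WARN unrecognised entry: $line"; rc=1 ;;
        esac
    done
    return "$rc"
}

# lint_xhost_calls: reads script text on stdin and prints (with line numbers)
# xhost calls using the bare "local:" family; returns 0 if any were found.
lint_xhost_calls() {
    grep -nE '(^|[^[:alnum:]_])xhost[[:space:]]+\+?local:'
}

# ACL listing from the report's test session, after `xhost local:random-string`.
sample_bad() {
    printf '%s\n' 'access control enabled, only authorized clients can connect' \
        'LOCAL:' 'SI:localuser:boinc' 'SI:localuser:agentb'
}
# Constructed: the same listing without the LOCAL: entry.
sample_fixed() {
    printf '%s\n' 'access control enabled, only authorized clients can connect' \
        'SI:localuser:boinc' 'SI:localuser:agentb'
}

# Demo on the embedded samples; on a live display: xhost | audit_xhost_acl "boinc $USER"
sample_bad | audit_xhost_acl "boinc agentb" || true
sample_fixed | audit_xhost_acl "boinc agentb"
```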
--- Begin Message ---
Source: boinc
Source-Version: 7.6.33+dfsg-2

We believe that the bug you reported is fixed in the latest version of
boinc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <[email protected]> (supplier of updated boinc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 05 Sep 2016 08:24:58 +0200
Source: boinc
Binary: boinc boinc-client-nvidia-cuda boinc-client-opencl boinc-client-fglrx boinc-client boinc-screensaver boinc-manager boinc-dev libboinc-app-dev libboinc-app7 libboinc7
Architecture: source
Version: 7.6.33+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian BOINC Maintainers <[email protected]>
Changed-By: Gianfranco Costamagna <[email protected]>
Description:
 boinc      - metapackage for the BOINC client and the manager
 boinc-client - core client for the BOINC distributed computing infrastructure
 boinc-client-fglrx - metapackage for AMD/ATI fglrx-savvy BOINC client and manager
 boinc-client-nvidia-cuda - metapackage for CUDA-savvy BOINC client and manager
 boinc-client-opencl - metapackage for AMD/ATI OpenCL-savvy BOINC client and manager
 boinc-dev  - development files to build applications for BOINC projects (trans
 boinc-manager - GUI to control and monitor the BOINC core client
 boinc-screensaver - screen saver auto-controlling volunteer computing
 libboinc-app-dev - development files to build applications for BOINC projects
 libboinc-app7 - libraries for BOINC's scientific applications
 libboinc7  - libraries of BOINC the client depends on
Closes: 841665
Changes:
 boinc (7.6.33+dfsg-2) unstable; urgency=high
 .
   [ Gianfranco Costamagna ]
   * Upload to unstable
   * Switch to unversioned php* packages.
 .
   [ Mike Brennan <[email protected]> ]
   * Fix xhost syntax. (Closes: #841665)
--- End Message ---

