Re: [gentoo-user] BOINC on a hardened system?
On Friday 28 Jul 2017 09:38:58 Peter Humphrey wrote:

> It looks as though it has to run as root, which doesn't bode well. I'll
> experiment with running BOINC with the default ownerships, though.

Well, what do you know? Reverting to the default root:boinc enables it to run. I can't use the local GUI but I can connect to it with the one on this box, which has prh:prh set.

So all's well that ends well.

--
Regards
Peter
Re: [gentoo-user] BOINC on a hardened system?
On Friday 28 Jul 2017 15:23:05 Gregory Woodbury wrote:

> By default, BOINC daemon is started by root and supposedly drops
> permissions after a bit. However, the CERNVM VirtualBox application
> cannot run as root, so they recommend running BOINC from a user
> account that has virtualbox permissions; VirtualBox, on the other
> hand, will not run as root for security reasons.
>
> I got around this by making BOINC as "user" and moving its $HOME to
> /home/boinc/ and I don't think I had to change anything (except the
> /etc/conf.d/boinc file.)

I run it as me in its own partition, under /home/prh/boinc/. I also had to change /usr/share/applications/boincmgr.desktop so that I could run the GUI.

> I am not using any hardening in the kernel, so that may complicate things.

It does. Everything worked just fine until I hardened the kernel. I don't know yet whether BOINC can run at all on a hardened system. Whence my question.

> I currently run some 11 projects, including SETI, CERN, Einstein, and
> World Community Grid. Everything works fine for me.

Yes, I run seven projects, including all those except WCG.

--
Regards
Peter
Re: [gentoo-user] BOINC on a hardened system?
By default, BOINC daemon is started by root and supposedly drops permissions after a bit. However, the CERNVM VirtualBox application cannot run as root, so they recommend running BOINC from a user account that has virtualbox permissions; VirtualBox, on the other hand, will not run as root for security reasons.

I got around this by making BOINC as "user" and moving its $HOME to /home/boinc/ and I don't think I had to change anything (except the /etc/conf.d/boinc file.)

I am not using any hardening in the kernel, so that may complicate things.

I currently run some 11 projects, including SETI, CERN, Einstein, and World Community Grid. Everything works fine for me.

--
G.Wolfe Woodbury
redwo...@gmail.com
Re: [gentoo-user] BOINC on a hardened system?
On Thursday 27 Jul 2017 11:02:45 Gregory Woodbury wrote:

> Depending on which BOINC projects you choose to run, BOINC may or may
> not need continual access to the Internet.
> Most of the projects I run only need intermittent access to upload and
> receive new workunits, but CERN projects need
> continuous access while running.

It's only the incoming access from the Big Bad World that would be shut most of the time, only opened for particular purposes.

> Also, BOINC will run if the certificates are not owned by BOINC, but
> will complain in the logs when they are updated, and then
> you could update them by hand.

I haven't experienced that so far. But I get lots of "grsec: denied following symlink /home/prh/boinc/ca-bundle.crt since owner 1000 does not match target owner 0" errors. Also, today I see "denied untrusted exec (due to being in untrusted group and file in non-root-owned directory)" errors as well. (I hope I've transcribed those right.)

It looks as though it has to run as root, which doesn't bode well. I'll experiment with running BOINC with the default ownerships, though.

> So far as I know, there have not been any vectors propagated via BOINC.

That's good - thanks.

--
Regards
Peter
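As an added example (not code from this thread, from BOINC or from grsecurity), a small Python triage script for the situation Peter describes: it parses the two denial messages in the form he transcribes them (the exact log format is an assumption taken from that transcription), and it walks a BOINC data directory for symlinks whose owner differs from the owner of their target, which is the condition the first message reports, so the mismatches can be found and fixed before the kernel refuses them. The sample log lines, the directory fixture and the file names in it are constructed for the example.

```python
"""Triage grsec ownership denials around a BOINC data directory.

Added example, not BOINC's or grsecurity's code. The message shapes below
are assumed from the lines transcribed in the thread; the audit implements
only the rule those messages state (symlink owner must equal target owner).
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Assumed message formats, following the two denials transcribed in the thread.
SYMLINK_RE = re.compile(
    r"denied following symlink (?P<path>\S+) since owner (?P<owner>\d+) "
    r"does not match target owner (?P<target_owner>\d+)"
)
EXEC_RE = re.compile(r"denied untrusted exec \((?P<reason>[^)]*)\)")

# Constructed sample lines, shaped like the transcribed denials plus one
# unrelated line that must be ignored.
SAMPLE_LOG = [
    "grsec: denied following symlink /home/prh/boinc/ca-bundle.crt "
    "since owner 1000 does not match target owner 0",
    "grsec: denied untrusted exec (due to being in untrusted group and "
    "file in non-root-owned directory)",
    "kernel: unrelated line",
]


def parse_denial(line: str) -> Optional[Dict[str, object]]:
    """Classify one kernel log line; None if it is not a denial we know."""
    m = SYMLINK_RE.search(line)
    if m:
        return {
            "kind": "symlink",
            "path": m.group("path"),
            "owner": int(m.group("owner")),
            "target_owner": int(m.group("target_owner")),
        }
    m = EXEC_RE.search(line)
    if m:
        return {"kind": "exec", "reason": m.group("reason")}
    return None


def parse_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Return the structured denials found in a sequence of log lines."""
    return [d for d in (parse_denial(line) for line in lines) if d]


def mismatched_symlinks(root: str) -> List[str]:
    """Walk root (without following links) and return every symlink whose
    owner differs from its target's owner, or whose target is missing.
    This is the ownership condition the transcribed denial reports."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                continue
            try:
                link_uid = os.lstat(p).st_uid    # owner of the link itself
                target_uid = os.stat(p).st_uid   # owner of what it resolves to
            except FileNotFoundError:            # dangling link: flag it too
                bad.append(p)
                continue
            if link_uid != target_uid:
                bad.append(p)
    return bad


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: a directory holding one regular file, one symlink
    to it made by the same user (clean), and one dangling symlink (flagged)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "ca-bundle.crt")
        with open(target, "w") as f:
            f.write("placeholder, not a real certificate bundle\n")
        os.symlink(target, os.path.join(d, "bundle.link"))
        os.symlink(os.path.join(d, "missing"), os.path.join(d, "dangling"))
        flagged = [os.path.basename(p) for p in mismatched_symlinks(d)]
        return {"flagged": sorted(flagged)}


if __name__ == "__main__":
    for denial in parse_denials(SAMPLE_LOG):
        print(denial)
    print(demo())
```

Run the audit as the user the daemon actually runs as, against the data directory named in /etc/conf.d/boinc, after the init script has done its chown; a link that the audit cannot stat for permission reasons will raise rather than be silently skipped. The owner comparison only reproduces the one rule visible in the transcribed message, so a clean result from it says nothing about the separate "untrusted exec" denial, which the parser classifies but the audit does not try to predict.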
Re: [gentoo-user] BOINC on a hardened system?
Depending on which BOINC projects you choose to run, BOINC may or may not need continual access to the Internet. Most of the projects I run only need intermittent access to upload and receive new workunits, but CERN projects need continuous access while running.

Also, BOINC will run if the certificates are not owned by BOINC, but will complain in the logs when they are updated, and then you could update them by hand.

So far as I know, there have not been any vectors propagated via BOINC.

--
G.Wolfe Woodbury
redwo...@gmail.com
[gentoo-user] BOINC on a hardened system?
Hello list,

I have a small box as a web development host, running hardened-sources, which I'll also want to expose to the Internet for odd periods. As that load is so light, I thought it might be a good idea to put the spare CPU to some use by running BOINC.

The startup script, however, changes the entire boinc directory's ownership to the user nominated in /etc/conf.d/boinc. The problem is that, on a hardened system, the ca-bundle.crt file must be owned by root. This could be fixed with a small addition to the startup script, but before I open a bug, does the panel think I ought to be running BOINC on an exposed system? I don't know any of its history to argue one way or the other, but the team does try to avoid security lapses.

--
Regards
Peter