Bug#841665: boinc-client: The boinc-client init script has a badly constructed parameter for xhost

[Mike Brennan]

Package: boinc-client
Version: 7.6.33+dfsg-1~bpo8+1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainers,

boinc-client shell script is used by init/systemd to start the boinc client 
daemon (typically running as user=boinc)

In order for boinc to access GPU hardware -  xhost is used to grant access to 
boinc.

At line 109-110
-------------------------------------------------------------------------------------------
# grant the boinc client to perform GPU computing
       xhost local:boinc || echo -n "xhost error ignored, GPU computing may not 
be possible"
--------------------------------------------------------------------------------------------

the correct syntax stould be 
       xhost +si:localuser:boinc
or more correctly for the this script
       xhost +si:localuser:$BOINC_USER

The impact of using this incorrect syntax - is not to error, but grant ALL 
local users access.  
(This could be a very old or different maybe BSD syntax)

The intention of the script to grant ONLY user=boinc access, instead all local 
users have access.

For example a little test.

agentb@dejon:/etc/init.d$ xhost
access control enabled, only authorized clients can connect
SI:localuser:agentb

agentb@dejon:/etc/init.d$ xhost local:random-string
non-network local connections being added to access control list

agentb@dejon:/etc/init.d$ xhost
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:boinc
SI:localuser:agentb

Hope this is clear, and thank you for maintaining boinc!

Cheers
Mike


-- Package-specific info:
-- Contents of /etc/default/boinc-client:
# This file is /etc/default/boinc-client, it is a configuration file for the
# /etc/init.d/boinc-client init script.

# Set this to 1 to enable and to 0 to disable the init script.
ENABLED="1"

# Set this to 1 to enable advanced scheduling of the BOINC core client and
# all its sub-processes (reduces the impact of BOINC on the system's
# performance).
SCHEDULE="1"

# The BOINC core client will be started with the permissions of this user.
BOINC_USER="boinc"

# This is the data directory of the BOINC core client.
BOINC_DIR="/var/lib/boinc-client"

# This is the location of the BOINC core client, that the init script uses.
# If you do not want to use the client program provided by the boinc-client
# package, you can specify here an alternative client program.
#BOINC_CLIENT="/usr/local/bin/boinc"
BOINC_CLIENT="/usr/bin/boinc"

# Here you can specify additional options to pass to the BOINC core client.
# Type 'boinc --help' or 'man boinc' for a full summary of allowed options.
#BOINC_OPTS="--allow_remote_gui_rpc"
BOINC_OPTS=""

# Scheduling options

# Set SCHEDULE="0" if prefering to run with upstream default priority
# settings.

# Nice levels. When systems are truly busy, e.g. because of too many active
# scientific applications started by the boinc client, there is a chance for
# the boinc client not to be granted sufficient opportunity to check for
# scientific applications to be alive and make the (wrong) decision to
# terminate the scientific app. This is particularly an issue with many
# apps started in parallel on modern multi-core systems and extra overheads
# for the download and uploads of files with the project servers. Another
# concern is the latency for scientific applications to communicate with the
# graphics card, which should be low. All such values should be set and
# controled from within the BOINC client. The Debian init script also sets
# extra constrains via chrt on real time performance and via ionice on 
# I/O performance, which is beyond the regular BOINC client. It then was
# too easy to use that code to also constrain minimal nice levels. We still
# think about how to best distinguish GPU applications from regular apps.
BOINC_NICE_CLIENT=10
BOINC_NICE_APP_DEFAULT=19
#BOINC_NICE_APP_GPU=5        # not yet used

# ionice classes. See manpage of ionice (1) in the util-linux package.
BOINC_IONICE_CLIENT=3        # idle
#BOINC_IONICE_APP_DEFAULT=3  # idle, not yet used
#BOINC_IONICE_APP_GPU=2      # best effort, not yet used


-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages boinc-client depends on:
ii  adduser                3.113+nmu3
ii  ca-certificates        20141019+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  libboinc7              7.6.33+dfsg-1~bpo8+1
ii  libc6                  2.19-18+deb8u6
ii  libcurl3               7.38.0-4+deb8u4
ii  libgcc1                1:4.9.2-10
ii  libstdc++6             4.9.2-10
ii  libx11-6               2:1.6.2-3
ii  libxss1                1:1.2.2-1
ii  python                 2.7.9-1
ii  zlib1g                 1:1.2.8.dfsg-2+b1

boinc-client recommends no packages.

Versions of packages boinc-client suggests:
pn  boinc-client-fglrx        <none>
pn  boinc-client-nvidia-cuda  <none>
pn  boinc-client-opencl       <none>
ii  boinc-manager             7.6.33+dfsg-1~bpo8+1
ii  x11-xserver-utils         7.7+3+b1

-- Configuration Files:
/etc/boinc-client/cc_config.xml changed [not included]
/etc/boinc-client/global_prefs_override.xml changed [not included]

-- debconf information excluded