Package: boinc-client
Version: 5.4.11-4
Severity: normal

boinc-client default install sets the following modes on /etc/boinc-client/gui_rpc_auth.cfg:

-rw-r--r-- 1 boinc boinc 8 Jan 14 01:01 gui_rpc_auth.cfg

By default it doesn't contain any password, but if an admin adds one without checking the permissions, this password will be available to any user on the system (allowing them to control the boinc daemon, and potentially detach/attach projects, etc). Also, given the owner of this file is user 'boinc', the boinc daemon itself could overwrite the contents of this file. An attacker finding a programming flaw in the software could take advantage of this as well. This also applies to a lesser extent to the other files in the /etc/boinc-client directory.

Thus, it seems to me that the files in the /etc/boinc-client directory should be 640 root:boinc instead of 644 boinc:boinc

HTH
T-Bone

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-ck2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages boinc-client depends on:
ii  adduser   3.101                            Add and remove users and groups
ii  debconf   1.5.11                           Debian configuration management sy
ii  libc6     2.3.6.ds1-8                      GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-1  common error description library
ii  libcurl3  7.15.5-1                         Multi-protocol file transfer libra
ii  libgcc1   1:4.1.1-19                       GCC support library
ii  libidn11  0.6.5-1                          GNU libidn library, implementation
ii  libkrb53  1.4.4-6                          MIT Kerberos runtime libraries
ii  libssl0.  0.9.8c-4                         SSL shared libraries
ii  libstdc+  4.1.1-19                         The GNU Standard C++ Library v3
ii  lsb-base  3.1-22                           Linux Standard Base 3.1 init scrip
ii  python    2.4.4-2                          An interactive high-level object-o
ii  zlib1g    1:1.2.3-13                       compression library - runtime

boinc-client recommends no packages.

-- debconf information excluded
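An added audit and hardening script, not part of the report or of the boinc-client package, that checks a configuration directory for the two conditions the report describes (world-readable files, and files owned by the daemon's own account) and applies the 640 root:boinc layout it suggests. It assumes GNU stat(1); the directory and account names default to the ones in the report but are parameters.

```shell
#!/bin/sh
# Audit a config directory for the two problems in the report:
#   1. files readable by every local user (the "other" read bit is set), so a
#      password written into gui_rpc_auth.cfg leaks to all accounts
#   2. files owned by the daemon's own account, so the daemon (or a flaw in it)
#      can rewrite its own configuration
# Prints one line per finding: "WORLD-READABLE <file> <mode>" or
# "DAEMON-OWNED <file> <owner>". Assumes GNU stat -c (coreutils).
audit_conf_dir() {
    dir=${1:-/etc/boinc-client}   # directory to audit (default from the report)
    svc_user=${2:-boinc}          # account the daemon runs as
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        # last octal digit is the "other" class; bit value 4 is read
        other=${mode#"${mode%?}"}
        if [ $((other & 4)) -ne 0 ]; then
            printf 'WORLD-READABLE %s %s\n' "$f" "$mode"
        fi
        if [ "$owner" = "$svc_user" ]; then
            printf 'DAEMON-OWNED %s %s\n' "$f" "$owner"
        fi
    done
}

# Apply the layout the report recommends: mode 640, owner root, group = the
# daemon's group so the daemon can still read but not write its config.
# chown needs root, so it is skipped when run unprivileged; chmod still applies.
harden_conf_dir() {
    dir=${1:-/etc/boinc-client}
    svc_group=${2:-boinc}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chmod 640 "$f" || return 1
        if [ "$(id -u)" -eq 0 ]; then
            chown "root:$svc_group" "$f" || return 1
        fi
    done
}
```

Run `audit_conf_dir` before and after `harden_conf_dir` to confirm the WORLD-READABLE findings disappear; the DAEMON-OWNED finding only clears once the chown has run as root.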