boinc manager password is empty by default

Bug #328477 reported by Evgeny Kapun
This bug affects 1 person
Affects: boinc (Ubuntu)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

I am using Ubuntu 8.10 and boinc-client 6.2.12-1.
When a user installs the BOINC client, the RPC password is empty unless the user manually edits /etc/boinc-client/gui_rpc_auth.cfg. I think that the installer should generate some random password to make the system more secure.

Nicolás Alvarez (nicolas-alvarez) wrote :

This is a serious security bug. It allows any local user to run arbitrary code under the 'boinc' user by attaching his own project.

Bryan Quigley (bryanquigley) wrote :

I don't see this as an issue.

Any local user is able to run arbitrary code... that can't leave the boinc confines...
On a default install a normal user without boinc would be able to run arbitrary code not restricted to the boinc locked down user account.

Counter-Thoughts?

Changed in boinc (Ubuntu):
status: New → Incomplete
Gianfranco Costamagna (costamagnagianfranco) wrote :

An empty password is never secure by default

Changed in boinc (Ubuntu):
status: Incomplete → New
Daniel Hahler (blueyed) wrote :

I agree with Bryan: it allows local access only and any local user would be able to execute code.
If you want to lock it down so that others do not attach projects you do not want to run, you're free to add a password.
Considering usability and the common use case (single user setup / trusted peers), I am closing this as "Won't fix".

Please note however, that you can still ask upstream (via http://boinc.berkeley.edu/trac/) about changing this.
However, we might change it back to "no password" in Ubuntu then though.. ;)

Changed in boinc (Ubuntu):
importance: Undecided → Low
status: New → Won't Fix
Skip Guenter (skip) wrote :

As I recall, many moons ago it had a random gen'd password and the end users complained about it until it was removed. Been here, did this.
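
The check and the random-password generation requested in the bug description, as an added example that is not part of the report and is not code from the Ubuntu or BOINC packaging. The function names are hypothetical, the path is the one given in the report, and setting file ownership so that the client can still read the file is assumed to be done by the administrator afterwards.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Default path is the one named in the bug report.
AUTH_FILE="${AUTH_FILE:-/etc/boinc-client/gui_rpc_auth.cfg}"

# Prints one of: missing, unreadable, empty, world-readable, set
rpc_auth_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    [ -r "$1" ] || { echo unreadable; return 0; }
    # A file holding only whitespace or a newline is an empty password.
    pw=$(tr -d '[:space:]' < "$1")
    if [ -z "$pw" ]; then
        echo empty
    elif [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        # Any local user can read the password, so it restricts nobody local.
        echo world-readable
    else
        echo set
    fi
}

# Writes a random 128-bit password (32 hex chars) only if none is set.
# Assumption: the caller fixes ownership afterwards so the client can read it.
ensure_rpc_password() {
    file=$1
    case $(rpc_auth_status "$file") in
        set|world-readable) return 0 ;;   # never overwrite an existing password
        unreadable) return 1 ;;           # cannot tell; do not touch the file
    esac
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "${file}.XXXXXX") || { umask "$old_umask"; return 1; }
    { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo; } > "$tmp"
    mv "$tmp" "$file"    # same directory, so the replacement is atomic
    umask "$old_umask"
}

# Usage (as root): ensure_rpc_password "$AUTH_FILE"; rpc_auth_status "$AUTH_FILE"
```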
