Bug 37327

Summary: foldingathome 3.24 should not run as root
Product: Gentoo Security
Reporter: Andreas Schwarz <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Science Related Packages <sci>
Status: RESOLVED FIXED
Severity: major
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Attachments: patch for foldingathome 3.24 (flags: none)

Description Andreas Schwarz 2004-01-05 12:37:06 UTC
It makes no sense that the foldingathome client is run as root. Patch attached.

Reproducible: Always

Actual Results:  
foldingathome runs as root

Expected Results:  
foldingathome should not run as root

--- folding-init.d.old  2004-01-05 21:32:36.000000000 +0100
+++ folding-init.d      2004-01-05 21:34:32.000000000 +0100
@@ -7,7 +7,7 @@
 
        ebegin "Starting Folding@home"
        cd /opt/foldingathome
-       nice -n 19 ./foldingathome >&/dev/null&
+       nice -n 19 sudo -u foldingathome ./foldingathome >&/dev/null&
        eend $?
 }

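Review bot: the `+` line replaces "runs as root" with a hard dependency on sudo that the ebuild does not declare and that a minimal system may not have (Comment 5 makes the same objection); Gentoo init scripts already have `start-stop-daemon`, whose `--chuid` and `--nicelevel` options drop privileges and set the nice value without sudo, so the line could become `start-stop-daemon --start --background --chuid foldingathome --nicelevel 19 --exec /opt/foldingathome/foldingathome`. A second, pre-existing problem on both the `-` and `+` lines is the trailing `&`: `eend $?` on the next line then only reports whether the background job was forked, so a client that dies immediately still shows as started; start-stop-daemon's exit status would make that check meaningful.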
--- foldingathome-3.24.ebuild.old       2004-01-05 21:31:22.000000000 +0100
+++ foldingathome-3.24.ebuild   2004-01-05 21:32:23.000000000 +0100
@@ -30,6 +30,8 @@
 src_install() {
        exeinto ${I} ; doexe foldingathome
        exeinto /etc/init.d ; newexe ${FILESDIR}/folding-init.d foldingathome
+       adduser foldingathome
+       chown -R foldingathome:nobody /opt/foldingathome
 }
 
 pkg_postinst() {
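Review bot: both `+` lines act on the live system from `src_install`, which in Gentoo populates the image under `${D}` and runs inside the sandbox, so `adduser` modifies the build host's `/etc/passwd` (and is never run when the resulting binary package is installed on another machine) and `chown -R ... /opt/foldingathome` targets the live path rather than `${D}${I}`. Create the account in `pkg_setup` or `pkg_preinst` with `enewuser foldingathome -1 -1 /opt/foldingathome` (shell `-1` gives `/bin/false`) and a dedicated group via `enewgroup` instead of reusing `nobody`, and set ownership on the image with `fowners`. Separately, handing the entire install directory, binary included, to the unprivileged account means the client, which per the report fetches and executes code from the network, can overwrite its own executable; keeping `foldingathome` root-owned and granting write access only to the working directory it needs is the least-privilege split this bug is asking for.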
Comment 1 Andreas Schwarz 2004-01-09 09:11:50 UTC
Created attachment 23487: patch for foldingathome 3.24
Comment 2 Andreas Schwarz 2004-01-09 09:12:23 UTC
Please see the attached patch.
Comment 3 Michael Garrett 2004-02-18 05:21:23 UTC
Excellent patch. Perhaps the process should also be chrooted? It would also be nice to automatically set up the client.cfg file to have the Gentoo group as default.
Comment 4 Andreas Schwarz 2004-02-29 06:20:46 UTC
Is really no one of the Gentoo people interested in this patch? If you think it's wise to have software automatically download code from the net and execute it as root, go ahead - I think it isn't, especially if there is absolutely no need for it!
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2004-03-01 05:20:37 UTC
-r1 is in CVS now, a little different from yours (don't like the sudo dependency). There are also a few other changes, please test if it works for you.

Andreas, if we thought this was no issue, we would have closed it as WONTFIX :-)