Bug 37327 - foldingathome 3.24 should not run as root
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Science Related Packages
 
Reported: 2004-01-05 12:37 UTC by Andreas Schwarz
Modified: 2011-10-30 22:39 UTC


Attachments
patch for foldingathome 3.24 (foldingathome-noroot.patch,1.04 KB, patch)
2004-01-09 09:11 UTC, Andreas Schwarz

Description Andreas Schwarz 2004-01-05 12:37:06 UTC
It makes no sense that the foldingathome client is run as root. Patch attached.

Reproducible: Always

Actual Results:  
foldingathome runs as root

Expected Results:  
foldingathome should not run as root

--- folding-init.d.old  2004-01-05 21:32:36.000000000 +0100
+++ folding-init.d      2004-01-05 21:34:32.000000000 +0100
@@ -7,7 +7,7 @@
 
        ebegin "Starting Folding@home"
        cd /opt/foldingathome
-       nice -n 19 ./foldingathome >&/dev/null&
+       nice -n 19 sudo -u foldingathome ./foldingathome >&/dev/null&
        eend $?
 }
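Review bot: On the changed `nice -n 19 sudo -u foldingathome ./foldingathome >&/dev/null&` line, the command is still backgrounded with all output discarded, so the `eend $?` that follows only reports that the shell started the job, not that the switch to the unprivileged user worked. If the `foldingathome` account is missing or sudo refuses the call, the service looks started and the error is lost. The line also makes the init script depend on sudo being installed and usable non-interactively by root. Suggest starting the client through start-stop-daemon with `--chuid foldingathome` (plus `--background` and `--nicelevel 19`), which drops privileges without the sudo dependency, and checking that the account exists before reporting success.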

--- foldingathome-3.24.ebuild.old       2004-01-05 21:31:22.000000000 +0100
+++ foldingathome-3.24.ebuild   2004-01-05 21:32:23.000000000 +0100
@@ -30,6 +30,8 @@
 src_install() {
        exeinto ${I} ; doexe foldingathome
        exeinto /etc/init.d ; newexe ${FILESDIR}/folding-init.d foldingathome
+       adduser foldingathome
+       chown -R foldingathome:nobody /opt/foldingathome
 }
 
 pkg_postinst() {
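Review bot: Both lines added to `src_install()` act on the live system instead of the install image. `adduser foldingathome` creates the account on the build host during the install phase, so a machine that installs a prebuilt binary package never gets the user, and `chown -R foldingathome:nobody /opt/foldingathome` targets the real `/opt/foldingathome` rather than the files just staged under `${D}`, a path that may not exist yet on a first install. Neither command has its exit status checked, so a failure leaves the init script pointing at an account or ownership that was never set up. Suggest creating the account with the `enewuser` helper in a pkg_ phase, with no login shell and a dedicated group instead of `nobody`, applying the ownership to the image path or in `pkg_postinst`, and adding `|| die` to each step.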
Comment 1 Andreas Schwarz 2004-01-09 09:11:50 UTC
Created attachment 23487
patch for foldingathome 3.24
Comment 2 Andreas Schwarz 2004-01-09 09:12:23 UTC
Please see the attached patch.
Comment 3 Michael Garrett 2004-02-18 05:21:23 UTC
Excellent patch. Perhaps the process should also be chrooted? It would also be nice to automatically set up the client.cfg file to have the Gentoo group as default.
Comment 4 Andreas Schwarz 2004-02-29 06:20:46 UTC
Is really no one of the Gentoo people interested in this patch? If you think it's wise to have a software automatically download code from the net and execute it as root, go ahead - I think it isn't, especially if there is absolutely no need for it!
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2004-03-01 05:20:37 UTC
-r1 is in CVS now, a little different from yours (don't like the sudo dependency). There are also a few other changes, please test if it works for you.

Andreas, if we thought this was no issue, we would have closed it as WONTFIX :-)