Bug 30701 - setiathome port misuses the 'nobody' user
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2001-09-21 03:50 UTC by Crist J. Clark
Modified: 2003-04-09 06:09 UTC
Description Crist J. Clark 2001-09-21 03:50:00 UTC
	As a default, the SETI@Home port uses the user 'nobody' to run
the setiathome application. This is not the proper usage of the
'nobody' account and is a security problem.

	The 'nobody' user was added as the account root is mapped to
when sharing NFS mounts. The intention is to have a user who can
access all files on a filesystem as the world can. That is, NO FILES
SHOULD EVER BE OWNED OR GROUPED TO 'nobody.' Doing so breaks this
security feature of NFS.

	Running setiathome creates a number of files in
/var/db/setiathome owned by 'nobody.' This is a violation of the NFS
security model.

Fix: 

The default port install should not use 'nobody.' The best way
to go is to add a dedicated user to run setiathome or ask if it should
use an existing user, IMHO. Of course, the user should be prompted
asking whether he wishes to add a user to the system. I can help with
patches to the install process if the maintainer wants a hand fixing
this.

How-To-Repeat:

Examine /usr/ports/astro/setiathome/files/setiathome.sh. It
contains the line,

  seti_user=nobody                        # user id to run as
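
An added example, not part of the original report or of the port: a POSIX sh audit for the two conditions the report describes, files owned by or grouped to the NFS-mapped account and a start script whose effective seti_user is still 'nobody'. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the port.

# Print every path under DIR ($3) owned by UID ($1) or grouped to GID ($2).
owned_by_ids() {
    find "$3" -xdev \( -uid "$1" -o -gid "$2" \) -print
}

# Same check by account name, e.g.: owned_by_account nobody /var/db/setiathome
owned_by_account() {
    _uid=$(id -u "$1") && _gid=$(id -g "$1") || return 2
    owned_by_ids "$_uid" "$_gid" "$2"
}

# Print the seti_user in effect when the given files are read in order.
# Commented-out assignments are ignored; the last active assignment wins.
effective_seti_user() {
    awk '/^[ \t]*seti_user=/ {
             sub(/^[ \t]*seti_user=/, "")
             sub(/[ \t]*#.*$/, "")
             sub(/[ \t]+$/, "")
             user = $0
         }
         END { if (user != "") print user }' "$@"
}

# Constructed sample: the script default quoted in the report, plus a
# configuration file in which the override is still commented out.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/seti-audit.XXXXXX")
printf 'seti_user=nobody                        # user id to run as\n' \
    > "$demo_dir/setiathome.sh"
printf '# seti_user=setiathome\t\t\t# user id to run as\n' \
    > "$demo_dir/rc.setiathome.conf"

demo_user=$(effective_seti_user "$demo_dir/setiathome.sh" \
                                "$demo_dir/rc.setiathome.conf")
echo "effective seti_user: $demo_user"
if [ "$demo_user" = nobody ]; then
    echo "WARNING: daemon would run as the NFS-mapped account"
fi

# The current account stands in for 'nobody' so the sample runs unprivileged.
owned_by_ids "$(id -u)" "$(id -g)" "$demo_dir" | sed 's/^/owned: /'
```

On a real host the ownership check would be `owned_by_account nobody /var/db/setiathome`, and any output means the working directory still needs to be handed to a dedicated account.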
Comment 1 Cyrille Lefevre 2003-02-13 01:52:35 UTC
Hope this fills your needs.

Index: pkg-install
===================================================================
RCS file: /home/ncvs/ports/astro/setiathome/pkg-install,v
retrieving revision 1.9
diff -u -r1.9 pkg-install
--- pkg-install	28 Jul 2002 22:13:45 -0000	1.9
+++ pkg-install	13 Feb 2003 01:45:51 -0000
@@ -14,7 +14,7 @@
 
 # override these variables in ${PREFIX}/etc/rc.setiathome.conf
 seti_wrkdir=/var/db/${PKG_NAME}		# working directory
-seti_user=nobody			# user id to run under
+seti_user=setiathome			# user id to run under
 seti_maxprocs=$(sysctl -n hw.ncpu)	# max. number of processes to start
 
 rcconf_dir=${PKG_PREFIX}/etc
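Review bot: The new default `seti_user=setiathome` in pkg-install has no matching `seti_group`, although the files/setiathome.sh part of this patch adds `seti_group=${seti_user}` and chowns the working directory to `${seti_user}:${seti_group}`. Add `seti_group=${seti_user}` below this line, or keep the three copies of these defaults (pkg-install, rc.setiathome.conf, setiathome.sh) in one place so they cannot drift apart.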
@@ -126,6 +126,9 @@
 echo "      to do so, but think about it twince before."
 	else
 echo "****  SETI@home working directory and temporary files removed."
+	fi
+	if pw usershow "${seti_user}" 2>/dev/null 1>&2; then
+echo "To permanently delete SETI@home user, use 'pw userdel ${seti_user}'"
 	fi
 	;;
 
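Review bot: The deinstall hint `pw userdel ${seti_user}` is printed for any account that exists, but setiathome.sh in this same patch deliberately reuses a pre-existing account ("You already have a user ... so I will use it"), so with an overridden seti_user this message suggests deleting an account the port did not create. Print the hint only when the name is the port's own default, or word it so it clearly applies only to an account that was created for SETI@home.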
Index: files/rc.setiathome.conf
===================================================================
RCS file: /home/ncvs/ports/astro/setiathome/files/rc.setiathome.conf,v
retrieving revision 1.4
diff -u -r1.4 rc.setiathome.conf
--- files/rc.setiathome.conf	28 Jul 2002 22:13:45 -0000	1.4
+++ files/rc.setiathome.conf	13 Feb 2003 01:13:55 -0000
@@ -7,6 +7,7 @@
 # seti_std_args=-email			# command arguments for standard mode
 # seti_reg_args=-login			# command arguments for register mode
 # seti_proxy_args=			# proxy arguments
-# seti_user=nobody			# user id to run as
+# seti_user=setiathome			# user id to run as
+# seti_group=${seti_user}		# group id to run as
 # seti_nice=15				# nice level to run at
 # seti_maxprocs=$(sysctl -n hw.ncpu)	# max. number of processes to start
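Review bot: The sample line `# seti_group=${seti_user}` reads as if the group follows the user, but in setiathome.sh the default `seti_group=${seti_user}` is expanded where it is assigned, before PREFIX is determined and so before this file can be read. An admin who uncomments only `seti_user` therefore gets the new user paired with group setiathome. State in the comment that both lines must be set together, or have the script derive seti_group after the configuration file has been read.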
Index: files/setiathome.sh
===================================================================
RCS file: /home/ncvs/ports/astro/setiathome/files/setiathome.sh,v
retrieving revision 1.9
diff -u -r1.9 setiathome.sh
--- files/setiathome.sh	28 Jul 2002 22:13:45 -0000	1.9
+++ files/setiathome.sh	13 Feb 2003 01:47:51 -0000
@@ -5,7 +5,12 @@
 # Start or stop SETI@home, or set up working directory and register.
 #
 
+case $0 in
+/*) rc_dir=${0%/*} ;;
+ *) rc_dir=${PWD:-$(pwd)} ;;
+esac
 rc_file=${0##*/}
+rc_path=${rc_dir}/${rc_file}
 rc_arg=$1
 
 # override these variables in ${PREFIX}/etc/rc.setiathome.conf
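Review bot: In the `*)` branch, `rc_dir=${PWD:-$(pwd)}` discards any directory part of a relative `$0`, so a call such as `rc.d/setiathome.sh` or `../../x/etc/rc.d/setiathome.sh` builds an rc_path under the caller's working directory rather than where the script lives. Since PREFIX and the configuration file location are derived from rc_path, the result depends on the caller's cwd. Resolve the directory from `$0` itself, for example `rc_dir=$(cd "$(dirname "$0")" && pwd)`, and quote `$0` in the `case`.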
@@ -13,11 +18,12 @@
 seti_std_args=-email			# command arguments for standard mode
 seti_reg_args=-login			# command arguments for register mode
 seti_proxy_args=			# proxy arguments
-seti_user=nobody			# user id to run as
+seti_user=setiathome			# user id to run as
+seti_group=${seti_user}			# group id to run as
 seti_nice=15				# nice level to run at
 seti_maxprocs=$(sysctl -n hw.ncpu)	# max. number of processes to start
 
-if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/${rc_file}\$"); then
+if ! PREFIX=$(expr ${rc_path} : "\(/.*\)/etc/rc\.d/${rc_file}\$"); then
 	echo "${rc_file}: Cannot determine PREFIX." >&2
 	echo "Please use the complete pathname." >&2
 	exit 64
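Review bot: `expr ${rc_path} : ...` passes rc_path unquoted, and rc_path is now built from `$PWD`, so a working directory containing whitespace or glob characters is split or expanded before expr sees it. Use `expr "${rc_path}" : ...`; the same quoting applies to the later uses of `${seti_user}`, `${seti_group}` and `${seti_wrkdir}` that this patch introduces.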
@@ -102,10 +108,39 @@
 			"unable to register: ${program_path} is missing." >&2
 		exit 72
 	fi
+	if pw group show "${seti_group}" 2>/dev/null; then
+		echo "You already have a group \"${seti_group}\"," \
+		     "so I will use it."
+	elif pw groupadd ${seti_group} -h -; then
+		echo "Added group \"${seti_group}\"."
+	else
+		echo "Adding group \"${seti_group}\" failed..."
+		echo "Please create it, and try again."
+		exit 1
+	fi
+	if pw user show "${seti_user}" 2>/dev/null; then
+		echo "You already have a user \"${seti_user}\"," \
+		     "so I will use it."
+		if pw usermod ${seti_user} -d ${seti_wrkdir}; then
+			echo "Changed home directory of \"${seti_user}\"" \
+			     "to \"${seti_wrkdir}\""
+		else
+			echo "Changing home directory of \"${seti_user}\"" \
+			     "to \"${setu_wrkdir}\" failed..."
+			exit 1
+		fi
+	elif pw useradd ${seti_user} -g ${seti_group} -h - \
+		-d ${seti_wrkdir} -s /sbin/nologin -c "SETI at home Daemon"; then
+		echo "Added user \"${seti_user}\"."
+	else
+		echo "Adding user \"${seti_user}\" failed..."
+		echo "Please create it, and try again."
+		exit 1
+	fi
 	# Create or update primary working directory (in case the uid changed)
-	mkdir -p ${seti_wrkdir}
-	chown ${seti_user} ${seti_wrkdir}
-	chmod u=Xrw,g=Xr,o=Xr ${seti_wrkdir}
+	mkdir -p ${seti_wrkdir} || exit
+	chown -Rh ${seti_user}:${seti_group} ${seti_wrkdir} || exit
+	chmod u=Xrw,g=Xr,o=Xr ${seti_wrkdir} || exit
 	seti_dontlogin=no
 	if [ -f ${seti_wrkdir}/user_info.sah ]; then
 		echo    "      It seems you have already registered with" \
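Review bot: In the existing-user branch, `pw usermod ${seti_user} -d ${seti_wrkdir}` rewrites the home directory of whatever account seti_user names, so an admin who points seti_user at an existing login has that account's home moved to the SETI@home working directory without being asked, and `chown -Rh` then hands the whole tree to it. Skip the usermod for accounts the script did not create, or prompt before changing them. Two smaller items in the same hunk: the failure message expands `${setu_wrkdir}` (a typo for seti_wrkdir, so the path prints empty), and `pw group show` / `pw user show` redirect only stderr, so the matching records are printed to the terminal; redirect stdout as well, as the pkg-install hunk does with `2>/dev/null 1>&2`.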

Cyrille.
-- 
Cyrille Lefevre                 mailto:cyrille.lefevre@laposte.net
Comment 2 Cyrille Lefevre 2003-02-13 02:47:52 UTC
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/astro/setiathome/Makefile,v
retrieving revision 1.33
diff -u -r1.33 Makefile
--- Makefile	28 Dec 2002 01:40:54 -0000	1.33
+++ Makefile	13 Feb 2003 02:39:22 -0000
@@ -6,7 +6,7 @@
 
 PORTNAME=	setiathome
 PORTVERSION?=	3.03
-PORTREVISION?=	5
+PORTREVISION?=	6
 CATEGORIES?=	astro
 MASTER_SITES=	ftp://ftp.cdrom.com/pub/setiathome/ \
 		ftp://alien.ssl.berkeley.edu/pub/
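Review bot: The PORTREVISION bump from 5 to 6 is the only Makefile change, so an upgrade switches the default account from nobody to setiathome with no install-time notice. Because the account and the ownership change are only applied in the setiathome.sh setup code from the previous comment (next to the "unable to register" check), add a pkg-message or install note telling existing users to rerun that step so the files in the working directory stop being owned by nobody.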

Cyrille.
-- 
Cyrille Lefevre                 mailto:cyrille.lefevre@laposte.net
Comment 3 Crist J. Clark freebsd_committer freebsd_triage 2003-04-09 06:07:56 UTC
State Changed
From-To: open->closed

Just committed maintainer provided patches to switch to a "setiathome" 
user. See PR 50739.