As a default, the SETI@Home port uses the user 'nobody' to run the setiathome application. This is not the proper usage of the 'nobody' account and is a security problem. The 'nobody' user was added as the account root is mapped to when sharing NFS mounts. The intention is to have a user who can access all files on a filesystem as the world can. That is, NO FILES SHOULD EVER BE OWNED OR GROUPED TO 'nobody.' Doing so breaks this security feature of NFS. Running setiathome creates a number of files in /var/db/setiathome owned by 'nobody.' This is a violation of the NFS security model.

Fix: The default port install should not use 'nobody.' The best way to go is to add a dedicated user to run setiathome or ask if it should use an existing user, IMHO. Of course, the user should be prompted asking whether he wishes to add a user to the system. I can help with patches to the install process if the maintainer wants a hand fixing this.

How-To-Repeat: Examine /usr/ports/astro/setiathome/files/setiathome.sh. It contains the line:

seti_user=nobody # user id to run as
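As an added example (not code from the port or from this PR), a POSIX sh audit that encodes the rule the report states: a daemon's run-as account must be a dedicated user rather than 'nobody' or root, it must exist, and nothing under its working directory may be owned by anyone else. The function names, return codes and the sample invocation are my own assumptions; the values setiathome and /var/db/setiathome are the port's defaults quoted above.

```shell
#!/bin/sh
# Added example (not part of the port or the PR): audit the account a
# daemon such as setiathome runs as.  'nobody' is the NFS root-squash
# identity and must never own service files; root is never acceptable.

# forbidden_account USER -> 0 if USER must never own service files
forbidden_account() {
    case $1 in
        ''|nobody|root) return 0 ;;
        *) return 1 ;;
    esac
}

# stray_files USER DIR -> lists DIR and its contents not owned by USER
stray_files() {
    find "$2" ! -user "$1" 2>/dev/null
}

# check_run_as_user USER DIR
# exit status: 0 ok, 1 forbidden account (or uid 0), 2 no such user,
#              3 DIR contains entries not owned by USER, 4 DIR missing
check_run_as_user() {
    user=$1 dir=$2
    if forbidden_account "$user"; then
        echo "refusing to run as '${user:-<empty>}': use a dedicated account" >&2
        return 1
    fi
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "user '$user' does not exist; create it before starting" >&2
        return 2
    fi
    if [ "$(id -u "$user")" -eq 0 ]; then
        echo "'$user' is uid 0; a daemon should not run as root" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "working directory '$dir' does not exist" >&2
        return 4
    fi
    n=$(stray_files "$user" "$dir" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n entries under $dir are not owned by '$user':" >&2
        stray_files "$user" "$dir" >&2
        return 3
    fi
    return 0
}
```

For the port's defaults the call is `check_run_as_user setiathome /var/db/setiathome`; with the unpatched `seti_user=nobody` it fails immediately with status 1.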
hope this fill your needs. Index: pkg-install =================================================================== RCS file: /home/ncvs/ports/astro/setiathome/pkg-install,v retrieving revision 1.9 diff -u -r1.9 pkg-install --- pkg-install 28 Jul 2002 22:13:45 -0000 1.9 +++ pkg-install 13 Feb 2003 01:45:51 -0000 @@ -14,7 +14,7 @@ # override these variables in ${PREFIX}/etc/rc.setiathome.conf seti_wrkdir=/var/db/${PKG_NAME} # working directory -seti_user=nobody # user id to run under +seti_user=setiathome # user id to run under seti_maxprocs=$(sysctl -n hw.ncpu) # max. number of processes to start rcconf_dir=${PKG_PREFIX}/etc @@ -126,6 +126,9 @@ echo " to do so, but think about it twince before." else echo "**** SETI@home working directory and temporary files removed." + fi + if pw usershow "${seti_user}" 2>/dev/null 1>&2; then +echo "To permanently delete SETI@home user, use 'pw userdel ${seti_user}'" fi ;; Index: files/rc.setiathome.conf =================================================================== RCS file: /home/ncvs/ports/astro/setiathome/files/rc.setiathome.conf,v retrieving revision 1.4 diff -u -r1.4 rc.setiathome.conf --- files/rc.setiathome.conf 28 Jul 2002 22:13:45 -0000 1.4 +++ files/rc.setiathome.conf 13 Feb 2003 01:13:55 -0000 @@ -7,6 +7,7 @@ # seti_std_args=-email # command arguments for standard mode # seti_reg_args=-login # command arguments for register mode # seti_proxy_args= # proxy arguments -# seti_user=nobody # user id to run as +# seti_user=setiathome # user id to run as +# seti_group=${seti_user} # group id to run as # seti_nice=15 # nice level to run at # seti_maxprocs=$(sysctl -n hw.ncpu) # max. number of processes to start Index: files/setiathome.sh =================================================================== RCS file: /home/ncvs/ports/astro/setiathome/files/setiathome.sh,v retrieving revision 1.9 diff -u -r1.9 setiathome.sh --- files/setiathome.sh 28 Jul 2002 22:13:45 -0000 1.9 +++ files/setiathome.sh 13 Feb 2003 01:47:51 -0000 
@@ -5,7 +5,12 @@ # Start or stop SETI@home, or set up working directory and register. # +case $0 in +/*) rc_dir=${0%/*} ;; + *) rc_dir=${PWD:-$(pwd)} ;; +esac rc_file=${0##*/} +rc_path=${rc_dir}/${rc_file} rc_arg=$1 # override these variables in ${PREFIX}/etc/rc.setiathome.conf @@ -13,11 +18,12 @@ seti_std_args=-email # command arguments for standard mode seti_reg_args=-login # command arguments for register mode seti_proxy_args= # proxy arguments -seti_user=nobody # user id to run as +seti_user=setiathome # user id to run as +seti_group=${seti_user} # group id to run as seti_nice=15 # nice level to run at seti_maxprocs=$(sysctl -n hw.ncpu) # max. number of processes to start -if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/${rc_file}\$"); then +if ! PREFIX=$(expr ${rc_path} : "\(/.*\)/etc/rc\.d/${rc_file}\$"); then echo "${rc_file}: Cannot determine PREFIX." >&2 echo "Please use the complete pathname." >&2 exit 64 
@@ -102,10 +108,39 @@ "unable to register: ${program_path} is missing." >&2 exit 72 fi + if pw group show "${seti_group}" 2>/dev/null; then + echo "You already have a group \"${seti_group}\"," \ + "so I will use it." + elif pw groupadd ${seti_group} -h -; then + echo "Added group \"${seti_group}\"." + else + echo "Adding group \"${seti_group}\" failed..." + echo "Please create it, and try again." + exit 1 + fi + if pw user show "${seti_user}" 2>/dev/null; then + echo "You already have a user \"${seti_user}\"," \ + "so I will use it." + if pw usermod ${seti_user} -d ${seti_wrkdir}; then + echo "Changed home directory of \"${seti_user}\"" \ + "to \"${seti_wrkdir}\"" + else + echo "Changing home directory of \"${seti_user}\"" \ + "to \"${setu_wrkdir}\" failed..." + exit 1 + fi + elif pw useradd ${seti_user} -g ${seti_group} -h - \ + -d ${seti_wrkdir} -s /sbin/nologin -c "SETI at home Daemon"; then + echo "Added user \"${seti_user}\"." + else + echo "Adding user \"${seti_user}\" failed..." + echo "Please create it, and try again." + exit 1 + fi # Create or update primary working directory (in case the uid changed) - mkdir -p ${seti_wrkdir} - chown ${seti_user} ${seti_wrkdir} - chmod u=Xrw,g=Xr,o=Xr ${seti_wrkdir} + mkdir -p ${seti_wrkdir} || exit + chown -Rh ${seti_user}:${seti_group} ${seti_wrkdir} || exit + chmod u=Xrw,g=Xr,o=Xr ${seti_wrkdir} || exit seti_dontlogin=no if [ -f ${seti_wrkdir}/user_info.sah ]; then echo " It seems you have already registered with" \ Cyrille. -- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net
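Review bot: the removal hint added in the pkg-install @@ -126,6 hunk covers only the user (`pw userdel ${seti_user}`), while the register step in setiathome.sh now also creates the group `${seti_group}`; suggest printing a matching `pw groupdel ${seti_group}` hint so that cleanup does not leave an orphan group behind. Minor: the added `echo "To permanently delete ..."` line is not indented under its `if`.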
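Review bot: in the setiathome.sh @@ -5,7 hunk the `case $0` handles an absolute `$0` and a bare name, but a relative path with directory components (for example `etc/rc.d/setiathome.sh` run from `${PREFIX}`) falls into the `*)` branch, so `rc_path` becomes `$PWD/setiathome.sh` with the intermediate directories dropped, and the `expr ${rc_path} : "\(/.*\)/etc/rc\.d/${rc_file}\$"` match in the next hunk then fails with "Cannot determine PREFIX" even though the path was resolvable. Suggest a third case before `*)`, e.g. `*/*) rc_dir=${PWD:-$(pwd)}/${0%/*} ;;`.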
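Review bot: in the setiathome.sh @@ -13,11 hunk, `seti_group=${seti_user}` is expanded when the defaults are assigned, which happens before PREFIX is computed and therefore before `${PREFIX}/etc/rc.setiathome.conf` can be read; an administrator who overrides only `seti_user` in that file still gets the group `setiathome`, and the later `chown ${seti_user}:${seti_group}` mixes the two. Suggest defaulting the group after the configuration file is sourced (`seti_group=${seti_group:-${seti_user}}`), or documenting in rc.setiathome.conf that both variables must be set together.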
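Review bot: in the setiathome.sh @@ -102,10 hunk, when `${seti_user}` already exists the script unconditionally rewrites that account's home directory with `pw usermod ${seti_user} -d ${seti_wrkdir}` and then runs `chown -Rh` over the working directory, so pointing `seti_user` at an existing account (the option the PR asks for) silently modifies it; suggest leaving an existing account's home directory alone, or prompting first as the PR proposes. Two smaller points in the same hunk: the `pw usermod` failure message expands `${setu_wrkdir}` (typo for `${seti_wrkdir}`), so it prints an empty path; and `pw group show` / `pw user show` discard only stderr, so the matching passwd and group entries are echoed to the terminal, unlike the `2>/dev/null 1>&2` used in pkg-install.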
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/astro/setiathome/Makefile,v retrieving revision 1.33 diff -u -r1.33 Makefile --- Makefile 28 Dec 2002 01:40:54 -0000 1.33 +++ Makefile 13 Feb 2003 02:39:22 -0000 @@ -6,7 +6,7 @@ PORTNAME= setiathome PORTVERSION?= 3.03 -PORTREVISION?= 5 +PORTREVISION?= 6 CATEGORIES?= astro MASTER_SITES= ftp://ftp.cdrom.com/pub/setiathome/ \ ftp://alien.ssl.berkeley.edu/pub/ Cyrille. -- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net
State Changed From-To: open->closed

Just committed maintainer-provided patches to switch to a "setiathome" user. See PR 50739.