Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes
Message board moderation
Author | Message |
---|---|
Send message Joined: 29 Aug 05 Posts: 15563 |
Charlie Fenton, Macintosh BOINC developer wrote: I've found another issue with Mac OS 10.6 Snow leopard that has necessitated additional changes in BOINC. I would appreciate feedback if anyone sees these changes as a problem. |
Send message Joined: 5 Sep 09 Posts: 9 |
>I suspect that relatively few Macs are set up with any non-admin users. Bad assumption. I advise all my clients to do just that as the single greatest way of dealing with malware attacks. So, you ought to deal with it, instead of rationalizing it away. > Of course, if the user running the Manager is a member of group boinc_master, then the setgid is not needed because the Manager would have permission to access the files anyway. You ought to call Apple support and ask how that is done on Snow Leopard. You will be surprised that it is either not possible or no one there knows. I suggest you modify your installation script, scan for all the users, display the list, ask the installer to select which users are included in group boinc_master. |
Send message Joined: 5 Sep 09 Posts: 9 |
I have a fix for group membership in boinc_master, to allow non administrator users access to BOINC's use of system space for data (A real Unix no no.). This will prevent BOINC from asking for the administrator's account name and password, each time the user attempts to start up BOINC. Note: Your user's short name is the name under /users/<short name>. CR = 'return key' 1) Logon as administrator 2) Open a "terminal" window, found in applications. 3) type "sudo dscl . -append /Groups/boinc_master GroupMembership <your user's short name> CR" 4) Respond to password prompt with administrator's password. 5) type "exit CR" 6) Exit terminal from the terminal menu bar at top of desktop. The next time you logon as <user> the BOINC prompt will not appear. |
Send message Joined: 17 Jul 06 Posts: 287 |
I use the following: "sudo dscl . -merge /groups/boinc_master users I'm not sure which is better. I don't understand what you mean about "BOINC's use of system space for data." The BOINC Data is stored in /Library/Application Data/ which is the location Apple recommends for application data which is to be shared by all users on a single Mac. Each user's personal settings for the Manager (column widths, Advanced View vs Simple View, etc.) are stored in that user's Preferences folder. Charlie Fenton BOINC / SETI@home Macintosh & Windows Programmer |
Send message Joined: 5 Sep 09 Posts: 9 |
In Unix any directory other than /Users/.... is reserved for root, the Unix kernal, or administrative functions. If any application is running, it should be running under some user. Therefore, data generated by that application would be stored, where it has permissions, under /Users/.... This conforms with Apple's development guidelines as well. The idea that any user, regardless of permissions level, should be allowed to alter, over write, or generally mutilate a file or directory reserved for the O.S. is a Microsoft invention and a PC mentality. It is by Bill Gates has brought such havoc on the personal computing by opening the door for any malware that happens along, to destroy anything the "user" is allowed to touch. |
Send message Joined: 5 Sep 09 Posts: 9 |
Now you have me stewing about the problem. Obviously, Snow Leopard took away 'setuid' to prevent violations of system space by rogue applications. So perhaps this might be a structural work around/change for future releases: The Boinc installer should create a user called "boinc_master". Everything, except preferences that relate to how a particular user wants the engine to present itself on screen, resides under /users/boinc_master/library/application_support/boinc/data_blah_blah. Except screen saver objects, which I believe Apple has a special place for in system space. The application has execute permissions for everyone. Administration (use 'getuid' to see who "me" is) (all admin accounts?) are automatically added to group "boinc_master" during installation. The account list is scanned for non administrative accounts. A file selection menu is presented during installation, asking for those accounts to be added to group "boinc_master". The phrasing would be; "Which account/users are authorized to run BOINC?". As a last resort, code ought to be added to the applications, on start up, to check if the present user (getuid I think), is a member of group "boinc_master". If not, a dialog appears, requiring admin's name/password to add the present user to the group. This may or may not work, because I noticed that I required the "sudo" command to add myself, even when logged on as Administrator, indicating that only root had the authority to edit the group file. |
Send message Joined: 17 Jul 06 Posts: 287 |
Thank you for your suggestions. I advise all my clients to do just that as the single greatest way of dealing with malware attacks.This puzzles me a bit. If I understand, you are saying that you advise Mac users to always run as a user without administrator privileges. Could you explain how this prevents or nullifies malware attacks? Charlie Fenton BOINC / SETI@home Macintosh & Windows Programmer |
Send message Joined: 11 Sep 09 Posts: 2 |
I'm interested in this thread as I also want to move my DOINC Data directory. My boot drive is a solid state disk so I minimize applications that make continuous writes to it. This is due to the nature of how SSDs work and the impact that built-in wear leveling has on disk performance after a period of time. I find no way to set the data directory. I created a link for the BOINC Data directory to point to a regular hard disk and BOInc won't start. I couldn't find a configuration file that permitted manual editing of the data path. Is there a resonable solution to moving the data directory? Thanks, Curry |
Send message Joined: 29 Aug 05 Posts: 15563 |
|
Send message Joined: 11 Sep 09 Posts: 2 |
Thanks. That ended up doing the trick. Somehow I missed that in my search through the forum. Curry |
Send message Joined: 5 Sep 09 Posts: 9 |
Malware attacks: Generally, they come in two forms. A rogue application is embedded in a web site or in email. The unsuspecting user opens/executes the program. Off it goes, identified as "user" with "user's" permissions, destroying whatever it can touch. Or, malware sneaks in through network administration. Network admin is a black art and I don't have a lot to offer there. On Windows PC's, there is no real differentiation between users, the system, files on the disk, or permissions to destroy just about anything. So, regardless of how malware gets on board, it can pretty much run amok. Mac OS is built on top of Unix. Unix, although not the best OS in the world, has a far superior notion of permissions and segregation of System space and User space on the disk. There are 3 levels. User, Groups that User belongs to, and Everyone. Root, or administrator, can go anywhere. But administrator is not really 'root' on Mac OS. If you take away a user/account's administrative abilities, you limit where that user may read/write to. On a Mac that is generally Mac HD/Users/<user>/.... Let's say a user gets infected (So far no one has tried because it is very difficult) with a virus, because they went to a web site or opened email. That malware has User's permissions. That means it can only read/write to the directory structure under /Users/<user>/ and nowhere else. If User protects their personal data, via something like a USB thin drive, then after an attack, that can easily be replaced. But that is not the end of it. The Malware can not install itself anywhere but under /Users/<user>, without invoking the Mac OS protection dialog asking for the name of the administrator and password. The User is immediately alerted to an attack. Neither can malware be added to the account start up list, even if saved under /Users/<user>, because the administrator controls accounts. So, to be as safe as possible, I recommend to my clients that they have a separate Administrator account that they use to install programs, do admin, etc. Then any use of the computer to connect regularly to the outside world, such as browsing, email, or interactive applications should be operated under a new account, <their name>, with administrator privileges removed. That actually would be the account that was automatically created when a person first fired up their Mac and was interviewed by the start up script. So, Administrator must be created, via system preferences->accounts. Then one logs on as Administrator, opens accounts, opens <themselves>, and unchecks the 'admin privileges' box. Done. While we are here, passwords. Most experts recommend separate passwords for different accounts. I realize we are all human and have limited memory, so I recommend one uncrackable super password for the important things, and whatever for everything else. So, use the same password for both User and Administrator. I suggest something you will never forget, but is not associated with you in any way on any document. For example a dead pet. I recommend upper/lower case letters and numbers. I would recommend special characters, but you will find most IT people are neanderthals and will not allow that. I.E. "mYluv4sQueEky" is pretty much uncrackable. |
Send message Joined: 12 Sep 09 Posts: 4 |
Nooooo!! Great. I just upgraded to Snow Leopard and now BOINC really doesn't work properly anymore. I'm a non-admin user. I only use my admin user for things that require admin rights, such as installing software or updating the OS. I thought that was what was recommended? So BOINC isn't going to work easily this way anymore? I'm not about to start running as admin and I'm not about to let it be daemon and be unsuspendable. :-( Oh, BTW, BOINC *used* to run as 64-bit app on Leopard. On Snow Leopard, it's running as 32-bit. Go figure! |
Send message Joined: 25 Nov 05 Posts: 1654 |
So BOINC isn't going to work easily this way anymore? This problem is "a work in progress". Please stay tuned for the next exiting instalment. Speaking of instalments, Caden, did you read the first post here, or any of the other threads about Snow Leopard? Charlie has apparently 'fixed' the problem in the latest version, which I think is still alpha. This thread has been diverted to discussing the correct way to provide the best security on Macs. |
Send message Joined: 29 Aug 05 Posts: 15563 |
After you upgraded to Snow Leopard, you will have to reinstall BOINC. |
Send message Joined: 5 Sep 09 Posts: 9 |
Look above to the previous posts. I give a work around to stop the dialog asking for permissions from administrator every time <user> tries to launch BOINC. Plus, I used to use it as a screen saver too. Through BOINC preferences, as user, you can tell it to run only when the machine is idle. You can set screen saver to "none". It will run in the back ground while you are not there. But, for now, you won't see any evidence of progress until you look at the log. The admin for BOINC promises a screen saver version soon. It seems to be in alpha mode right now. |
Send message Joined: 12 Sep 09 Posts: 4 |
[quote]Charlie has apparently 'fixed' the problem in the latest version, which I think is still alpha. I probably misread the first post. I thought he was saying he was fixing the problem in a way that would really only work for folks running as admin on Macs, UNLESS folks like me (who insist on running non-admin for daily use) wanted to run it as a daemon service, which I don't want to do (I think of BOINC as an App that I can control). Anyway, I'll follow this and see what happens. |
Send message Joined: 17 Jul 06 Posts: 287 |
You can easily enable it for non-admin users, as described in message 27105 and message 27188. Charlie Fenton BOINC / SETI@home Macintosh & Windows Programmer |
Send message Joined: 22 Sep 09 Posts: 1 |
If you're installing to /Library anyway, I assume you require the admin user & password to install the thing... So only people who know the admin username and password can install BOINC anyway. Kinda sucks for the others, but them's the breaks. They're not supposed to install stuff willy-nilly anyway. So, if you are installing as admin, though, you could create the boinc_master group at install time, scan for the list of users and display them, with checkboxes (and a select all & deselect all option), so that they could be added to that group. Those that get added will be able to run it without setgid and still control it. If anyone who can't asks for it, it is a simple task to add them to the group. Or have I missed the point (it wouldn't be the first time, and won't be the last time!). G> |
Send message Joined: 5 Sep 09 Posts: 9 |
To MrBungleBear, I covered the concept in 27252. MeinSanJose |
Send message Joined: 17 Jul 06 Posts: 287 |
With newer versions of BOINC, these commands will no longer do the trick. I've created a new AddRemove Usercommand-line utility just for this purpose. You can find it here. Be sure to give it your user's short name. Charlie Fenton BOINC / SETI@home Macintosh & Windows Programmer |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.