Linux install script: safety upgrade - Githubissues

BOINC / boinc

Open-source software for volunteer computing and grid computing.

https://boinc.berkeley.edu

GNU Lesser General Public License v3.0

2.03k stars 449 forks source link

Linux install script: safety upgrade #5810

Closed RichardHaselgrove closed 1 month ago

RichardHaselgrove commented 1 month ago

Describe the bug The new install script places the data directory at '/var/lib/boinc': previous repository installations have often used '/var/lib/boinc-client'.

I have now come across a project application - Quantum Chemistry at GPUGrid - which has the boinc-client version hard-coded in its cuda compile script. That's stupid, of course, but not under our direct control. The tasks fail with:

FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/boinc-client/.cupy', from https://www.gpugrid.net/results.php?hostid=625407&offset=0&show_names=0&state=5&appid=47

Suggestion Many of the distro repo versions created a folder redirect entry at '/var/lib/boinc', to catch similar errors and redirect them to boinc-client. We should do the same in reverse - catching boinc-client and redirecting it to plain boinc. I have done that on the failing machine, and it is producing valid completions now.

System Information

OS: Linux (all versions)
BOINC Version: 8.0.4+

AenBleidd commented 1 month ago

But that is a valid error: no project application should ever access any other folder except 'projects' and 'slots/N'. That is GPUGrid who violates security rules. You should redirect this error to them, and they should fix their application to not depend on any BOINC installation directory.

RichardHaselgrove commented 1 month ago

I disagree. It is good programming etiquette to anticipate potential errors, and mitigate their potential effect.

Especially when making changes to established custom and practice ...

AenBleidd commented 1 month ago

A good etiquette is to create a software that doesn't violate security, and here GPUGrid obviously failed. Why we should follow their path and violate security too?

RichardHaselgrove commented 1 month ago

So that we can contribute positively to scientific research?

AenBleidd commented 1 month ago

Ok to follow your logic: why we are running BOINC on Linux under special 'boinc' user with limited permissions if we can allow running it with sudo? That's not a good way for our users. Every project MUST create secure software and follow security guidelines.

RichardHaselgrove commented 1 month ago

Many private (non-commercial) volunteers do that already. They have to have sudo access, because they don't have the backup of a professional sysadmin service to do it for them.

AenBleidd commented 1 month ago

I am very sorry but I don't support this. The issue you reported us not an issue on our side but it uncovered a hidden issue of GPUGrid. Please report this to them. This is something they need to fix in a proper way.

AenBleidd commented 1 month ago

Just as a reference: https://www.ncsc.gov.uk/information/secure-default#

RichardHaselgrove commented 1 month ago

Well, you can see what you think of https://www.gpugrid.net/forum_thread.php?id=5428&nowrap=true#61811

Closing this conversation for now - my domestic electricity supply is about to be turned off (for an upgrade - not because I haven't paid my bill!)