Open delta1512 opened 7 years ago
Locked the root account, created sudoer rules and added a large gui_rpc_auth to the boinc data directory
How are you solving the auth file? If I am not mistaken, BOINC generates a random one on first startup. If you just include a pre-generated file in the image, then it will be the same for all installations.
@tomasbrod BOINC does generate a random auth file, however it is only done when I make the image and doesn't deviate between images that people download. This will be solved with an installer but as we have a raw, prepackaged image, it is difficult. The reason we need to do this is because an attacker can know the RPC password by simply downloading the BOINCOS image.
Off the top of my head I'm thinking of adding a systemd unit or something similar that will only run once and jumble up the auth file to something different when the OS is first booted. My current method and what I plan to do with what I just described is to simply feed a sha512 hash function with a bunch of random bits and place that in the user home and BOINC data directory.
FWIW I would not encourage the firewall, unless it is easily disabled. I already have a network firewall and really don't want to have to debug problems related to both of them causing problems.
Here's another thought: I have a custom gui_rpc_auth.cfg that I put on my clients already for remote access. Is there a way you can provide a directory accessible on the thumb drive for me to input such files as gui_rpc_auth.cfg, Acct_mgr_login.xml, etc?
@tcblack Firewall is easily disabled through fwset on the minimal spin and the current version of the standard spin does not include a firewall.
As for the USB query, I have removed the ability to mount file systems so as to completely isolate the BOINC OS system from any memory on the permanent system.
I believe the implemented permissions on the BOINC data directory are sufficient enough for importing those files. I typically use some sort of networking transfer using netcat or ftp but I understand that users may not run unix systems nor have access to a personal FTP server which is an obvious limitation to usability.
If you know of any way to allow mounting of only USB devices, your knowledge will be very much appreciated!
Current ideas that will be implemented with upcoming updates are:
- Locking the root account
- Creating strict sudo permissions that only allow for certain actions to be elevated without a password
- Possibly a firewall or boinc.service argument to prevent RPCs to the client
- Randomisation on a per-OS basis:
  - gui_rpc_auth.cfg randomisation
  - SSH keys (if key-based auth enabled)
  - Possible solution is to add a script that runs and disables itself after running at boot
- Forced password reset (consideration)
Any ideas posted here will be amended to this post and implemented in a future update.
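The first-boot randomisation discussed in this thread (a fresh gui_rpc_auth.cfg derived from random bits through SHA-512, written once and then left alone), as an added example that is not part of the original issue or the BOINC OS code. The function name `regen_rpc_auth`, the marker file `.rpc_auth_randomised` and the `/var/lib/boinc` path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: first-boot regeneration of the BOINC GUI RPC password.
# Function name, marker file name and paths are assumptions.

# regen_rpc_auth DATA_DIR HOME_DIR [OWNER]
# Replaces DATA_DIR/gui_rpc_auth.cfg with a fresh per-install secret, copies
# it to HOME_DIR, then drops a marker so later boots leave the key alone.
regen_rpc_auth() {
    data_dir=$1; home_dir=$2; owner=${3:-}
    marker="$data_dir/.rpc_auth_randomised"

    # Already randomised on an earlier boot: do nothing.
    [ -e "$marker" ] && return 0

    # 64 bytes from the kernel CSPRNG, hashed with SHA-512 as in the thread;
    # the result is 128 hex characters.
    key=$(head -c 64 /dev/urandom | sha512sum | cut -d' ' -f1)
    [ "${#key}" -eq 128 ] || return 1

    # Write under a restrictive umask to a temp file and rename it into
    # place, so the key is never world-readable or half-written.
    old_umask=$(umask); umask 077
    tmp=$(mktemp "$data_dir/gui_rpc_auth.XXXXXX") || { umask "$old_umask"; return 1; }
    printf '%s\n' "$key" > "$tmp"
    # Remove the image-baked copy first so its old file mode is not reused.
    rm -f "$home_dir/gui_rpc_auth.cfg"
    cp "$tmp" "$home_dir/gui_rpc_auth.cfg"
    mv "$tmp" "$data_dir/gui_rpc_auth.cfg"
    umask "$old_umask"

    # The client must be able to read its copy; chown needs root, so it is
    # skipped when run unprivileged.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$data_dir/gui_rpc_auth.cfg" "$home_dir/gui_rpc_auth.cfg"
    fi

    : > "$marker"
}

# Run only when called with arguments, e.g. from a oneshot systemd unit
# ordered before the BOINC client that carries
# ConditionPathExists=!/var/lib/boinc/.rpc_auth_randomised
if [ "$#" -ge 2 ]; then
    regen_rpc_auth "$@"
fi
```

The marker file makes the script a no-op after the first boot, which gives the "runs and disables itself" behaviour without editing the unit at runtime.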