Posts by meinsanjose

1) Message boards : Questions and problems : BOINC 6.10 released to the public (Message 28408)
Posted 31 Oct 2009 by meinsanjose
Post:
I have Snow Leopard, 10.6. Very professional installation this time around. I selected all users, to admin Boinc. It works as expected.

For those out there, with an Administrator account and limited user accounts, who do not want to execute Boinc as Administrator, do the very simple steps below, logged on as Administrator:
1) Open System Preferences->Screen Saver. Deselect BOINC and reselect the screen saver you used to use as Administrator.
2) System Preferences->Accounts, Select 'Login Items' tab. Select Boinc manager. Check '-' below.

As each user, you will find the same account settings. Leave them as is, for users you want to run Boinc.
2) Message boards : Questions and problems : A Question that's been bothering me (Message 27645)
Posted 29 Sep 2009 by meinsanjose
Post:
I think the way you phrased your question, "Does the small contribution to science outweigh the small usage of energy that my PC uses to continue running when I would normally turn it off?", is the wrong way to ask. And because it is phrased as it is, that is how we get into these horrendous diatribes, without answers, generated by the Eco-extremists among us. Because the underlying premise poses the real question, "Is human life worth the particular questioner's measure of resource value?". Or, in more blunt words, since the questioner chooses to play God, they are assuming His role as ultimate judge. Ultimately a futile and dead premise.
The correct premises to start with are:
a) We humans are here, either by accident or by design, get over it and learn to live with it.
b) It takes energy to live and pursue any and all human activity.
c) So the real question to "energy versus anything" should be, "How can we generate energy in sufficient quantities that people can live & thrive?". And, "How can we generate energy cleanly and with the least impact on our environment, so as to leave our nest clean, so to speak?".

Well, neither of those questions is really germane to this forum.

Now, since we are here in this forum. Since we have the power to make a difference, via the personal computing equipment that we now possess. If we have the economic resources to enable us to act (pay the electric bill), then my response is, do you want to contribute to your fellow human's benefit or not?
3) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27540)
Posted 23 Sep 2009 by meinsanjose
Post:
To MrBungleBear,

I covered the concept in 27252.

MeinSanJose
4) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27352)
Posted 13 Sep 2009 by meinsanjose
Post:
Look above to the previous posts. I give a workaround to stop the dialog asking for permissions from administrator every time <user> tries to launch BOINC. Plus, I used to use it as a screen saver too. Through BOINC preferences, as user, you can tell it to run only when the machine is idle. You can set screen saver to "none". It will run in the background while you are not there. But, for now, you won't see any evidence of progress until you look at the log.
The admin for BOINC promises a screen saver version soon. It seems to be in alpha mode right now.
5) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27321)
Posted 12 Sep 2009 by meinsanjose
Post:
Malware attacks:

Generally, they come in two forms. A rogue application is embedded in a web site or in email. The unsuspecting user opens/executes the program. Off it goes, identified as "user" with "user's" permissions, destroying whatever it can touch. Or, malware sneaks in through network administration.
Network admin is a black art and I don't have a lot to offer there.
On Windows PCs, there is no real differentiation between users, the system, files on the disk, or permissions to destroy just about anything. So, regardless of how malware gets on board, it can pretty much run amok. Mac OS is built on top of Unix. Unix, although not the best OS in the world, has a far superior notion of permissions and segregation of System space and User space on the disk. There are 3 levels. User, Groups that User belongs to, and Everyone. Root, or administrator, can go anywhere. But administrator is not really 'root' on Mac OS. If you take away a user/account's administrative abilities, you limit where that user may read/write to. On a Mac that is generally Mac HD/Users/<user>/....
Let's say a user gets infected (So far no one has tried because it is very difficult) with a virus, because they went to a web site or opened email. That malware has User's permissions. That means it can only read/write to the directory structure under /Users/<user>/ and nowhere else. If User protects their personal data, via something like a USB thin drive, then after an attack, that can easily be replaced.
But that is not the end of it. The Malware cannot install itself anywhere but under /Users/<user>, without invoking the Mac OS protection dialog asking for the name of the administrator and password.
The User is immediately alerted to an attack. Neither can malware be added to the account start up list, even if saved under /Users/<user>, because the administrator controls accounts.
So, to be as safe as possible, I recommend to my clients that they have a separate Administrator account that they use to install programs, do admin, etc. Then any use of the computer to connect regularly to the outside world, such as browsing, email, or interactive applications should be operated under a new account, <their name>, with administrator privileges removed. That actually would be the account that was automatically created when a person first fired up their Mac and was interviewed by the start up script. So, Administrator must be created, via system preferences->accounts. Then one logs on as Administrator, opens accounts, opens <themselves>, and unchecks the 'admin privileges' box. Done.
While we are here, passwords. Most experts recommend separate passwords for different accounts. I realize we are all human and have limited memory, so I recommend one uncrackable super password for the important things, and whatever for everything else. So, use the same password for both User and Administrator. I suggest something you will never forget, but is not associated with you in any way on any document. For example a dead pet. I recommend upper/lower case letters and numbers. I would recommend special characters, but you will find most IT people are neanderthals and will not allow that. I.E. "mYluv4sQueEky" is pretty much uncrackable.
6) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27252)
Posted 10 Sep 2009 by meinsanjose
Post:
Now you have me stewing about the problem. Obviously, Snow Leopard took away 'setuid' to prevent violations of system space by rogue applications. So perhaps this might be a structural work around/change for future releases:

The Boinc installer should create a user called "boinc_master". Everything, except preferences that relate to how a particular user wants the engine to present itself on screen, resides under /users/boinc_master/library/application_support/boinc/data_blah_blah. Except screen saver objects, which I believe Apple has a special place for in system space.
The application has execute permissions for everyone. Administration (use 'getuid' to see who "me" is) (all admin accounts?) are automatically added to group "boinc_master" during installation. The account list is scanned for non administrative accounts. A file selection menu is presented during installation, asking for those accounts to be added to group "boinc_master". The phrasing would be; "Which account/users are authorized to run BOINC?".
As a last resort, code ought to be added to the applications, on start up, to check if the present user (getuid I think), is a member of group "boinc_master". If not, a dialog appears, requiring admin's name/password to add the present user to the group. This may or may not work, because I noticed that I required the "sudo" command to add myself, even when logged on as Administrator, indicating that only root had the authority to edit the group file.
7) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27194)
Posted 9 Sep 2009 by meinsanjose
Post:
In Unix any directory other than /Users/.... is reserved for root, the Unix kernel, or administrative functions. If any application is running, it should be running under some user. Therefore, data generated by that application would be stored, where it has permissions, under /Users/.... This conforms with Apple's development guidelines as well.
The idea that any user, regardless of permissions level, should be allowed to alter, overwrite, or generally mutilate a file or directory reserved for the O.S. is a Microsoft invention and a PC mentality. It is by this that Bill Gates has brought such havoc on personal computing, by opening the door for any malware that happens along to destroy anything the "user" is allowed to touch.
8) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27105)
Posted 6 Sep 2009 by meinsanjose
Post:
I have a fix for group membership in boinc_master, to allow non-administrator users access to BOINC's use of system space for data (A real Unix no-no.). This will prevent BOINC from asking for the administrator's account name and password, each time the user attempts to start up BOINC.

Note: Your user's short name is the name under /users/<short name>.
CR = 'return key'

1) Logon as administrator
2) Open a "terminal" window, found in applications.
3) type "sudo dscl . -append /Groups/boinc_master GroupMembership <your user's short name> CR"
4) Respond to password prompt with administrator's password.
5) type "exit CR"
6) Exit terminal from the terminal menu bar at top of desktop.

The next time you logon as <user> the BOINC prompt will not appear.
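
An added example, not part of the original posts and not BOINC's own code: the start-up membership check proposed in message 27252, which also confirms that the `dscl` step in message 27105 took effect for the launching account. It assumes the C library reports the group's direct member list in `gr_mem` (nested groups are not resolved); `user_in_group` is a hypothetical helper name.

```c
/* Added example (not BOINC code): start-up check that the launching account
 * may use BOINC's shared data, i.e. is in group "boinc_master". */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 = member, 0 = not a member,
 * -1 = account or group could not be resolved (treat as "deny"). */
int user_in_group(uid_t uid, const char *group_name)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;

    /* Keep our own copies before the next directory lookup. */
    char user[256];
    if (strlen(pw->pw_name) >= sizeof user)
        return -1;
    strcpy(user, pw->pw_name);
    gid_t primary = pw->pw_gid;

    struct group *gr = getgrnam(group_name);
    if (gr == NULL)
        return -1;

    if (gr->gr_gid == primary)          /* primary group counts as membership */
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)      /* listed as a direct member */
            return 1;
    return 0;
}

int main(void)
{
    /* getuid() is the real uid: who launched us, regardless of set-id bits. */
    int rc = user_in_group(getuid(), "boinc_master");
    if (rc == 1) {
        puts("authorized: account is in boinc_master");
        return 0;
    }
    fputs(rc == 0 ? "denied: an administrator must add this account to boinc_master\n"
                  : "denied: could not resolve the account or the group\n", stderr);
    return 1;
}
```

Failing closed on `-1` matters here: a missing group after a partial install is treated the same as "not a member" rather than as permission to proceed.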
9) Message boards : BOINC Manager : Mac OS X 10.6 (Snow Leopard) changes (Message 27099)
Posted 6 Sep 2009 by meinsanjose
Post:
>I suspect that relatively few Macs are set up with any non-admin users.

Bad assumption. I advise all my clients to do just that as the single greatest way of dealing with malware attacks. So, you ought to deal with it, instead of rationalizing it away.

> Of course, if the user running the Manager is a member of group boinc_master, then the setgid is not needed because the Manager would have permission to access the files anyway.

You ought to call Apple support and ask how that is done on Snow Leopard. You will be surprised that it is either not possible or no one there knows. I suggest you modify your installation script, scan for all the users, display the list, ask the installer to select which users are included in group boinc_master.




Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.