[Bug 1227092] New: network/boinc-client: Add WorkingDirectory= to unit file (and other possible unit file enhancements)
https://bugzilla.suse.com/show_bug.cgi?id=1227092

Bug ID: 1227092
Summary: network/boinc-client: Add WorkingDirectory= to unit file (and other possible unit file enhancements)
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: All
OS: openSUSE Tumbleweed
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: 3rd party software
Assignee: chris@computersalat.de
Reporter: timuzhti@gmail.com
QA Contact: screening-team-bugs@suse.de
CC: Sascha.Manns@outlook.de
Target Milestone: ---
Found By: ---
Blocker: ---

This is a pretty minor issue but without WorkingDirectory= set, the ExecStop= command (/usr/bin/boinccmd --quit) does not actually function because it can't find the gui_rpc_auth.cfg file. This causes the unit to report failure every time it's stopped.

According to documentation, boinccmd checks three places for the password (it doesn't have a --datadir option). Changing the working directory to either /var/lib/boinc or ~ (which is the same thing by default) seems to be the easiest way to resolve this, since /etc/boinc-client/ and /var/lib/boinc-client are not used by default.

I'm not really sure which of the two options would be better. Using the home directory of the boinc user would probably make it easier to reconfigure to another directory, but I'm not sure that's worth it. It might be even better to somehow pull $BOINC_BOINC_DIR into WorkingDirectory= but systemd doesn't seem to support this.

Another quirk uncovered looking at the logs is that systemd apparently interprets /lockfile as part of the variable name, sample log message as follows:

    (rm): boinc-client.service: Invalid environment variable name evaluates to an empty string: BOINC_BOINC_DIR/lockfile

This can be avoided by wrapping the variable name in braces,

    ExecStopPost=/bin/rm -f ${BOINC_BOINC_DIR}/lockfile

though I'm not sure if this is actually a systemd issue.
Finally, the upstream unit file at https://github.com/BOINC/boinc/blob/master/client/scripts/boinc-client.servi... includes a couple of systemd hardening options. Some of these are off by default because Atlas requires setuid root, but the three options limiting the read/write access of the unit to the boinc directory only might be worthwhile.

    ProtectSystem=full
    ProtectControlGroups=true
    ReadWritePaths=-/var/lib/boinc -/etc/boinc-client

--
You are receiving this mail because:
You are on the CC list for the bug.
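Added example, not part of the bug report or of the package: a small shell lint that checks a unit file for the three points raised above (an unbraced $NAME glued to further text in an Exec line, a missing WorkingDirectory=, and the three write-restricting options). The two unit fragments are constructed from the lines quoted in the report, and lint_unit, unit_before and unit_after are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example (not the packaged unit file): lint a systemd unit, read from
# stdin, for the three points raised in the report above.

lint_unit() {
    unit=$(cat)
    # Unbraced $NAME followed directly by more text, e.g. $DIR/lockfile.
    # systemd expands the unbraced form only as a word of its own; inside a
    # longer word the variable has to be written ${NAME}.
    printf '%s\n' "$unit" |
        grep -nE '^Exec[A-Za-z]*=.*\$[A-Za-z_][A-Za-z0-9_]*[^A-Za-z0-9_[:space:]]' |
        sed 's/^/unbraced-variable: line /'
    # boinccmd looks for gui_rpc_auth.cfg relative to its working directory.
    printf '%s\n' "$unit" | grep -q '^WorkingDirectory=' ||
        echo 'missing: WorkingDirectory='
    # The three write-restricting options quoted from the upstream unit.
    for key in ProtectSystem ProtectControlGroups ReadWritePaths; do
        printf '%s\n' "$unit" | grep -q "^${key}=" || echo "missing: ${key}="
    done
}

# Constructed fragment of a [Service] section showing the reported behaviour;
# only the lines discussed in the report are included.
unit_before() {
cat <<'EOF'
[Service]
ExecStop=/usr/bin/boinccmd --quit
ExecStopPost=/bin/rm -f $BOINC_BOINC_DIR/lockfile
EOF
}

# The same constructed fragment with the changes proposed in the report.
unit_after() {
cat <<'EOF'
[Service]
WorkingDirectory=/var/lib/boinc
ExecStop=/usr/bin/boinccmd --quit
ExecStopPost=/bin/rm -f ${BOINC_BOINC_DIR}/lockfile
ProtectSystem=full
ProtectControlGroups=true
ReadWritePaths=-/var/lib/boinc -/etc/boinc-client
EOF
}

echo '--- before'; unit_before | lint_unit
echo '--- after';  unit_after  | lint_unit
```

On a live system, systemd-analyze verify checks a unit file for errors, and systemd-analyze security rates a unit's sandboxing settings.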
https://bugzilla.suse.com/show_bug.cgi?id=1227092#c1
Christian Wittmer
https://bugzilla.suse.com/show_bug.cgi?id=1227092#c2
Christian Wittmer
This is a pretty minor issue but without WorkingDirectory= set, the ExecStop= command (/usr/bin/boinccmd --quit) does not actually function because it can't find the gui_rpc_auth.cfg file. This causes the unit to report failure every time it's stopped.
According to documentation, boinccmd checks three places for the password (it doesn't have a --datadir option). Changing the working directory to either /var/lib/boinc or ~ (which is the same thing by default) seems to be the easiest way to resolve this, since /etc/boinc-client/ and /var/lib/boinc-client are not used by default.
I'm not really sure which of the two options would be better. Using the home directory of the boinc user would probably make it easier to reconfigure to another directory, but I'm not sure that's worth it. It might be even better to somehow pull $BOINC_BOINC_DIR into WorkingDirectory= but systemd doesn't seem to support this.
Another quirk uncovered looking at the logs is that systemd apparently interprets /lockfile as part of the variable name, sample log message as follows:
(rm): boinc-client.service: Invalid environment variable name evaluates to an empty string: BOINC_BOINC_DIR/lockfile
This can be avoided by wrapping the variable name in braces,

    ExecStopPost=/bin/rm -f ${BOINC_BOINC_DIR}/lockfile

though I'm not sure if this is actually a systemd issue.

Finally, the upstream unit file at https://github.com/BOINC/boinc/blob/master/client/scripts/boinc-client.service.in includes a couple of systemd hardening options. Some of these are off by default because Atlas requires setuid root, but the three options limiting the read/write access of the unit to the boinc directory only might be worthwhile.

    ProtectSystem=full
    ProtectControlGroups=true
    ReadWritePaths=-/var/lib/boinc -/etc/boinc-client
Hi,

you have a project in OBS here: https://build.opensuse.org/package/show/home:timuzhti/boinc-client

Why didn't you just fix it and create a submit request?

--
You are receiving this mail because:
You are on the CC list for the bug.