BOINC requires access to /dev/input/event9

Message boards : BOINC client : BOINC requires access to /dev/input/event9
Message board moderation

To post messages, you must log in.

AuthorMessage
Germano

Send message
Joined: 21 May 16
Posts: 37
Italy
Message 69948 - Posted: 3 Jun 2016, 21:54:26 UTC

Hi, I am the Fedora's BOINC co-maintainer.
BOINC > 7.4.x wants to access to /dev/input/event9 that corresponds to user's keyboard
https://bugzilla.redhat.com/show_bug.cgi?id=1337607
I would need to know why it tries to read from that device. To detect user inactivity time?
As BOINC co-maintainers we have been asked (by SELinux maintainers) to decide if SELinux should allow such readings or not.
ID: 69948 · Report as offensive
ChristianB
Volunteer developer
Volunteer tester

Send message
Joined: 4 Jul 12
Posts: 321
Germany
Message 69953 - Posted: 4 Jun 2016, 10:03:25 UTC

Yes, this is part of user inactivity detection. I don't see much discussion in the bug mentioned. Is the concern that the BOINC Client would act as a keylogger?
ID: 69953 · Report as offensive
Germano

Send message
Joined: 21 May 16
Posts: 37
Italy
Message 69991 - Posted: 5 Jun 2016, 21:10:30 UTC - in response to Message 69953.  
Last modified: 5 Jun 2016, 21:13:26 UTC

Is the concern that the BOINC Client would act as a keylogger?


Yeah exactly
ID: 69991 · Report as offensive
ChristianB
Volunteer developer
Volunteer tester

Send message
Joined: 4 Jul 12
Posts: 321
Germany
Message 69996 - Posted: 6 Jun 2016, 8:47:10 UTC

Well then options are limited unless you come up with a better way to detect user idleness.
ID: 69996 · Report as offensive
SekeRob2

Send message
Joined: 6 Jul 10
Posts: 585
Italy
Message 69997 - Posted: 6 Jun 2016, 10:41:06 UTC - in response to Message 69996.  
Last modified: 6 Jun 2016, 10:42:10 UTC

Any program, free or paid, could be a keylogger, for all I know my MS Office 365 does this, except my firewall is not recording any suspect outgoing traffic.

WCG (IBM) actually security audits the source code before [is in development of doing this for 7.6 at this time], because else they'd not get their corporate college/university, even banks as partners to allow installation. Go back to 7.2.42 or 7.2.47 [WCG skinned] and download it from their website, but can you trust them?
Coelum Non Animum Mutant, Qui Trans Mare Currunt
ID: 69997 · Report as offensive
Juha
Volunteer developer
Volunteer tester
Help desk expert

Send message
Joined: 20 Nov 12
Posts: 801
Finland
Message 70007 - Posted: 6 Jun 2016, 17:45:30 UTC - in response to Message 69991.  

The code doesn't try to read the device file. It only tries to get its last modified time.

At least on Mint 17 = Ubuntu 14.04 the code doesn't actually work, the last modified time isn't updated. If Fedora is same then you could patch out the code to remove both the security concern and the SELinux warning.

Rom added the code in 2014. I would like to think that he tested it and found out that it does work on some, perhaps older, distro.
ID: 70007 · Report as offensive
Germano

Send message
Joined: 21 May 16
Posts: 37
Italy
Message 70165 - Posted: 13 Jun 2016, 20:34:58 UTC
Last modified: 13 Jun 2016, 20:35:09 UTC

I added a suggestion about how to implement user idle time detection in systemd based Linux distributions
https://github.com/BOINC/boinc/issues/1187#issuecomment-225699768
ID: 70165 · Report as offensive

Message boards : BOINC client : BOINC requires access to /dev/input/event9

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.