wiki:ClientSetupLogicWinSix

Version 36 (modified by romw, 16 years ago) (diff)

--

Windows installer logic for version 6

T(VersionSix)?

Major differences from version 5 are:

  • Account-based sandboxing using unprivileged accounts.
  • Moves the BOINC data directory if needed.
  • BOINC executables are in a separate directory.
  • Simplified installer user experience.

Protection policy

The installer has a "Allow all users on this computer to control BOINC" checkbox. If checked, then all users on the host will be able control BOINC (i.e. attach/detach projects) using the BOINC Manager. Otherwise only the user who installed BOINC or an administrator can control BOINC, and other users can only monitor the BOINC client.

Sandboxing

The installer offers two modes: 'Graphics compatible' and 'Secure'.

Graphics compatible installation is the same as the single-user installation of v5. The manager will be responsible for launching the core client, and all applications will be launched in the same security context as the user who logged into the system. This allows users to see graphics from older as well as newer science applications, or projects with long running tasks which won't complete for a while.

If the user selects Secure, the core client will run as a service. Two user accounts and two groups will be created:

Users:

boinc_master
The core client runs under this account.
boinc_project
Apps and graphics app run under this account.

If the computer being installed upon is a domain controller, then the account names will have the computer name appended on to them.

Groups:

boinc_admins
Members of this group can change the configuration and protection settings for the BOINC client (for example the GUI RPC password and host list) and can also run the BOINC Manager and screensaver.
boinc_users
Members of this group can run the BOINC Manager and screensaver.

Initially, each group contains the following members:

boinc_admins Administrator
<Installing User>
'boinc_master'
boinc_users Everyone (if 'Allow everyone to use BOINC' is checked), else empty
boinc_projects 'boinc_project'

Account passwords are managed as follows:

  • The installer creates a file 'client_auth.xml' in the BOINC data directory containing the name and base64 encoded password of the boinc_project account.
  • The password properties are added to SecureCustomProperties to prevent them being logged.
  • The password for boinc_master is managed by Windows.

On each installation, both of the account passwords are randomly regenerated.

User Rights Assignment

boinc_masterDeny logon locally
Deny access to this computer from the network
Debug programs
Log on as a service
Bypass traverse checking
boinc_projectDeny logon locally
Deny access to this computer from the network

Data directory

All data, configuration files, and logs will be moved to the following default location:

Vista:
C:\Users\All Users\BOINC

2000/XP:
C:\Documents and Settings\All Users\Application Data\BOINC

Under the data directory there will be 'projects' and 'slots' directories.

Directories will have the following permissions:

BOINC SYSTEM (Full Control)
Administrators (Full Control)
boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_users (Read & Execute, List Folder Contents, Read)
boinc_projects (Deny All)
BOINC\projects SYSTEM (Full Control)
Administrators (Full Control)
boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_users (Read & Execute, List Folder Contents, Read)
boinc_projects (Modify, Read & Execute, List Folder Contents, Read, Write)
BOINC\slots SYSTEM (Full Control)
Administrators (Full Control)
boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_users (Read & Execute, List Folder Contents, Read)
boinc_projects (Modify, Read & Execute, List Folder Contents, Read, Write)

Executables directory

Same default location as previous versions, C:\Program Files\BOINC

Directory will have the following permissions:

BOINC SYSTEM (Full Control)
Administrators (Full Control)
boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_users (Read & Execute, List Folder Contents, Read)
boinc_projects (Deny All)

User Interface

Welcome Screen

Same as before.

License Screen

Same as before.

Configuration Screen

title: Installation options
subtitle: These are the current installation options

Program directory:  C:\\Program Files\BOINC\
Data directory: C:\\Documents and Settings\All Users\Application Data\ BOINC\

Launch BOINC on system startup
Use BOINC screensaver
Protected application execution
Allow all users on this computer to control BOINC


Click Next to use these options.
Click Advanced to customize options.
[Advanced] [Next]

Advanced goes to the advanced configuration page. Next goes to the Confirmation screen.

Advanced Configuration

title: Customize installation options
subtitle: Customize how BOINC is installed on your computer

Program directory: [...] [Browse]
Data directory: [...] [Browse]

[] Launch BOINC on system startup
[] Use BOINC Screensaver
[] Protected application execution.
   This provides increased protection against faulty project applications.
   However, it may cause screensaver graphics to not work with older applications.
[] Allow all users on this computer to control BOINC
[Next]

Checkboxes are off by default. If any values are present from previous install, use them. The "Allow users" checkbox is disabled unless the "Protected" checkbox is set.

'Next' goes to 'Confimation' screen.

Confirmation Screen

Same as before.

Custom Actions

Custom actions are executed in the following sequence:

    ... MSI: Validates installation package
    ...
    CAValidateSetup
    CAShutdownBOINC
    CAShutdownBOINCManager
    CAShutdownBOINCManager95
    CAShutdownBOINCScreensaver
    ...
    ... MSI: Remove older version if it exists
    ...
    CACleanupOldBinaries
    CAMigratex86x64
    CAMigrateCPDNBBC
    CACreateBOINCAccounts (New in Version 6.0)
    CACreateBOINCGroups (New in Version 6.0)
    CAMigrateBOINCData (New in Version 6.0)
    ...
    ... MSI: Begin installation process

CAValidateSetup

Checks that the parameters passed into the installation program are valid for the installation type. Otherwise it reports an error to the user. This is a backup check for validating the parameters passed in via the command line, if the user is installing via the GUI this shouldn't ever be a problem.

IF SetupType == 'Single-User' THEN
    IF ALLUSERS == 1 THEN
        ABORT
    END IF
    IF SERVICE* IS NOT NULL THEN
        ABORT
    END IF
ELSE
    IF SERVICE* IS NULL THEN
        ABORT
    END IF
END IF

CAShutdownBOINC

Kills boinc.exe if it is currently executing on the system.

TerminateProcessByName("boinc.exe")

CAShutdownBOINCManager

Kills boincmgr.exe if it is currently executing on the system.

TerminateProcessByName("boincmgr.exe")

CAShutdownBOINCManager95

Kills boincmgr.exe if it is currently executing on the system using Win9x compatible means.

TerminateProcessByName95("boincmgr.exe")

CAShutdownBOINCScreensaver

Kills boinc.scr if it is currently executing on the system.

TerminateProcessByName95("boinc.scr")

CACleanupOldBinaries

Deletes any lingering files left over from a previous BOINC installation. This can sometimes happen if a user replaces a stock client with a optimized one.

DeleteFile(strInstallDirectory + _T("\\boinc.exe"));
DeleteFile(strInstallDirectory + _T("\\boincmgr.exe"));
DeleteFile(strInstallDirectory + _T("\\boinccmd.exe"));
DeleteFile(strInstallDirectory + _T("\\boinc.dll"));
DeleteFile(strInstallDirectory + _T("\\libcurl.dll"));
DeleteFile(strInstallDirectory + _T("\\libeay32.dll"));
DeleteFile(strInstallDirectory + _T("\\ssleay32.dll"));
DeleteFile(strInstallDirectory + _T("\\zlib1.dll"));
DeleteFile(strInstallDirectory + _T("\\dbghelp.dll"));
DeleteFile(strInstallDirectory + _T("\\dbghelp95.dll"));
DeleteFile(strInstallDirectory + _T("\\srcsrv.dll"));
DeleteFile(strInstallDirectory + _T("\\symsrv.dll"));

CAMigratex86x64

Migrate any data files from "C:\Program Files (x86)\BOINC" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist. This handles the case where the user is upgrading from a 32-bit BOINC to a 64-bit BOINC on Win64.

MoveFileEx("C:\\Program Files (x86)\\BOINC", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);

CAMigrateCPDNBBC

Migrate any data files from "C:\Program Files\Climate Change Experiment" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist. Handles case where user is upgrading from BBC to V6.

MoveFileEx("C:\\Program Files\\Climate Change Experiment", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);

CACreateBOINCAccounts

Creates the two user accounts used for a protected installation. Passwords are base64 encoded before being stored to disk.

strComputerName = GetComputerName()
bIsDomainController = IsDomainController()

GetProperty("BOINC_USERNAME", strBOINCUsername)
GetProperty("BOINC_PROJECT_USERNAME", strBOINCProjectUsername)

IF bIsDomainController THEN
    IF strBOINCUsername IS NULL THEN
        strBOINCUsername = "boinc_" + strComputerName
    END IF
    IF strBOINCProjectUsername IS NULL THEN
        strBOINCProjectUsername = "boinc_project_" + strComputerName
    END IF
ELSE
    IF strBOINCUsername IS NULL THEN
        strBOINCUsername = "boinc"
    END IF
    IF strBOINCProjectUsername IS NULL THEN
        strBOINCProjectUsername = "boinc_project"
    END IF
END IF

strBOINCAccountPassword = GenerateNewPassword()
strBOINCProjectAccountPassword = GenerateNewPassword()

IF GetUserAccount(strBOINCUsername) EXISTS THEN
    ResetUserAccountPassword(strBOINCUsername, strBOINCAccountPassword);
ELSE
    CreateUserAccount(strBOINCUsername, strBOINCAccountPassword)
    SetUserAccountProperty(strBOINCUsername, "PasswordNeverExpires")
END IF
    
IF GetUserAccount(strBOINCProjectUsername) EXISTS THEN
    ResetUserAccountPasswordstrBOINCProjectUsername, strBOINCProjectAccountPassword);
ELSE
    CreateUserAccount(strBOINCProjectUsername, strBOINCProjectAccountPassword)
    SetUserAccountProperty(strBOINCProjectUsername, "PasswordNeverExpires")
END IF

WriteAccountsToDisk(strBOINCUsername, strBOINCAccountPassword, strBOINCProjectUsername, strBOINCProjectAccountPassword)

CACreateBOINCGroups

Creates the two security groups that BOINC will need to complete a secure installation.

strComputerName = GetComputerName()
bIsDomainController = IsDomainController()

GetProperty("BOINC_USERNAME", strBOINCUsername)
GetProperty("BOINC_PROJECT_USERNAME", strBOINCProjectUsername)

IF bIsDomainController THEN
    IF strBOINCUsername IS NULL THEN
        strBOINCUsername = "boinc_" + strComputerName
    END IF
    IF strBOINCProjectUsername IS NULL THEN
        strBOINCProjectUsername = "boinc_project_" + strComputerName
    END IF
ELSE
    IF strBOINCUsername IS NULL THEN
        strBOINCUsername = "boinc"
    END IF
    IF strBOINCProjectUsername IS NULL THEN
        strBOINCProjectUsername = "boinc_project"
    END IF
END IF

IF GetGroup("boinc_admins") NOT EXISTS THEN
    CreateGroup("boinc_administrators")
    AddUserToGroup("Administrator")
    AddUserToGroup(GetCurrentUsername())
    AddUserToGroup(strBOINCUsername)
END IF
    
IF GetGroup("boinc_project") NOT EXISTS THEN
    CreateGroup("boinc_project")
    AddUserToGroup(strBOINCProjectUsername)
END IF

CAMigrateBOINCData

Look in the registry for the old data directory, else "C:\Program Files\BOINC". Move data files from old data dir to all users application data location if the all users application data location doesn't already exist.

old_data_dir = registry_lookup
MoveFileEx(old_data_dir, strDataDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);

Reverting to a pre-V6 version of BOINC

Manually move data dir contents to executables dir, then install old version.

Manually remove BOINC-related accounts and groups. Note: we can't remove them automatically on uninstall, otherwise they'd get removed and recreated on each upgrade, and any group membership changes would be lost.

Design Decisions

  • Why install as a service instead of a single user install?

Service installs allow for the boinc core client to be isolated from any users files. Since the core client has the only available incomming TCP/IP connection it is at risk of being hacked, to mitigate information disclosure of sensitive user files such as MS Money or Quicken files the core client is executed with its own user account.

By default non-administrative accounts cannot create globally named shared memory segments, therefore keyboard and mouse activity could not be monitored without setting up an account with that additional user right.

  • Launching worker and graphics applications as boinc_project.

Isolate boinc-based applications from boinc and the rest of the system.