wiki:ClientSetupLogicWinSix

Version 8 (modified by romw, 17 years ago) (diff)

More Updates

Client Setup Logic for 6.0 Clients

T(VersionSix)?

Major differences from version 5 are:

  • Implements account-based sandboxing by creating unprivileged accounts for BOINC.
  • It moves the BOINC data directory if needed, and BOINC executables are in a separate directory.
  • User no longer selects install type.

This document describes the various changes to the installer including:

  • User Accounts and Groups
  • Data Directory
  • Executables Directory
  • User Interface Changes
  • Custom Action Changes

User Accounts

Two user accounts will be created, one to execute boinc.exe, and one that boinc.exe can use to launch science applications.

NOTE: Including the computer name avoids name collisions when BOINC is installed on domain controllers.

Users:

boinc_<ComputerName>
boinc_project_<ComputerName>

Both boinc_<ComputerName> and boinc_project_<ComputerName> will be setup so that their passwords never expire.

A file will be created by the installer in the BOINC data directory called client_init.xml which contains the username and base64 encoded password for boinc_project_<ComputerName>. The first time the client starts up after install it will read the file and store an encrypted form of the data in a new file using CryptProtectData/CryptUnprotectData. After reading in the client_init.xml file it will be deleted.

Each time an installation occurs, both of the account passwords will be reset and a new randomly generated password will be used.

Groups:

boinc_administrators
boinc_project

Each group will contain the following members:

boinc_administrators Administrator
<Installing User>
boinc_<ComputerName>
boinc_project boinc_project_<ComputerName>

Data Directory

All data, configuration files, and logs will be moved to the following default location:

Vista:
C:\Users\All Users\BOINC

2000/XP:
C:\Documents and Settings\All Users\Application Data\BOINC

Under BOINC there will be a 'projects' and 'slots' directory.

Directories will have the following permissions:

BOINC SYSTEM (Full Control)
Administrators (Full Control)
boinc_administrators (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_projects (Deny All)
BOINC\projects SYSTEM (Full Control)
Administrators (Full Control)
boinc_administrators (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_projects (Modify, Read & Execute, List Folder Contents, Read, Write)
BOINC\slots SYSTEM (Full Control)
Administrators (Full Control)
boinc_administrators (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_projects (Modify, Read & Execute, List Folder Contents, Read, Write)

Notes: What to do if an organization has disabled the 'Bypass Traverse Checking' user right for Everyone? See http://support.microsoft.com/kb/823659 for more details.

Executables Directory

Same location as the previous releases.

C:\Program Files\BOINC

Directory will have the following permissions:

BOINC SYSTEM (Full Control)
Administrators (Full Control)
boinc_administrators (Modify, Read & Execute, List Folder Contents, Read, Write)
boinc_projects (Deny All)

User Interface

Welcome Screen

Same as before.

License Screen

Same as before.

Configuration Screen

Setup Type Button Group

Two radio buttons, graphics compatible installation and secure installation, will be displayed with the secure installation being the default.

The advanced configuration button will be disabled if the graphics compatible installation is selected.

Options

A checkbox will be displayed, Launch BOINC Manager at startup, which will be checked by default.

A checkbox will be displayed, Configure BOINC as my screensaver, which will be checked by default.

A button will be displayed, Advanced Configuration, which when pressed will save the current configuration options, and switch to the advanced configuration screen.

Advanced Configuration

This configuration page will allow the user to change the default data directory, the default executable directory, as well as which user accounts and passwords the installer will use to setup BOINC.

Confirmation Screen

Same as before.

Custom Actions

Several specialized pieces of code will manage the migration from the v5 data directory to v6 data directory structure. These custom pieces of code will all be executed during the execution phase of setup and will be introduced inbetween the following standard custom actions:

    ... MSI: Validates installaton package
    ...
    CAValidateSetup
    CAShutdownBOINC
    CAShutdownBOINCManager
    CAShutdownBOINCManager95
    CAShutdownBOINCScreensaver
    ...
    ... MSI: Remove older version if it exists
    ...
    CACleanupOldBinaries
    CAMigratex86x64
    CAMigrateCPDNBBC
    CACreateBOINCAccounts (New in Version 6.0)
    CACreateBOINCGroups (New in Version 6.0)
    CAMigrateBOINCData (New in Version 6.0)
    ...
    ... MSI: Begin installation process

CAValidateSetup

Checks that the parameters passed into the installation program are valid for the installation type. Otherwise it reports an error to the user. This is a backup check for validating the parameters passed in via the command line, if the user is installing via the GUI this shouldn't ever be a problem.

IF SetupType == 'Single-User' THEN
    IF ALLUSERS == 1 THEN
        ABORT
    END IF
    IF SERVICE* IS NOT NULL THEN
        ABORT
    END IF
ELSE
    IF SERVICE* IS NULL THEN
        ABORT
    END IF
END IF

CAShutdownBOINC

Kills boinc.exe is it is currently executing on the system.

TerminateProcessByName("boinc.exe")

CAShutdownBOINCManager

Kills boincmgr.exe is it is currently executing on the system.

TerminateProcessByName("boincmgr.exe")

CAShutdownBOINCManager95

Kills boincmgr.exe is it is currently executing on the system using Win9x compatible means.

TerminateProcessByName95("boincmgr.exe")

CAShutdownBOINCScreensaver

Kills boinc.scr is it is currently executing on the system.

TerminateProcessByName95("boinc.scr")

CACleanupOldBinaries

Deletes any lingering files left over from a previous BOINC installation, this can sometimes happen if a user replaces a stock client with a optimized one.

DeleteFile(strInstallDirectory + _T("\\boinc.exe"));
DeleteFile(strInstallDirectory + _T("\\boincmgr.exe"));
DeleteFile(strInstallDirectory + _T("\\boinccmd.exe"));
DeleteFile(strInstallDirectory + _T("\\boinc.dll"));
DeleteFile(strInstallDirectory + _T("\\libcurl.dll"));
DeleteFile(strInstallDirectory + _T("\\libeay32.dll"));
DeleteFile(strInstallDirectory + _T("\\ssleay32.dll"));
DeleteFile(strInstallDirectory + _T("\\zlib1.dll"));
DeleteFile(strInstallDirectory + _T("\\dbghelp.dll"));
DeleteFile(strInstallDirectory + _T("\\dbghelp95.dll"));
DeleteFile(strInstallDirectory + _T("\\srcsrv.dll"));
DeleteFile(strInstallDirectory + _T("\\symsrv.dll"));

CAMigratex86x64

Migrate any data files from "C:\Program Files (x86)\BOINC" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist.

MoveFileEx("C:\\Program Files (x86)\\BOINC", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);

CAMigrateCPDNBBC

Migrate any data files from "C:\Program Files\Climate Change Experiment" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist.

MoveFileEx("C:\\Program Files\\Climate Change Experiment", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);

CACreateBOINCAccounts

Creates the two user accounts that BOINC will need to complete a secure installation. Passwords are base64 encoded before being stored to disk.

strComputerName = GetComputerName()

GetProperty("BOINC_USERNAME", strBOINCUsername)
IF strBOINCUsername IS NULL THEN
    strBOINCUsername = "boinc_" + strComputerName
END IF

GetProperty("BOINC_PROJECT_USERNAME", strBOINCProjectUsername)
IF strBOINCProjectUsername IS NULL THEN
    strBOINCProjectUsername = "boinc_project_" + strComputerName
END IF

strBOINCAccountPassword = GenerateNewPassword()
strBOINCProjectAccountPassword = GenerateNewPassword()

IF GetUserAccount(strBOINCUsername) EXISTS THEN
    ResetUserAccountPassword(strBOINCUsername, strBOINCAccountPassword);
ELSE
    CreateUserAccount(strBOINCUsername, strBOINCAccountPassword)
    SetUserAccountProperty(strBOINCUsername, "PasswordNeverExpires")
END IF
    
IF GetUserAccount(strBOINCProjectUsername) EXISTS THEN
    ResetUserAccountPasswordstrBOINCProjectUsername, strBOINCProjectAccountPassword);
ELSE
    CreateUserAccount(strBOINCProjectUsername, strBOINCProjectAccountPassword)
    SetUserAccountProperty(strBOINCProjectUsername, "PasswordNeverExpires")
END IF

WriteAccountsToDisk(strBOINCUsername, strBOINCAccountPassword, strBOINCProjectUsername, strBOINCProjectAccountPassword)

CACreateBOINCGroups

Creates the two security groups that BOINC will need to complete a secure installation.

CAMigrateBOINCData

Migrate any data files from "C:\Program Files\BOINC" to all users application data location if the all users application data location doesn't already exist.

MoveFileEx("C:\\Program Files\\BOINC", strDataDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);