Changes between Version 5 and Version 6 of ClientSetupWinSix


Ignore:
Timestamp:
Jan 7, 2008, 2:58:47 PM (13 years ago)
Author:
davea
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • ClientSetupWinSix

    v5 v6  
    1 = Windows Installer Specification v6 =
     1= Windows installer version 6 design =
    22
    33[[T(VersionSix)]]
     
    77== Introduction ==
    88
    9 BOINC version 6 for Windows is a big improvement in security. In order to take advantage of the increased security though, there needs to be some major changes to the installer.
     9wThis document describes the design of the BOINC Windows installer for version 6.
     10Implementation details are [ClientSetupLogicWinSix here].
    1011
    11 Implementation details can be found [ClientSetupLogicWinSix here].
     12== New features ==
    1213
    13 == Goals ==
    14 
    15 The goals of the installer for v6 are:
     14Changes to BOINC version 6 include:
    1615
    1716 * Account-based sandboxing
    18  * Separate the data files from the executable files
     17 * Separate data and executable directories
    1918 * Simplify installer experience
    2019
    21 == Account-based Sandboxing ==
     20== Account-based sandboxing ==
    2221
    23 BOINC will now utilize the Windows users’ and groups’ functionality to control specifically who can execute and manage BOINC.
     22The installer offers two security modes:
    2423
    25 Two user accounts will be created one for executing BOINC itself and one for executing the BOINC applications. Three local user groups will be created to handle to manage BOINC.
     24 * '''Secure''': the BOINC client and applications run under unprivileged accounts.  The core client runs as a service. ??? why are these linked?
     25
     26 * '''Graphics compatible''': same as the single-user installation of v5; the core client and all applications run in the same security context as the user who logged into the system. This allows users to see graphics from older as well as newer science applications, or projects with long running tasks which won't complete for a while.
     27
     28The advantages of Secure mode are:
     29 * It limits the damage that can be done by buggy or malicious applications
     30 * It limits the damage due to bugs or network security vulnerabilities in the core client.
     31 * By default non-administrative accounts cannot create globally named shared memory segments, therefore keyboard and mouse activity could not be monitored without setting up an account with that additional user right.
     32
     33=== Multi-user protection policy ===
     34
     35The installer offers two protection modes:
     36 * All users on the host can control BOINC (i.e. attach/detach projects) using the BOINC Manager.
     37 * Only the user who installed BOINC or an administrator can control BOINC. Users can be allowed to control by adding them to a 'boinc_users' group.  When other users run the BOINC Manager, they'll get a dialog saying to contact the administrator to add them to the 'boinc_users' group.
    2638
    2739== Executable/Data Separation ==
    2840
    29 Previous versions of BOINC on Windows stored the data files and executable files in the same directory structure which made managing permissions difficult.
     41Previous versions of BOINC on Windows stored the data files and executable files
     42in the same directory.
     43This created problems on Vista ??? explain?
    3044
    31 The installer will now need to create a new directory that will serve as the data directory.  The installer will migrate data files to the new data directory if they exist.
     45Having a separate data directory also allows you to use a new hard drive or network drive for data,
     46without moving the executables.  ??? so what?
     47
     48The V6 installer create a new data directory and migrates existing data files to the new data directory.
     49The default executable directory remains C:\Program Files\BOINC
     50The default data directory is:
     51{{{
     52Vista:
     53C:\Users\All Users\BOINC
     54
     552000/XP:
     56C:\Documents and Settings\All Users\Application Data\BOINC
     57}}}
     58
    3259
    3360== Simplify installer experience ==
     
    92119== Discussion Topics ==
    93120
    94  * Why are we switching over to account-based sandboxing?
    95 
    96 The main reason is security.  Currently if you install using a single user install then all of the BOINC components run as you.  This means there is a potential problem if a project has been setup just to snoop on a volunteer’s machine.  For instance, they could send back your Quicken or MS Money files after making it look like your computer did some work.  So to further protect a volunteer from potiential BOINC defects and/or malicious projects two low-privileged users will be created to run BOINC and BOINC based applications.
    97 
    98  * Why are we seperating the data and executable directories?
    99 
    100 Again the main reason is security, but it also allows for people to move their data to a different location in case they buy a new hard drive or want to use a network drive.
    101 
    102  * Why install as a service instead of a single user install?
    103 
    104 Service installs allow for the boinc core client to be isolated from any users files. Since the core client has the only available incoming TCP/IP connection it is at risk of being hacked, to mitigate information disclosure of sensitive user files such as MS Money or Quicken files the core client is executed with its own user account.
    105 
    106 Additionally, by default non-administrative accounts cannot create globally named shared memory segments, therefore keyboard and mouse activity could not be monitored without setting up an account with that additional user right.
    107 
    108121 * Why was the 'Launch BOINC on startup' option removed from the installer?
    109122
    110123The 'Launch BOINC on startup' option actually started the BOINC Manager, so on systems where BOINC was being installed as a service it was being ignored. Most people do not understand the difference between BOINC and the BOINC Manager. Most people who install BOINC want it to run whenever they are not around.
    111124
    112 To keep things simple we decided to remove the option and setup the system so that both BOINC and the BOINC Manager are started at system startup or logon, if the users want to change this behavior they can delete the BOINC Manager shortcut and/or change the service properties via the service control manager administrative tool.
     125To keep things simple we decided to remove the option and
     126set up the system so that both BOINC and the BOINC Manager are started at system startup or logon
     127If the users want to change this behavior they can delete the BOINC Manager
     128shortcut and/or change the service properties via the service control manager administrative tool.
    113129
    114  * Launching worker and graphics applications as boinc_project.
    115 
    116 Isolate BOINC-based applications from BOINC and the rest of the system.