Two user accounts will be created: one for executing BOINC itself and one for executing the BOINC applications. Three local user groups will be created to manage BOINC.
* '''Secure''': the BOINC client and applications run under unprivileged accounts. The core client runs as a service. ??? why are these linked?

* '''Graphics compatible''': same as the single-user installation of v5; the core client and all applications run in the same security context as the user who logged into the system. This allows users to see graphics from older as well as newer science applications, including projects with long-running tasks that will not complete for a while.

The advantages of Secure mode are:
* It limits the damage that can be done by buggy or malicious applications.
* It limits the damage due to bugs or network security vulnerabilities in the core client.
* By default, non-administrative accounts cannot create globally named shared memory segments (the "Create global objects" user right), so keyboard and mouse activity cannot be monitored without granting an account that additional right.

=== Multi-user protection policy ===

The installer offers two protection modes:
* All users on the host can control BOINC (i.e. attach/detach projects) using the BOINC Manager.
* Only the user who installed BOINC or an administrator can control BOINC. Other users can be granted control by adding them to the 'boinc_users' group. When a user outside that group runs the BOINC Manager, they get a dialog telling them to contact the administrator to be added to the 'boinc_users' group.
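
The checks a practitioner would run against a finished install, as an added PowerShell example (not code from the BOINC project or from this page): it reads the logon account of the core client service, reports which protection mode is in effect and whether the current user may control BOINC, and lists who holds the user right behind the shared-memory point above. The service name 'BOINC', the PowerShell 5.1 local-account cmdlets and the need for an elevated prompt are assumptions; 'boinc_users' is the group this page names.

```powershell
# Added example, not BOINC project code: audit a BOINC v6 service install on
# Windows for the Secure-mode and protection-policy properties described above.
#
# Assumptions (not stated on the page):
#   * the core client is registered as a Windows service named 'BOINC'
#     (override with -ServiceName if your install uses another name);
#   * PowerShell 5.1 or later, for Get-LocalGroup / Get-LocalGroupMember;
#   * run from an elevated prompt: 'secedit /export' needs administrator rights.
# 'boinc_users' is the control group named on this page.
param(
    [string]$ServiceName  = 'BOINC',
    [string]$ControlGroup = 'boinc_users'
)

function ConvertTo-MachineAccount([string]$Name) {
    # Service logon names appear as '.\user'; local group members as 'HOST\user'.
    return ($Name -replace '^\.\\', "$env:COMPUTERNAME\")
}

function Resolve-Sid([string]$Raw) {
    # secedit writes user rights as '*S-1-5-32-544'; translate to a readable name.
    $s = $Raw.Trim().TrimStart('*')
    try   { ([Security.Principal.SecurityIdentifier]$s).Translate([Security.Principal.NTAccount]).Value }
    catch { $s }
}

# 1. Secure mode: the core client must not run as SYSTEM or as an administrator.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    throw "Service '$ServiceName' not found: not a service install, or a different service name."
}
$logon  = ConvertTo-MachineAccount $svc.StartName
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
$privileged = ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') -or ($admins -contains $logon)
$verdict = if ($privileged) { 'PRIVILEGED, not Secure mode' } else { 'unprivileged' }
"Core client service '$($svc.Name)' runs as '$logon': $verdict"

# 2. Protection policy: is control restricted, and may the current user control BOINC?
$restricted = [bool](Get-LocalGroup -Name $ControlGroup -ErrorAction SilentlyContinue)
$principal  = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
# Reflects the token this script runs with (elevated, per the assumption above).
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$members = if ($restricted) { @(Get-LocalGroupMember -Group $ControlGroup | ForEach-Object Name) } else { @() }
$me      = "$env:USERDOMAIN\$env:USERNAME"
# Direct membership only: groups nested inside the control group are not expanded here.
$canControl = (-not $restricted) -or $isAdmin -or ($members -contains $me)
$policy = if ($restricted) { "restricted to administrators and members of '$ControlGroup'" } else { 'all users may control BOINC' }
"Protection policy: $policy"
"Current user '$me' " + $(if ($canControl) { 'may' } else { 'may NOT' }) + " control BOINC."

# 3. Who holds 'Create global objects' (SeCreateGlobalPrivilege)? Without it an
#    account cannot create Global\ shared-memory sections, the point made above.
$cfg = Join-Path $env:TEMP 'boinc-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$holders = @()
if (Test-Path $cfg) {
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeCreateGlobalPrivilege*' } | Select-Object -First 1
    if ($line -match '=\s*(.+)$') {
        $holders = @($Matches[1] -split ',' | ForEach-Object { Resolve-Sid $_ })
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
"Accounts holding 'Create global objects': $($holders -join ', ')"
if ($holders -contains $logon) {
    "  '$logon' holds it directly."
} else {
    "  '$logon' does not hold it directly (grants through group membership are not resolved here)."
}
```

Two caveats when reading the output. Membership is checked directly, so a user or service account that receives control or the user right through a nested group is reported as lacking it; add that group to the comparison if your install uses one. And on the default Windows policy the holders of 'Create global objects' include NT AUTHORITY\SERVICE, a SID present in the token of any process started by the service control manager, so the service-hosted core client can create Global\ sections whatever its logon account; the restriction described above bites on the science applications, which the client launches as ordinary processes under the second account.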
The installer creates a new directory that serves as the data directory, and migrates existing data files into it.
Having a separate data directory also allows you to use a new hard drive or network drive for data,
without moving the executables. ??? so what?

The default executable directory remains C:\Program Files\BOINC
The default data directory is:
{{{
Vista:
C:\Users\All Users\BOINC

2000/XP:
C:\Documents and Settings\All Users\Application Data\BOINC
}}}
On Vista, C:\Users\All Users is a junction to C:\ProgramData, so the data directory is the same location as C:\ProgramData\BOINC.
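
The separation only buys security if the filesystem permissions match it: the accounts BOINC runs under need write access to the data directory, and must not be able to modify the programs they run. The following PowerShell check is an added example, not code from the BOINC project or from this page. It assumes the default directories given above (with the Vista 'All Users' path expressed as $env:ProgramData), a service named 'BOINC', and that you pass the names of the accounts and groups the installer creates, since the page does not name them.

```powershell
# Added example, not BOINC project code: check that the executable/data split
# actually holds at the filesystem level: the sandbox accounts need write access
# to the data directory but must NOT be able to modify the programs they run.
#
# Assumptions (not stated on the page): the default directories above, with the
# Vista 'All Users' path expressed as $env:ProgramData; the core client service is
# named 'BOINC'; the two accounts the installer creates are not named on the page,
# so pass them (and the groups it creates) with -SandboxAccounts. Run elevated.
param(
    [string]$ExeDir      = 'C:\Program Files\BOINC',
    [string]$DataDir     = (Join-Path $env:ProgramData 'BOINC'),
    [string]$ServiceName = 'BOINC',
    [string[]]$SandboxAccounts = @()
)

function Get-Writers([string]$Path) {
    # Identities granted any write-type right on $Path by an Allow ACE.
    # Generic-rights ACEs (GENERIC_WRITE = 0x40000000, GENERIC_ALL = 0x10000000)
    # show up from Get-Acl as raw numbers, so test those bits too.
    # Deny ACEs are not subtracted: treat the result as an upper bound.
    $writeBits = [int][Security.AccessControl.FileSystemRights]::Write
    $writers = foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = [int]$ace.FileSystemRights
        if (($r -band $writeBits) -or ($r -band 0x40000000) -or ($r -band 0x10000000)) {
            $ace.IdentityReference.Value
        }
    }
    return @($writers | Sort-Object -Unique)
}

foreach ($dir in @($ExeDir, $DataDir)) {
    if (-not (Test-Path -LiteralPath $dir)) { throw "Directory not found: $dir" }
}

# Sandbox identities: whatever was passed in, plus the service logon account.
$sandbox = @($SandboxAccounts)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { $sandbox += ($svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\") }
# Principals every interactive user belongs to.
$everyone = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

$exeWriters  = Get-Writers $ExeDir
$dataWriters = Get-Writers $DataDir
"$ExeDir  writable by: $($exeWriters -join ', ')"
"$DataDir writable by: $($dataWriters -join ', ')"

foreach ($acct in $sandbox) {
    # A sandbox account that can replace the programs it runs escapes the sandbox.
    if ($exeWriters -contains $acct) { "FAIL: sandbox account '$acct' can modify $ExeDir" }
    # The client cannot work without somewhere to write; a grant via a group is not detected here.
    if ($dataWriters -notcontains $acct) { "WARN: '$acct' has no direct write access to $DataDir" }
}
foreach ($g in $everyone) {
    if ($exeWriters -contains $g)  { "FAIL: '$g' can modify $ExeDir" }
    if ($dataWriters -contains $g) { "WARN: '$g' can write to $DataDir; any user can alter the client's files regardless of the Manager policy" }
}
```

The FAIL lines are the ones that matter: if either sandbox account, or a group every user belongs to, can write to the executable directory, the unprivileged accounts are not a boundary at all, because whoever controls them can swap the binaries that the service and every application launch. Write access to the data directory is expected for the BOINC accounts; it is only a finding when it extends to all users.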

* Why are we switching over to account-based sandboxing?

The main reason is security. Currently, with a single-user install, all of the BOINC components run as you. This means a project set up just to snoop on a volunteer's machine could, for instance, send back your Quicken or MS Money files after making it look like your computer did some work. To further protect volunteers from potential BOINC defects and/or malicious projects, two low-privileged users will be created to run BOINC and BOINC-based applications.

* Why are we separating the data and executable directories?

Again, the main reason is security, but it also allows people to move their data to a different location, for instance after buying a new hard drive or when they want to use a network drive.

* Why install as a service instead of a single-user install?

Service installs allow the BOINC core client to be isolated from any user's files. Since the core client is the only BOINC component that accepts incoming TCP/IP connections (the GUI RPC port used by the BOINC Manager), it is the component exposed to network attack; to mitigate disclosure of sensitive user files such as MS Money or Quicken files, the core client is executed under its own user account.

Additionally, by default non-administrative accounts cannot create globally named shared memory segments, so keyboard and mouse activity cannot be monitored without granting an account that additional user right.
