wiki:ClientSetupWinSix

Version 4 (modified by romw, 13 years ago)

Updates

Windows Installer Specification v6


Introduction

BOINC version 6 for Windows is a big improvement in security. In order to take advantage of the increased security though, there needs to be some major changes to the installer.

Implementation details can be found here.

Goals

The goals of the installer for v6 are:

  • Account-based sandboxing
  • Separate the data files from the executable files
  • Simplify installer experience

Account-based Sandboxing

BOINC will now utilize the Windows users’ and groups’ functionality to control specifically who can execute and manage BOINC.

Two user accounts will be created: one for executing BOINC itself and one for executing the BOINC applications. Three local user groups will be created to manage BOINC.

Executable/Data Separation

Previous versions of BOINC on Windows stored the data files and executable files in the same directory structure, which made managing permissions difficult.

The installer will now need to create a new directory that will serve as the data directory. The installer will migrate data files to the new data directory if they exist.
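The account and directory layout described in the two sections above, as an added PowerShell sketch that is not the BOINC installer's own code. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later), the account name boinc_master and group name boinc_admins (only boinc_project is named on this page), placeholder directories, and a hypothetical 'slots' subdirectory as the one place project applications may write.

```powershell
# Added example, not the BOINC installer's own code. Account/group names other than
# boinc_project and the directory paths are assumptions chosen for illustration.
#Requires -RunAsAdministrator
$ProgramDir = 'C:\Program Files\BOINC'   # executables: read/execute for everyone
$DataDir    = 'C:\ProgramData\BOINC'     # data: writable only by the client's account

# Two low-privileged local accounts with random passwords nobody needs to know again:
# the service is configured with them once, and the accounts never log on interactively.
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}
foreach ($name in 'boinc_master', 'boinc_project') {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $name -Password (New-RandomPassword) `
            -PasswordNeverExpires -UserMayNotChangePassword `
            -Description 'BOINC sandbox account' | Out-Null
    }
}

# Local group whose members are allowed to control BOINC. The "Allow all users on this
# computer to control BOINC" option would correspond to adding every user to it.
if (-not (Get-LocalGroup -Name 'boinc_admins' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'boinc_admins' -Description 'May control BOINC' | Out-Null
}
Add-LocalGroupMember -Group 'boinc_admins' -Member $env:USERNAME -ErrorAction SilentlyContinue

New-Item -ItemType Directory -Force -Path $ProgramDir, $DataDir | Out-Null

# Program directory: replace inherited ACEs; only Administrators and SYSTEM may write.
icacls $ProgramDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    'Users:(OI)(CI)RX' | Out-Null

# Data directory: the core client's account owns the state, the admin group can read it,
# and the project account is kept out of everything except the assumed 'slots' area.
icacls $DataDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    'boinc_master:(OI)(CI)F' 'boinc_admins:(OI)(CI)RX' | Out-Null
$SlotsDir = Join-Path $DataDir 'slots'   # assumed location for per-task work
New-Item -ItemType Directory -Force -Path $SlotsDir | Out-Null
icacls $SlotsDir /grant 'boinc_project:(OI)(CI)M' | Out-Null

icacls $DataDir   # show the resulting ACL for review
```

Running `icacls` on both directories afterwards is the quickest way to confirm that boinc_project holds no rights on the data directory outside the subdirectory it was granted.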

Simplify installer experience

Welcome Screen

Same as before.

License Screen

Same as before.

Configuration Screen

title: Installation options
subtitle: These are the current installation options

Program directory:  [...]
Data directory:  [...]

Use BOINC screensaver
Protected application execution
Allow all users on this computer to control BOINC


Click Next to use these options.
Click Advanced to customize options.
[Advanced] [Next]

Advanced goes to the advanced configuration page. Next goes to the Confirmation screen.

Advanced Configuration

title: Customize installation options
subtitle: Customize how BOINC is installed on your computer

Program directory: [...] [Browse]
Data directory: [...] [Browse]

[ ] Use BOINC Screensaver
[X] Protected application execution.
    This provides increased protection against faulty project applications.
    However, it may cause screensaver graphics to not work with older applications.
[X] Allow all users on this computer to control BOINC
[Next]

Checkboxes labeled as [X] are enabled by default; otherwise they are disabled. If any values are present from a previous install, use them. The "Allow users" checkbox is disabled unless the "Protected" checkbox is set.

'Next' goes to 'Confirmation' screen.

Confirmation Screen

Same as before.

Discussion Topics

  • Why are we switching over to account-based sandboxing?

The main reason is security. Currently, if you install using a single-user install, all of the BOINC components run as you. This means there is a potential problem if a project has been set up just to snoop on a volunteer’s machine. For instance, they could send back your Quicken or MS Money files after making it look like your computer did some work. So, to further protect a volunteer from potential BOINC defects and/or malicious projects, two low-privileged users will be created to run BOINC and BOINC-based applications.

  • Why are we separating the data and executable directories?

Again the main reason is security, but it also allows for people to move their data to a different location in case they buy a new hard drive or want to use a network drive.

  • Why install as a service instead of a single user install?

Service installs allow the BOINC core client to be isolated from any user's files. Since the core client has the only available incoming TCP/IP connection, it is at risk of being hacked; to mitigate information disclosure of sensitive user files such as MS Money or Quicken files, the core client is executed with its own user account.

By default non-administrative accounts cannot create globally named shared memory segments, therefore keyboard and mouse activity could not be monitored without setting up an account with that additional user right.

  • Why was the 'Launch BOINC on startup' option removed from the installer?

The 'Launch BOINC on startup' option actually started the BOINC Manager, so on systems where BOINC was being installed as a service it was being ignored. Most people do not understand the difference between BOINC and the BOINC Manager. Most people who install BOINC want it to run whenever they are not around.

To keep things simple, we decided to remove the option and set up the system so that both BOINC and the BOINC Manager are started at system startup or logon. If users want to change this behavior, they can delete the BOINC Manager shortcut and/or change the service properties via the Service Control Manager administrative tool.

  • Launching worker and graphics applications as boinc_project.

Isolate BOINC-based applications from BOINC and the rest of the system.