Version 8 (modified by davea, 13 years ago)


Windows installer version 6 design
This document describes the design of the BOINC Windows installer for version 6. See also the implementation details.

New features

Changes to BOINC version 6 include:

  • Choice of multi-user protection policy
  • Optional account-based sandboxing
  • Separate data and executable directories
  • Simplified installer experience

Multi-user protection policy

The installer offers two protection modes:

  • Public: all users on the host can control BOINC (i.e. attach/detach projects) using the BOINC Manager.
  • Private: only the user who installed BOINC or an administrator can control BOINC. Other users can be granted control by adding them to a 'boinc_users' group. When other users run the BOINC Manager, they get a dialog telling them to contact the administrator to be added to the 'boinc_users' group.

Account-based sandboxing

The installer offers two security modes:

  • Secure: the BOINC client and applications run under unprivileged accounts. The client runs as a service (this is necessary because Windows lacks a "setuid" feature; running a program as a different user requires storing the password of that user, which we don't want to do).
  • Graphics compatible: the client and applications run under the account of the user who logged into the system. This allows users to see graphics from older as well as newer science applications, and from projects with long-running tasks that won't complete for a while. The client does not run as a service (otherwise graphics wouldn't work). This option is available only with the Private protection policy.

The advantages of Secure mode are:

  • It limits the damage that can be done by buggy or malicious applications
  • It limits the damage due to bugs or network security vulnerabilities in the core client.
  • By default, non-administrative accounts cannot create globally named shared memory segments, so keyboard and mouse activity cannot be monitored by the applications without granting their account that additional user right.

In secure mode, the BOINC client is started at system boot time by the service control manager. For a Public installation, the BOINC Manager is launched at login for all users (this simplifies the installer; it can be disabled by removing the shortcut from All Users / Microsoft / Start Menu / Startup). For a Private installation, the Manager is started at login only for the installing user.

In graphics compatible mode, the BOINC Manager is launched when the installing user logs on (a shortcut to it is in the user's Startup folder). The Manager in turn launches the BOINC client.
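The following PowerShell script is an added post-install check, not part of the BOINC wiki page or the BOINC installer: it reports which of the modes and policies described above an installed BOINC appears to use. It assumes the client service is registered under the name 'BOINC', that the Manager's autostart shortcut is named 'BOINC Manager.lnk', and that the Get-LocalGroup* cmdlets (PowerShell 5.1 on Windows 10 or later) are available; the 'boinc_users' group name comes from the design text.

```powershell
# Added example (not from the BOINC project): audit an installed BOINC against
# the Secure / graphics-compatible and Public / Private choices described above.
$serviceName  = 'BOINC'               # assumed service name
$groupName    = 'boinc_users'         # control group named in the design
$shortcutName = 'BOINC Manager.lnk'   # assumed Startup shortcut name

# Secure mode: the client runs as a service under an unprivileged account.
# No service at all means the Manager starts the client (graphics-compatible mode).
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "No '$serviceName' service: graphics-compatible mode (client launched by the Manager) or not installed."
} else {
    if ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
        Write-Warning "Service '$serviceName' runs as $($svc.StartName); Secure mode expects an unprivileged account."
    } else {
        Write-Output "Service '$serviceName' runs as $($svc.StartName), StartMode=$($svc.StartMode)."
    }
}

# Private policy: only the installing user, administrators, and boinc_users members control BOINC.
$grp = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
if ($null -eq $grp) {
    Write-Output "Group '$groupName' absent: no Private-policy control group is configured."
} else {
    $me        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $me
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $members   = (Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue).Name
    $isMember  = $members -contains $me.Name
    Write-Output "Private policy: $($me.Name) can control BOINC = $($isAdmin -or $isMember)"
}

# Where the Manager autostarts distinguishes a Public Secure install (all-users Startup)
# from a Private or graphics-compatible one (installing user's Startup folder).
foreach ($folder in 'CommonStartup', 'Startup') {
    $path = Join-Path ([Environment]::GetFolderPath($folder)) $shortcutName
    Write-Output ("Manager shortcut in {0}: {1}" -f $folder, (Test-Path $path))
}
```

Run it in an elevated PowerShell session if you want the group membership listing to succeed on hosts that restrict Get-LocalGroupMember to administrators.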

Separation of executable and data files

Previous versions of BOINC on Windows stored the data files and executable files in the same directory. This created problems on Vista; writing to C:\Program Files\BOINC is by default prohibited in Vista, allowing BOINC to be run only from user accounts with Administrator privileges. Furthermore, Windows Defender blocks BOINC Manager at startup, requiring the user to dismiss a balloon.

Having a separate data directory also allows you to use a new hard drive or network drive for data, without moving the executables. This makes BOINC installations more portable, and simplifies backing up BOINC.

The V6 installer creates a new data directory and migrates existing data files to it. The default executable directory remains C:\Program Files\BOINC. The default data directory is:

  • C:\Users\All Users\BOINC
  • C:\Documents and Settings\All Users\Application Data\BOINC

Simplified installer experience

Welcome Screen

Same as before.

License Screen

Same as before.

Configuration Screen

title: Installation options
subtitle: These are the current installation options

Program directory:  [...]
Data directory:  [...]

Use BOINC screensaver
Protected application execution
Allow all users on this computer to control BOINC

Click Next to use these options.
Click Advanced to customize options.
[Advanced] [Next]

Advanced goes to the advanced configuration page. Next goes to the Confirmation screen.

Advanced Configuration

title: Customize installation options
subtitle: Customize how BOINC is installed on your computer

Program directory: [...] [Browse]
Data directory: [...] [Browse]

[ ] Use BOINC Screensaver
[X] Protected application execution.
    This provides increased protection against faulty project applications.
    However, it may cause screensaver graphics to not work with older applications.
[X] Allow all users on this computer to control BOINC

Checkboxes labeled as [X] are enabled by default; the others are disabled by default. If any values are present from a previous install, use them. The "Allow all users" checkbox is disabled unless the "Protected application execution" checkbox is set.

'Next' goes to 'Confirmation' screen.

Confirmation Screen

Same as before.

Discussion Topics

  • Why was the 'Launch BOINC on startup' option removed from the installer?

The 'Launch BOINC on startup' option actually started the BOINC Manager, so on systems where BOINC was being installed as a service it was being ignored. Most people do not understand the difference between BOINC and the BOINC Manager. Most people who install BOINC want it to run whenever they are not around.

To keep things simple we decided to remove the option and set up the system so that both BOINC and the BOINC Manager are started at system startup or logon. If users want to change this behavior, they can delete the BOINC Manager shortcut and/or change the service properties via the service control manager administrative tool.