wiki:SandboxUser

Version 6 (modified by Nicolas, 14 years ago) (diff)

Fix TracLinks to work in Trac 0.11

Client security and sandboxing

Account-based sandboxing is a technique in which BOINC applications run in an unprivileged user account, to limit the ability of project applications to access files outside of the BOINC directory or to cause other problems. An excellent discussion of this and other security issues is here.

Starting with version 5.5.4, the Macintosh version of BOINC does account-based sandboxing. Account-based sandboxing will be added to the Windows version starting in version 6.0.

On Linux and Windows, you can implement account-based sandboxing by creating a new, unprivileged account, and installing BOINC under that account.

Account-based sandboxing on the Macintosh

Version 5.5.4 of BOINC Manager for the Macintosh features new, stricter security measures. This additional security helps protect your computer data from potential theft or accidental or malicious damage by limiting BOINC projects' access to your system and data.

The installer sets special permission for the BOINC Manager and Client, which allows them to write to the shared BOINC Data regardless of which user is logged in. If you copy BOINC Manager or the BOINC core client without using the installer, it will not run properly. However, you can safely move the BOINC Manager within the same disk drive or partition. If you need multiple copies, run the installer again after moving BOINC Manager; this will create a fresh copy in the /Applications folder.

BOINC verifies that ownership and permissions are set properly each time it is launched. It will tell you to re-install BOINC if there is a problem.

If you experience problems with this software, you can re-install a version of BOINC prior to 5.5.4; this will automatically revert ownership and permissions to the earlier implementation.

How it works

The new safeguards use the basic security protections built into UNIX (the base underlying Mac OS X): permissions and ownership.

The administrator (usually the owner) of each computer creates one or more users who can log in, can create private files, and can share other files. Some of these users are given administrative privileges, some may not have these privileges.

There are also groups, which have one or more users as members. For example, users with administrative privileges are usually members of the 'admin' group.

In addition to these 'visible' users and groups, the operating system contains a number of 'hidden' users and groups which are used for various purposes. A person cannot log in as one of these 'hidden' users.

This structure of users and groups is used to provide security by restricting what data and operations each person or application can use. For example, many files belong to user 'system' (also called 'root') and group 'wheel' so that non-privileged users can't modify them, thus protecting the computer system from accidental or malicious harm.

Starting with version 5.5.4 of BOINC for the Macintosh, the BOINC installer creates 2 new 'hidden' users boinc_master and boinc_project, and two new 'hidden' groups, also named boinc_master and boinc_project (unless they were created by a previous installation of BOINC.)

The installer automatically gives administrators (users who are members of the 'admin' group) membership in the two new groups, so that they can manipulate BOINC files. Non-admin users are denied direct access to these files, protecting BOINC and its projects' files. This is particularly useful where many people have access to the computer, as in a school computer lab.

BOINC projects are given permission to access only project files, protecting your computer in the event that someone downloads bad software from a bogus project, or a legitimate project's application has a bug that causes it to modify files erroneously.

Non-admin users can run the BOINC Manager, but the Manager blocks non-admin users' access to certain functions, such as Attach, Detach, Reset Project. BOINC permits a non-admin user to override this restriction by entering an administrator user name and password.

For technical details of the implementation, please see sandbox.php.