Version 22 (modified by 17 years ago) (diff) | ,
---|
Windows installer logic for version 6
Major differences from version 5 are:
- Account-based sandboxing using unprivileged accounts.
- Moves the BOINC data directory if needed.
- BOINC executables are in a separate directory.
- Simplified installer user experience.
Sandboxing
The installer offers two modes: 'Graphics compatible' and 'Secure'.
Graphics compatible installations will be the same as the single-user installation of the v5 generation of clients. The manager will be responsible for launching the core client, and all applications will be launched in the same security context as the user who logged into the system. Choose this option if you would like to see graphics from older as well as newer science applications, or projects who have long running tasks which won't complete for awhile.
If the user selects Secure, two accounts and three groups will be created:
- boinc_master
- The core client runs under this account.
- boinc_project
- Apps and graphics app run under this account.
If the computer being installed upon is a domain controller, then the account names will have the computer name appended on to them.
Groups:
- boinc_admins
- Members of this group can change the configuration and protection settings for the BOINC client (for example the GUI RPC password and host list) and can also run the BOINC Manager and screensaver.
- boinc_users
- Members of this group can run the BOINC Manager and screensaver.
Initially, each group contains the following members:
boinc_admins | Administrator <Installing User> 'boinc_master' |
boinc_users | Everyone (if 'Allow everyone to use BOINC' is checked), else empty |
Account passwords are managed as follows:
- The installer creates a file 'client_auth.xml' in the BOINC data directory containing the name and base64 encoded password of the boinc_project account.
- The password properties are added to SecureCustomProperties to prevent them being logged.
- The password for boinc_master is managed by Windows.
On each installation, both of the account passwords are randomly regenerated.
Data directory
All data, configuration files, and logs will be moved to the following default location:
Vista: C:\Users\All Users\BOINC 2000/XP: C:\Documents and Settings\All Users\Application Data\BOINC
Under the data directory there will be 'projects' and 'slots' directories.
Directories will have the following permissions:
BOINC | SYSTEM (Full Control) Administrators (Full Control) boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write) boinc_users (Read & Execute, List Folder Contents, Read) boinc_project (Deny All) |
BOINC\projects | SYSTEM (Full Control) Administrators (Full Control) boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write) boinc_users (Read & Execute, List Folder Contents, Read) boinc_project (Modify, Read & Execute, List Folder Contents, Read, Write) |
BOINC\slots | SYSTEM (Full Control) Administrators (Full Control) boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write) boinc_users (Read & Execute, List Folder Contents, Read) boinc_project (Modify, Read & Execute, List Folder Contents, Read, Write) |
Notes: What to do if an organization has disabled the 'Bypass Traverse Checking' user right for Everyone? See http://support.microsoft.com/kb/823659 for more details.
Executables directory
Same default location as previous versions, C:\Program Files\BOINC
Directory will have the following permissions:
BOINC | SYSTEM (Full Control) Administrators (Full Control) boinc_admins (Modify, Read & Execute, List Folder Contents, Read, Write) boinc_users (Read & Execute, List Folder Contents, Read) boinc_project (Deny All) |
User Interface
Welcome Screen
Same as before.
License Screen
Same as before.
Configuration Screen
This dialog displays:
Click Next to use installation defaults. Click Advanced to use customize. [Advanced] [Next]
Advanced goes to the advanced configuration page.
Advanced Configuration
Data directory: [...] [Browse] Program directory: [...] [Browse] [] Launch BOINC on system startup [] Use BOINC Screensaver [] Protected application execution. If checked, you will have increased protection against misbehaving BOINC project applications. However, this may cause screensaver graphics to not work for older applications.
Checkboxes are off by default. If any values are present from previous install, use them.
The following text will be used to describe this option:
Choose this installation method if you run BOINC projects which haven't upgraded their applications in awhile or have very long running workunits.
Secure installations will install BOINC as a service on Windows, and will be executed using the 'boinc' user account security context. BOINC science applications will be executed as the 'boinc_project' security context. Graphics will be available only for newer (Version 6) science applications. Choose this option if you are concerned about security. The following text will be used to describe this option:
Choose this installation method if you require the most secure installation method. This install method doesn't support screensaver graphics with older applications.
Choosing 'Next' when the 'Graphics Compatible' installation is selected brings the user to the 'Confirmation' screen.
Choosing 'Next' when the 'Secure' installation is selected brings the user to the 'Advanced Configuration (Service Options)' screen.
Advanced Configuration (Service Options)
A text box will be displayed requesting which user account should be used as the 'boinc' account. A password text box should be displayed to the right of the 'boinc' username text box.
A text box will be displayed requesting which user account should be used as the 'boinc_project' account. A password text box should be displayed to the right of the 'boinc_project' username text box.
A checkbox will be displayed, Allow everyone to use BOINC, which will be checked by default.
Both the 'boinc' and 'boinc_project' accounts should be validated before the user is allowed to proceed to the next screen. If the user specifies an account to use for the 'boinc' account, then automatic account creation will be disabled for the 'boinc' account. If the user specifies an account to use for the 'boinc_project' account, then automatic account creation will be disabled for the 'boinc_project' account.
Confirmation Screen
Same as before.
Custom Actions
Several specialized pieces of code will manage the migration from the v5 data directory to v6 data directory structure. These custom pieces of code will all be executed during the execution phase of setup and will be introduced in between the following standard custom actions:
... MSI: Validates installation package ... CAValidateSetup CAShutdownBOINC CAShutdownBOINCManager CAShutdownBOINCManager95 CAShutdownBOINCScreensaver ... ... MSI: Remove older version if it exists ... CACleanupOldBinaries CAMigratex86x64 CAMigrateCPDNBBC CACreateBOINCAccounts (New in Version 6.0) CACreateBOINCGroups (New in Version 6.0) CAMigrateBOINCData (New in Version 6.0) ... ... MSI: Begin installation process
CAValidateSetup
Checks that the parameters passed into the installation program are valid for the installation type. Otherwise it reports an error to the user. This is a backup check for validating the parameters passed in via the command line, if the user is installing via the GUI this shouldn't ever be a problem.
IF SetupType == 'Single-User' THEN IF ALLUSERS == 1 THEN ABORT END IF IF SERVICE* IS NOT NULL THEN ABORT END IF ELSE IF SERVICE* IS NULL THEN ABORT END IF END IF
CAShutdownBOINC
Kills boinc.exe if it is currently executing on the system.
TerminateProcessByName("boinc.exe")
CAShutdownBOINCManager
Kills boincmgr.exe if it is currently executing on the system.
TerminateProcessByName("boincmgr.exe")
CAShutdownBOINCManager95
Kills boincmgr.exe if it is currently executing on the system using Win9x compatible means.
TerminateProcessByName95("boincmgr.exe")
CAShutdownBOINCScreensaver
Kills boinc.scr if it is currently executing on the system.
TerminateProcessByName95("boinc.scr")
CACleanupOldBinaries
Deletes any lingering files left over from a previous BOINC installation, this can sometimes happen if a user replaces a stock client with a optimized one.
DeleteFile(strInstallDirectory + _T("\\boinc.exe")); DeleteFile(strInstallDirectory + _T("\\boincmgr.exe")); DeleteFile(strInstallDirectory + _T("\\boinccmd.exe")); DeleteFile(strInstallDirectory + _T("\\boinc.dll")); DeleteFile(strInstallDirectory + _T("\\libcurl.dll")); DeleteFile(strInstallDirectory + _T("\\libeay32.dll")); DeleteFile(strInstallDirectory + _T("\\ssleay32.dll")); DeleteFile(strInstallDirectory + _T("\\zlib1.dll")); DeleteFile(strInstallDirectory + _T("\\dbghelp.dll")); DeleteFile(strInstallDirectory + _T("\\dbghelp95.dll")); DeleteFile(strInstallDirectory + _T("\\srcsrv.dll")); DeleteFile(strInstallDirectory + _T("\\symsrv.dll"));
CAMigratex86x64
Migrate any data files from "C:\Program Files (x86)\BOINC" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist.
MoveFileEx("C:\\Program Files (x86)\\BOINC", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);
CAMigrateCPDNBBC
Migrate any data files from "C:\Program Files\Climate Change Experiment" to "C:\Program Files\BOINC" if "C:\Program Files\BOINC" doesn't already exist.
MoveFileEx("C:\\Program Files\\Climate Change Experiment", strInstallDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);
CACreateBOINCAccounts
Creates the two user accounts that BOINC will need to complete a secure installation. Passwords are base64 encoded before being stored to disk.
strComputerName = GetComputerName() bIsDomainController = IsDomainController() GetProperty("BOINC_USERNAME", strBOINCUsername) GetProperty("BOINC_PROJECT_USERNAME", strBOINCProjectUsername) IF bIsDomainController THEN IF strBOINCUsername IS NULL THEN strBOINCUsername = "boinc_" + strComputerName END IF IF strBOINCProjectUsername IS NULL THEN strBOINCProjectUsername = "boinc_project_" + strComputerName END IF ELSE IF strBOINCUsername IS NULL THEN strBOINCUsername = "boinc" END IF IF strBOINCProjectUsername IS NULL THEN strBOINCProjectUsername = "boinc_project" END IF END IF strBOINCAccountPassword = GenerateNewPassword() strBOINCProjectAccountPassword = GenerateNewPassword() IF GetUserAccount(strBOINCUsername) EXISTS THEN ResetUserAccountPassword(strBOINCUsername, strBOINCAccountPassword); ELSE CreateUserAccount(strBOINCUsername, strBOINCAccountPassword) SetUserAccountProperty(strBOINCUsername, "PasswordNeverExpires") END IF IF GetUserAccount(strBOINCProjectUsername) EXISTS THEN ResetUserAccountPasswordstrBOINCProjectUsername, strBOINCProjectAccountPassword); ELSE CreateUserAccount(strBOINCProjectUsername, strBOINCProjectAccountPassword) SetUserAccountProperty(strBOINCProjectUsername, "PasswordNeverExpires") END IF WriteAccountsToDisk(strBOINCUsername, strBOINCAccountPassword, strBOINCProjectUsername, strBOINCProjectAccountPassword)
CACreateBOINCGroups
Creates the two security groups that BOINC will need to complete a secure installation.
strComputerName = GetComputerName() bIsDomainController = IsDomainController() GetProperty("BOINC_USERNAME", strBOINCUsername) GetProperty("BOINC_PROJECT_USERNAME", strBOINCProjectUsername) IF bIsDomainController THEN IF strBOINCUsername IS NULL THEN strBOINCUsername = "boinc_" + strComputerName END IF IF strBOINCProjectUsername IS NULL THEN strBOINCProjectUsername = "boinc_project_" + strComputerName END IF ELSE IF strBOINCUsername IS NULL THEN strBOINCUsername = "boinc" END IF IF strBOINCProjectUsername IS NULL THEN strBOINCProjectUsername = "boinc_project" END IF END IF IF GetGroup("boinc_administrators") NOT EXISTS THEN CreateGroup("boinc_administrators") AddUserToGroup("Administrator") AddUserToGroup(GetCurrentUsername()) AddUserToGroup(strBOINCUsername) END IF IF GetGroup("boinc_project") NOT EXISTS THEN CreateGroup("boinc_project") AddUserToGroup(strBOINCProjectUsername) END IF
CAMigrateBOINCData
Migrate any data files from "C:\Program Files\BOINC" to all users application data location if the all users application data location doesn't already exist.
MoveFileEx("C:\\Program Files\\BOINC", strDataDirectory, MOVEFILE_COPY_ALLOWED|MOVEFILE_WRITE_THROUGH);
Reverting to a previous version of BOINC
Instructions will be provided on the website for copying the data files from the new location back to the old location, and how to delete the newly created users and groups. The user and group deletion should be handled by the uninstaller.