Windows installer version 6 design
Introduction
This document describes the design of the BOINC Windows installer for version 6. See also the implementation details.
New features
Changes to BOINC version 6 include:
- Choice of multi-user protection policy.
- Optional account-based sandboxing.
- Separate data and executable directories.
- Simplified installer interface.
Multi-user protection policy
The installer offers two protection modes:
- Public: all users on the host can control BOINC (i.e. attach/detach projects) using the BOINC Manager.
- Private: only the user who installed BOINC or an administrator can control BOINC. Other users can be granted control by adding them to a 'boinc_users' local group. When a user who is not allowed runs the BOINC Manager, it shows a dialog telling them to contact the administrator to be added to the 'boinc_users' group.
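The access decision described above for the Private policy, as an added PowerShell example (not the installer's or the Manager's own code): the current user is allowed if they are the installing user, a local Administrator, or a member of the 'boinc_users' group. The page does not say how the Manager records the installing user, so that is passed in as a parameter here, and the dialog text is assumed.

```powershell
# Added example: decide whether the current user may control BOINC under the
# Private protection policy. Allowed if: the installing user (passed in, since
# how the installer records it is not described on this page), a local
# Administrator, or a member of the local 'boinc_users' group named in the design.
function Test-BoincControlAllowed {
    param(
        [string]$InstallingUser = '',            # assumption: MACHINE\user or DOMAIN\user who ran the installer
        [string]$ControlGroup   = 'boinc_users'  # group name from the design
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Administrators are always allowed.
    if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        return $true
    }

    # The user who ran the installer is always allowed.
    if ($InstallingUser -and ($identity.Name -ieq $InstallingUser)) {
        return $true
    }

    # Otherwise the user must belong to the local control group. The group may not
    # exist (e.g. it was never created), so treat a missing group as "not allowed".
    try {
        $groupSid = (Get-LocalGroup -Name $ControlGroup -ErrorAction Stop).SID
    } catch {
        return $false
    }

    # $identity.Groups holds the SIDs in the logon token, so this also covers nested
    # groups. Membership added after logon only takes effect at the next logon,
    # which is the same way Windows itself evaluates group-based access.
    $match = $identity.Groups | Where-Object { $_.Value -eq $groupSid.Value }
    return [bool]$match
}

# Usage (the installing-user value is a constructed example):
if (-not (Test-BoincControlAllowed -InstallingUser "$env:COMPUTERNAME\alice")) {
    Write-Host "You are not permitted to control BOINC on this computer. Ask an administrator to add you to the 'boinc_users' group."
}
```

Comparing SIDs rather than account names avoids false negatives from the different name formats (MACHINE\user versus DOMAIN\user) that Get-LocalGroupMember and WindowsIdentity report.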
Account-based sandboxing
The installer offers two security modes:
- Secure: the BOINC client and applications run under unprivileged accounts. The client runs as a service (this is necessary because Windows lacks a "setuid" feature; running a program as a different user requires storing the password of that user, which we don't want to do).
- Graphics compatible: the client and applications run under the account of the user who logged into the system. This lets users see graphics from older as well as newer science applications, and from projects with long-running tasks. The client does not run as a service (otherwise graphics wouldn't work). This option is available only with the Private protection policy.
The advantages of Secure mode are:
- It limits the damage that can be done by buggy or malicious applications.
- It limits the damage due to bugs or network security vulnerabilities in the core client.
- By default, non-administrative accounts cannot create globally named shared memory segments, so keyboard and mouse activity cannot be monitored from those accounts without granting them that additional user right.
In secure mode, the BOINC client is started at system boot time by the service control manager. For a Public installation, the BOINC Manager is launched at login for all users (this simplifies the installer; it can be disabled by removing the shortcut from All Users / Microsoft / Start Menu / Startup). For a Private installation, the Manager is started at login only for the installing user.
In graphics compatible mode, the BOINC Manager is launched when the installing user logs on (a shortcut to it is in the user's Startup folder). The Manager in turn launches the BOINC client.
Separation of executable and data files
Previous versions of BOINC on Windows stored the data files and executable files in the same directory. This created problems on Vista: writing to C:\Program Files\BOINC is prohibited by default in Vista, so BOINC could be run only from user accounts with Administrator privileges. Furthermore, Windows Defender blocks BOINC Manager at startup, requiring the user to dismiss a balloon.
Having a separate data directory also allows you to use a new hard drive or network drive for data, without moving the executables. This makes BOINC installations more portable, and simplifies backing up BOINC.
The V6 installer creates a new data directory and migrates existing data files to it. The default executable directory remains C:\Program Files\BOINC. The default data directory is:
- Vista: C:\ProgramData\BOINC
- 2000/XP: C:\Documents and Settings\All Users\Application Data\BOINC
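An added PowerShell example (not part of the installer) that lets an administrator confirm the split described above: it lists which principals hold write-class permissions on the program directory and on the data directory, and warns if the program directory is writable by non-administrators, which is the situation the separate data directory is meant to avoid. The paths are the V6 defaults named above; the set of "broad" identities flagged at the end is an assumption.

```powershell
# Added example: report who may write to the BOINC program and data directories.
# Executables should live under Program Files (writable by administrators only),
# data under ProgramData (writable by the accounts BOINC runs under).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

function Get-WriteGrantees {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return @([pscustomobject]@{ Path = $Path; Identity = '(directory missing)'; Rights = ''; Inherited = $false })
    }

    $acl = Get-Acl -LiteralPath $Path
    # Keep only Allow ACEs that carry at least one write-class right.
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $WriteRights) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

$programDir = Join-Path $env:ProgramFiles 'BOINC'
$dataDir    = Join-Path $env:ProgramData  'BOINC'   # Vista default; 2000/XP use All Users\Application Data\BOINC

Get-WriteGrantees -Path $programDir | Format-Table -AutoSize
Get-WriteGrantees -Path $dataDir    | Format-Table -AutoSize

# Flag the failure mode the design is meant to avoid: non-administrators able to
# write into the program directory. The list of "broad" identities is an assumption.
$broad = Get-WriteGrantees -Path $programDir | Where-Object {
    $_.Identity -in 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
}
if ($broad) {
    Write-Warning "Program directory is writable by non-administrators: $($broad.Identity -join ', ')"
}
```

Run it from an elevated prompt after installation; the data directory is expected to show write ACEs for the accounts BOINC runs under, while the program directory should show only SYSTEM and Administrators.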
Simplified installer interface
The new installer eliminates the Single/Multi/Service choice, the Run on Startup checkbox, and the directory selection (the equivalent choices are still available, but under an Advanced screen).
Welcome Screen
Same as before.
License Screen
Same as before.
Configuration Screen
title: Installation options
subtitle: These are the current installation options
Program directory: [...]
Data directory: [...]
Use BOINC screensaver
Protected application execution
Allow all users on this computer to control BOINC
Click Next to use these options. Click Advanced to customize options.
[Advanced] [Next]
Advanced goes to the advanced configuration page. Next goes to the Confirmation screen.
Advanced Configuration
title: Customize installation options
subtitle: Customize how BOINC is installed on your computer
Program directory: [...] [Browse]
Data directory: [...] [Browse]
[X] Use BOINC Screensaver
[X] Protected application execution. This provides increased protection against faulty project applications. However, it may cause screensaver graphics to not work with older applications.
[X] Allow all users on this computer to control BOINC
[Next]
Checkboxes labeled [X] are enabled by default; otherwise they are disabled. If any values are present from a previous install, use them. The "Allow all users" checkbox is disabled unless the "Protected" checkbox is set.
'Next' goes to 'Confirmation' screen.
Confirmation Screen
Same as before.
Discussion Topics
- Why was the 'Launch BOINC on startup' option removed from the installer?
The 'Launch BOINC on startup' option actually started the BOINC Manager, so on systems where BOINC was being installed as a service it was being ignored. Most people do not understand the difference between BOINC and the BOINC Manager. Most people who install BOINC want it to run whenever they are not around.
To keep things simple we decided to remove the option and set up the system so that both BOINC and the BOINC Manager are started at system startup or logon. If users want to change this behavior they can delete the BOINC Manager shortcut and/or change the service properties via the service control manager administrative tool.