Changes between Initial Version and Version 1 of SandboxUser


Timestamp: Apr 26, 2007, 5:22:42 AM (18 years ago)
Author: KSMarksPsych
Comment:

Added page. Looks like the text might need some updating. The final link has no corresponding WikiName.

  • SandboxUser

    v1 v1  
     1= The Secure BOINC Client =
     2       
     3Version 5.5.4 of BOINC Manager for the Macintosh features new, stricter security measures. This additional security helps protect your computer data from potential theft or accidental or malicious damage by limiting BOINC projects' access to your system and data. Once we have tested this security implementation on the Mac, we plan to extend it to other computer platforms, including Linux and Windows.
     4
     5The installer sets special permission for the BOINC Manager and Client, which allows them to write to the shared BOINC Data regardless of which user is logged in. If you '''copy''' BOINC Manager or the BOINC core client without using the installer, it will not run properly. However, you can safely '''move''' the BOINC Manager within the same disk drive or partition. If you need multiple copies, run the installer again after moving BOINC Manager; this will create a fresh copy in the `/Applications` folder.
     6
     7BOINC verifies that ownership and permissions are set properly each time it is launched. It will tell you to re-install BOINC if there is a problem.
     8
     9If you experience problems with this software, you can re-install a version of BOINC prior to 5.5.4; this will automatically revert ownership and permissions to the earlier implementation.
     10
     11== How it works ==
     12
     13The new safeguards use the basic security protections built into UNIX (the base underlying Mac OS X): permissions and ownership.
     14
     15The administrator (usually the owner) of each computer creates one or more users who can log in, can create private files, and can share other files. Some of these users are given administrative privileges, some may not have these privileges.
     16
     17There are also groups, which have one or more users as members. For example, users with administrative privileges are usually members of the 'admin' group.
     18
     19In addition to these 'visible' users and groups, the operating system contains a number of 'hidden' users and groups which are used for various purposes. A person cannot log in as one of these 'hidden' users.
     20
     21This structure of users and groups is used to provide security by restricting what data and operations each person or application can use. For example, many files belong to user 'system' (also called 'root') and group 'wheel' so that non-privileged users can't modify them, thus protecting the computer system from accidental or malicious harm.
     22
     23Starting with version 5.5.4 of BOINC for the Macintosh, the BOINC installer creates 2 new 'hidden' users '''boinc_master''' and '''boinc_project''', and two new 'hidden' groups, also named '''boinc_master''' and '''boinc_project''' (unless they were created by a previous installation of BOINC.)
     24
     25The installer automatically gives administrators (users who are members of the 'admin' group) membership in the two new groups, so that they can manipulate BOINC files. Non-admin users are denied direct access to these files, protecting BOINC and its projects' files. This is particularly useful where many people have access to the computer, as in a school computer lab.
     26
     27BOINC projects are given permission to access only project files, protecting your computer in the event that someone downloads bad software from a bogus project, or a legitimate project's application has a bug that causes it to modify files erroneously.
     28
     29Non-admin users can run the BOINC Manager, but the Manager blocks non-admin users' access to certain functions, such as Attach, Detach, Reset Project. BOINC permits a non-admin user to override this restriction by entering an administrator user name and password.
     30
     31For technical details of the implementation, please see http://boinc.berkeley.edu/sandbox.php.
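
Review bot: line 5 says the installer "sets special permission" for the BOINC Manager and Client but never names that permission, and line 7 says BOINC "verifies that ownership and permissions are set properly" without giving the expected values. For a security page, state the expected owner, group and mode of the Manager, the client and the BOINC Data directory, or point to the part of the technical document linked on line 31 that lists them, so an administrator can audit an installation independently of the launch-time check. Line 25 adds every member of 'admin' to both boinc_master and boinc_project; a sentence on why administrators need boinc_project membership would help, since line 27 presents that account as the boundary that confines project code. Line 29 should say whether the administrator name and password entered by a non-admin user unlock only the single blocked function or the whole Manager session. Minor: line 23 mixes "2 new" and "two new", and its final period belongs outside the closing parenthesis; line 3's "Once we have tested ... we plan to extend it" is dated wording of the kind the change comment already flags for updating.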