Windows installer version 6 design
This document describes the design of the BOINC Windows installer for version 6. See also the implementation notes.
Changes to BOINC version 6 include:
- Optional account-based sandboxing
- Choice of access control policy.
- Separate data and executable directories
- Simplified installer interface
The installer offers two security modes:
Secure: the BOINC client and applications run under unprivileged accounts. The client runs as a service, and runs even when no user is logged in.
Graphics compatible: the client runs only when a user is logged in. It and the applications run under the account of the logged-in user. This lets users see graphics from older science applications as well as newer ones, including projects whose long-running tasks will not complete for a while. The client does not run as a service. With this option, only the installing user and members of the Administrators group can control BOINC (i.e. attach/detach projects).
The advantages of Secure mode are:
- It limits the damage that can be done by buggy or malicious applications
- It limits the damage due to bugs or network security vulnerabilities in the core client.
- Keyboard/mouse detection works with multiple users. By default, non-administrative accounts cannot create globally named shared memory segments (that requires the 'Create global objects' user right), so without the service keyboard and mouse activity could not be monitored across user sessions unless an account were set up with that additional user right.
In secure mode, the BOINC client is started at system boot time by the service control manager. For a Public installation, the BOINC Manager is launched at login for all users (this simplifies the installer; it can be disabled by removing the shortcut from All Users / Microsoft / Start Menu / Startup). For a Private installation, the Manager is started at login only for the installing user.
In graphics compatible mode, the BOINC Manager is launched when the installing user logs on (a shortcut to it is in the user's Startup folder). The Manager in turn launches the BOINC client.
Access control modes
With Secure installs, the installer offers two access-control modes:
Public: all users can control BOINC.
Private: the only users who can control BOINC are the installing user, members of the Administrators group, and members of the 'boinc_users' group. When other users run the BOINC Manager, they get a dialog telling them to contact the administrator to be added to the 'boinc_users' group.
Separation of executable and data files
Previous versions of BOINC on Windows stored the data files and executable files in the same directory. This created problems on Vista: writing to C:\Program Files\BOINC is prohibited by default, so BOINC could be run only from user accounts with Administrator privileges. Furthermore, Windows Defender blocked BOINC Manager at startup, requiring the user to dismiss a balloon.
Having a separate data directory also allows you to use a new hard drive or network drive for data, without moving the executables. This makes BOINC installations more portable, and simplifies backing up BOINC.
The V6 installer creates a new data directory and migrates existing data files into it. The default executable directory remains C:\Program Files\BOINC. The default data directory is:
- Vista: C:\ProgramData\BOINC
- 2000/XP: C:\Documents and Settings\All Users\Application Data\BOINC
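The PowerShell script below is an added example, not part of this design page or of the BOINC code base. It audits an installed BOINC v6 against the design described here: which security mode is in effect (whether the client is registered as a service and which account it runs under), who has been granted control through the 'boinc_users' group on a Private install, which accounts can write to the data and program directories, and whether the Manager autostart shortcut is in the All Users or the current user's Startup folder. The service name 'BOINC', the shortcut name 'BOINC Manager.lnk', and the expected data-directory location derived from CommonApplicationData are assumptions; the page states none of them. It is written for Windows PowerShell 2.0 (the Vista/XP era) and so uses WMI, ADSI and .NET rather than newer cmdlets.

```powershell
# Added example: audit a BOINC v6 Windows install against the v6 design.
# Not BOINC's own code. Assumed (not on the page): service name 'BOINC',
# shortcut name 'BOINC Manager.lnk', default program directory.
$ServiceName  = 'BOINC'                # assumed
$GroupName    = 'boinc_users'          # named on the page
$ShortcutName = 'BOINC Manager.lnk'    # assumed
$ProgramDir   = Join-Path $env:ProgramFiles 'BOINC'
# CommonApplicationData is C:\ProgramData on Vista and
# C:\Documents and Settings\All Users\Application Data on 2000/XP,
# which are exactly the defaults the design lists.
$DataDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'BOINC'

function Get-BoincMode {
    # Secure mode: client registered as a service under an unprivileged account.
    # Graphics compatible mode: no service; the Manager launches the client at logon.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if ($svc -eq $null) {
        return New-Object PSObject -Property @{ Mode = 'GraphicsCompatible' }
    }
    # Built-in accounts that would contradict "runs under an unprivileged account".
    $builtin = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
                 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    return New-Object PSObject -Property @{
        Mode       = 'Secure'
        Account    = $svc.StartName
        StartMode  = $svc.StartMode
        State      = $svc.State
        Privileged = ($builtin -contains $svc.StartName)
    }
}

function Get-BoincControllers {
    # Private install: control is limited to the installing user, Administrators,
    # and members of boinc_users. Returns the group's members, or $null if the
    # group does not exist (Public install or graphics compatible mode).
    $members = @()
    try {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        foreach ($m in $group.psbase.Invoke('Members')) {
            $members += $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        }
    } catch {
        return $null
    }
    return $members
}

function Get-DirectoryWriters {
    # Identities with an Allow ACE that includes Write on the directory.
    # Standard users need write access to the data directory (that is why data
    # moved out of Program Files); they should not have it on the program directory.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $write) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-ManagerAutostart {
    # Secure/Public: shortcut in the All Users Startup folder.
    # Secure/Private and graphics compatible: shortcut in the installing user's Startup folder.
    return New-Object PSObject -Property @{
        AllUsers    = Test-Path (Join-Path ([Environment]::GetFolderPath('CommonStartup')) $ShortcutName)
        CurrentUser = Test-Path (Join-Path ([Environment]::GetFolderPath('Startup')) $ShortcutName)
    }
}

function Show-Writers([string]$Label, [string]$Path) {
    $w = Get-DirectoryWriters $Path
    if ($w -eq $null) { "$Label $Path (not found)" }
    else { "$Label $Path writable by: $($w -join '; ')" }
}

$mode = Get-BoincMode
"Security mode: $($mode.Mode)"
if ($mode.Mode -eq 'Secure') {
    "Service account: $($mode.Account) (start: $($mode.StartMode), state: $($mode.State))"
    if ($mode.Privileged) {
        "WARNING: service runs as a built-in privileged account, not an unprivileged one"
    }
}
$ctl = Get-BoincControllers
if ($ctl -eq $null) { "Group $GroupName absent: Public install or graphics compatible mode" }
else { "Private install; members of ${GroupName}: $($ctl -join ', ')" }
Show-Writers 'Data directory:   ' $DataDir
Show-Writers 'Program directory:' $ProgramDir
$auto = Get-ManagerAutostart
"Manager autostart shortcut: all users=$($auto.AllUsers), current user=$($auto.CurrentUser)"
```

Run it from an elevated prompt on the machine being checked; reading the service account and the local group works for any user, but some directory ACLs may not be readable from a standard account. A Secure install whose service runs as LocalSystem, or whose Program Files directory is writable by BUILTIN\Users, departs from the design and is worth investigating.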
Simplified installer interface
The new installer eliminates the Single/Multi/Service? choice, the Run on Startup checkbox, and the directory selection (the equivalent choices are available, but under an Advanced screen).
Same as before.
Same as before.
title: Installation options
subtitle: These are the current installation options
Program directory: [...]
Data directory: [...]
Use BOINC screensaver
Protected application execution
Allow all users on this computer to control BOINC
Click Next to use these options. Click Advanced to customize options.
[Advanced] [Next]
Advanced goes to the advanced configuration page. Next goes to the Confirmation screen.
title: Customize installation options
subtitle: Customize how BOINC is installed on your computer
Program directory: [...] [Browse]
Data directory: [...] [Browse]
[X] Use BOINC Screensaver
[X] Protected application execution. Run project applications under an unprivileged account. This provides increased protection against faulty applications, but it may cause graphics to not work with older applications.
[X] Allow all users on this computer to control BOINC
[Next]
Checkboxes shown as [X] are checked by default; the others are unchecked. If values are present from a previous install, use them. The "Allow all users" checkbox cannot be selected unless "Protected application execution" is checked, because in graphics compatible mode only the installing user and Administrators can control BOINC.
'Next' goes to 'Confirmation' screen.
Same as before.
- Why was the 'Launch BOINC on startup' option removed from the installer?
The 'Launch BOINC on startup' option actually started the BOINC Manager, so on systems where BOINC was installed as a service it was ignored. Most people do not understand the difference between BOINC (the client) and the BOINC Manager, and most people who install BOINC want it to run whenever they are not around.
To keep things simple we decided to remove the option and set up the system so that both the BOINC client and the BOINC Manager are started at system startup or logon. Users who want to change this behavior can delete the BOINC Manager shortcut from the Startup folder and/or change the service's startup type via the Services administrative tool (the service control manager).