mirror of https://github.com/BOINC/boinc.git
103 lines
3.8 KiB
PHP
103 lines
3.8 KiB
PHP
|
<?php
|
||
|
require_once("docutil.php");
|
||
|
page_head("The Secure BOINC Client");
|
||
|
echo "
|
||
|
Version 5.5.4 of BOINC Manager for the Macintosh features new,
|
||
|
stricter security measures.
|
||
|
This additional security helps protect your computer data from potential theft
|
||
|
or accidental or malicious damage by limiting BOINC projects' access to your
|
||
|
system and data.
|
||
|
Once we have tested this security implementation on the Mac,
|
||
|
we plan to extend it to other computer platforms, including Linux and Windows.
|
||
|
|
||
|
<p>
|
||
|
The installer sets special permission for the BOINC Manager and Client,
|
||
|
which allows them to write to the shared BOINC Data regardless
|
||
|
of which user is logged in.
|
||
|
If you <b>copy</b> BOINC Manager or the BOINC core client
|
||
|
without using the installer, it will not run properly.
|
||
|
However, you can safely <b>move</b> the BOINC Manager within
|
||
|
the same disk drive or partition.
|
||
|
If you need multiple copies,
|
||
|
run the installer again after moving BOINC Manager;
|
||
|
this will create a fresh copy in the <code>/Applications</code> folder.
|
||
|
|
||
|
<p>
|
||
|
BOINC verifies that ownership and permissions are set properly
|
||
|
each time it is launched.
|
||
|
It will tell you to re-install BOINC if there is a problem.
|
||
|
|
||
|
<p>
|
||
|
If you experience problems with this software,
|
||
|
you can re-install a version of BOINC prior to 5.5.4;
|
||
|
this will automatically revert ownership and permissions to the earlier
|
||
|
implementation.
|
||
|
|
||
|
<h3>How it works</h3>
|
||
|
<p>
|
||
|
The new safeguards use the basic security protections built into UNIX
|
||
|
(the base underlying Mac OS X): permissions and ownership.
|
||
|
|
||
|
<p>
|
||
|
The administrator (usually the owner) of each computer creates
|
||
|
one or more users who can log in, can create private files,
|
||
|
and can share other files.
|
||
|
Some of these users are given administrative privileges,
|
||
|
some may not have these privileges.
|
||
|
|
||
|
<p>
|
||
|
There are also groups, which have one or more users as members.
|
||
|
For example, users with administrative privileges are usually members
|
||
|
of the 'admin' group.
|
||
|
|
||
|
<p>
|
||
|
In addition to these 'visible' users and groups,
|
||
|
the operating system contains a number of 'hidden'
|
||
|
users and groups which are used for various purposes.
|
||
|
A person cannot log in as one of these 'hidden' users.
|
||
|
|
||
|
<p>
|
||
|
This structure of users and groups is used to provide security
|
||
|
by restricting what data and operations each person or application can use.
|
||
|
For example, many files belong to user 'system' (also called 'root')
|
||
|
and group 'wheel' so that non-privileged users can't modify them,
|
||
|
thus protecting the computer system from accidental or malicious harm.
|
||
|
|
||
|
<p>
|
||
|
Starting with version 5.5.4 of BOINC for the Macintosh,
|
||
|
the BOINC installer creates 2 new 'hidden'
|
||
|
users <b>boinc_master</b> and <b>boinc_project</b>,
|
||
|
and two new 'hidden' groups,
|
||
|
also named <b>boinc_master</b> and <b>boinc_project</b>
|
||
|
(unless they were created by a previous installation of BOINC.)
|
||
|
|
||
|
<p>
|
||
|
The installer automatically gives administrators
|
||
|
(users who are members of the 'admin' group)
|
||
|
membership in the two new groups,
|
||
|
so that they can manipulate BOINC files.
|
||
|
Non-admin users are denied direct access to these files,
|
||
|
protecting BOINC and its projects' files.
|
||
|
This is particularly useful where many people have access to the computer,
|
||
|
as in a school computer lab.
|
||
|
|
||
|
<p>
|
||
|
BOINC projects are given permission to access only project files,
|
||
|
protecting your computer in the event that someone downloads bad software
|
||
|
from a bogus project, or a legitimate project's
|
||
|
application has a bug that causes it to modify files erroneously.
|
||
|
|
||
|
<p>
|
||
|
Non-admin users can run the BOINC Manager,
|
||
|
but the Manager blocks non-admin users' access to certain functions,
|
||
|
such as Attach, Detach, Reset Project.
|
||
|
BOINC permits a non-admin user to override this restriction
|
||
|
by entering an administrator user name and password.
|
||
|
|
||
|
<p>
|
||
|
For technical details of the implementation, please see
|
||
|
<a href=http://boinc.berkeley.edu/sandbox.php>http://boinc.berkeley.edu/sandbox.php</a>.
|
||
|
";
|
||
|
page_tail();
|
||
|
?>
|