Update Sandbox docs for running default ss as user and group boinc_project

svn path=/trunk/boinc/; revision=17816
Charlie Fenton 2009-04-15 08:55:30 +00:00
parent c05e303e58
commit a007ad51cf
1 changed files with 9 additions and 16 deletions


@ -202,38 +202,32 @@ its own embedded helper application <i>gfx_switcher</i> which it uses to
launch and kill the graphics applications.
Like the <i>switcher</i> application, <i>gfx_switcher</i> runs setuid
<b>root</b> and immediately changes its real and effective user ID and
group ID to either <b>boinc_project</b> or <b>boinc_master</b>
group ID to <b>boinc_project</b>.
<li>Starting with BOINC version 6.7, a default screenaver graphics application
is provided with BOINC. The screensaver (now more properly called the
<b>screensaver coordinator</b>) runs the default graphics alternating with science
graphics applications according to a schedule set by the data file ss-config.xml.
The default graphics are run also when no science graphics are available, such as
when BOINC is suspended. The default graphics executable is run as user and group
<b>boinc_master</b>. This gives it access to the RPC password file and so to all
GUI RPCs, but allows the screensaver coordinator to kill it (via <i>gfx_switcher</i>)
when appropriate.
<b>boinc_project</b>.
<li>The BOINC screensaver's use of setuid <b>root</b> for the
<i>gfx_switcher</i> application is safe because:
<ul>
<li>When it is run, the <i>gfx_switcher</i> application immediately changes
its real and effective user ID and group ID to either <b>boinc_project</b>
or <b>boinc_master</b>, disabling its superuser privileges.
its real and effective user ID and group ID to <b>boinc_project</b>, disabling
its superuser privileges.
<li>The <i>gfx_switcher</i> application has very limited functionality. It
accepts only four commands as its first argument:
accepts only three commands as its first argument:
<ul>
<li><i>launch_gfx</i>: the second argument is the slot number. It looks for
a soft-link named <b>graphics_app</b> in the specified slot directory and launches
the referenced graphics application as user and group <b>boinc_project</b>.
<li><i>default_gfx</i>: launches the default graphics application <i>boincscr</i>
in the BOINC data directory as user and group <b>boinc_project</b>.
<li><i>kill_gfx</i>: the second argument is the process ID. It kills the
application with the process ID; since it is running as user and group
<b>boinc_project</b>, it can affect only processes belonging to that user.
This is used to exit the science graphics application
<li><i>default_gfx</i>: launches the default graphics application <i>boincscr</i>
in the BOINC data directory as user and group <b>boinc_master</b>.
<li><i>kill_default_gfx</i>: the second argument is the process ID. It kills the
application with the process ID; since it is running as user and group
<b>boinc_master</b>, it can affect only processes belonging to that user.
This is used to exit the default graphics application.</ul>
This is used to exit all screensaver graphics applications.</ul>
</ul>
<li>BOINC Client sets its umask to 006 to hide account keys from unauthorized
users. This means that third-party add-ons cannot read BOINC data files; they
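Review bot: the replacement line "<b>boinc_project</b>." drops the previous explanation of why the default graphics ran as boinc_master ("This gives it access to the RPC password file and so to all GUI RPCs") without saying what the consequence of the new uid is; add a sentence stating that boincscr therefore cannot read the RPC password file and has no access to authenticated GUI RPCs, and, if it still needs client data, how it now gets it. Two smaller points in the same hunk: the typo "screenaver" survives in the unchanged context line "Starting with BOINC version 6.7, a default screenaver graphics application" and is worth fixing while this paragraph is being edited; and the retained safety argument under kill_gfx, "it can affect only processes belonging to that user", now covers every process running as boinc_project rather than only the graphics applications launched by launch_gfx and default_gfx, so the text should say which processes run under that user for the reader to judge the claim.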
@ -251,8 +245,7 @@ to simplify maintenance and administration.
<li>The RPC password file <i>gui_rpc_auth.cfg</i>
is accessible only by user and group <b>boinc_master</b>.
In other words, only BOINC Manager, BOINC Client and authorized administrative
users can read or modify it, limiting access to most BOINC RPC functions. As
of BOINC version 6.7, the default screenaver graphics application also can read it.
users can read or modify it, limiting access to most BOINC RPC functions.
<li>BOINC Manager restricts certain functions to authorized users:
Attach to Project, Detach from Project, Reset Project, Abort Task,
Abort Transfer, Update Account Manager.
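Review bot: removing "As of BOINC version 6.7, the default screenaver graphics application also can read it" is consistent with the earlier change to boinc_project, but the sentence that remains, "only BOINC Manager, BOINC Client and authorized administrative users can read or modify it", should say explicitly that the default screensaver graphics application (boincscr) is no longer among the readers, since the text it replaces stated the opposite and a reader comparing 6.7 builds will otherwise not know which behaviour applies.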