In our design, BOINC applications run under a specially-created account having a minimal set of privileges. In early versions of BOINC, the applications typically ran as the user who installed BOINC, and had the full privileges of that account.

Our design uses two users and two groups, both specially created for use by BOINC. These users and groups are created by the installation process.

  • Group: boinc_master
  • Group: boinc_project
  • User: boinc_master
    • Primary group: boinc_master
    • Supplementary groups: none
  • User: boinc_project
    • Primary group: boinc_project
    • Supplementary groups: none
On Mac OS X, boinc_project and boinc_master are added to the Supplementary Groups Lists of those other users who are members of group admin. This gives admin users full access to all BOINC and project files.

The following diagram shows user, group and permissions for the BOINC file and directory tree:

Entries are listed as name [user:group, protection].

  • BOINC data [boinc_master:boinc_master, 0771]
    • projects [boinc_master:boinc_project, 0770]
      • setiathome.berkeley.edu [boinc_master:boinc_project, 0775]
        • files created by BOINC Client [boinc_master:boinc_project, 0661 or 0771]
        • files created by project apps [boinc_project:boinc_project, 0661 or 0771]
        • running the BOINC installer changes all files to [boinc_master:boinc_project, 0661 or 0771]
    • slots [boinc_master:boinc_project, 0770]
      • 0 [boinc_master:boinc_project, 0775]
        • files created by BOINC Client [boinc_master:boinc_project, 0661 or 0771]
        • files created by project apps [boinc_project:boinc_project, 0661 or 0771]
        • running the BOINC installer changes all files to [boinc_master:boinc_project, 0661 or 0771]
    • switcher (directory) [boinc_master:boinc_master, 0550]
      • switcher (executable) [root:boinc_master, 0050+setuid]
      • setprojectgrp (executable) [boinc_master:boinc_project, 0500+setgid]
    • locale [boinc_master:boinc_master, 0555]
      • de [boinc_master:boinc_master, 0555]
        • BOINC Manager.mo [boinc_master:boinc_master, 0444]
        • wxstd.mo [boinc_master:boinc_master, 0444]
    • account_*.xml [boinc_master:boinc_master, 0660]
    • acct_mgr_login.xml [boinc_master:boinc_master, 0660]
    • client_state.xml [boinc_master:boinc_master, 0660]
    • gui_rpc_auth.cfg [boinc_master:boinc_master, 0660]
    • sched_reply* [boinc_master:boinc_master, 0660]
    • sched_request* [boinc_master:boinc_master, 0660]
    • ss_config.xml [boinc_master:boinc_master, 0664]

  • BOINC executables [(installing user):admin, 0555]
    • BOINC Manager [boinc_master:boinc_master, 0555]
    • BOINC Client [boinc_master:boinc_master, 0555+setuid+setgid]
    • screensaver (directory) [(installing user):admin, 0555]
      • gfx_switcher (executable) [root:boinc_master, 0555+setuid]

Implementation notes:

  • BOINC Client runs setuid and setgid to boinc_master:boinc_master.
  • BOINC Client uses the helper application setprojectgrp to set project and slot files and directories to group boinc_project.
  • BOINC Client does not directly execute project applications. It runs the helper application switcher, passing the request in the argument list. switcher runs setuid root and immediately changes its real and effective user ID and group ID to boinc_project, so all project applications inherit user and group boinc_project. This blocks project applications from accessing unauthorized files.
  • In most cases, running setuid root is best avoided because it presents a security risk. Here, however, it is necessary in order to reduce risk: only the superuser can change the real user and group IDs of a process, and any process can switch its effective IDs back to its real IDs. Changing the real IDs therefore prevents a malicious or malfunctioning application from reverting to the user and group who launched BOINC.
  • BOINC's use of setuid root for the switcher application is safe because:
    • The switcher application is inside the switcher directory. This directory is accessible only by user and group boinc_master, so that project applications cannot modify the switcher application's permissions or code. This also prevents unauthorized users from using switcher to damage or manipulate project files.
    • The switcher application is readable and executable only by group boinc_master; all other access is forbidden.
    • When it is run, the switcher application immediately changes its real and effective user ID and group ID to boinc_project, disabling its superuser privileges.
  • As of BOINC Version 6.10.5, BOINC Manager no longer runs setgid to group boinc_master, because Mac OS 10.6 does not allow it. So it can be run only by users who are members of group boinc_master. By default, the BOINC installer automatically adds all users who are members of group admin to group boinc_master, and optionally adds non-admin users to group boinc_master. The Manager runs as the user who launched it, which is necessary for a number of GUI features to work correctly. Although this means that BOINC Manager cannot modify files created by project applications, there is no need for it to do so.
  • Starting with BOINC version 6.0, project science applications use a separate companion application to display graphics. These graphics applications are launched by the BOINC Manager when the user clicks on the Show Graphics button. Running the graphics application with the BOINC Manager's user and group would be a security risk, so BOINC Manager uses the switcher application to launch them as user and group boinc_project.
  • The screensaver also can run the graphics applications. The Macintosh screensaver is launched by the operating system, so it runs as the currently logged in user and group. Since running the science projects' graphics applications with this user and group would be a security risk, the screensaver has its own embedded helper application gfx_switcher which it uses to launch and kill the graphics applications. Like the switcher application, gfx_switcher runs setuid root and immediately changes its real and effective user ID and group ID to boinc_project.
  • Starting with BOINC version 6.7, a default screensaver graphics application is provided with BOINC. The screensaver (now more properly called the screensaver coordinator) runs the default graphics alternating with science graphics applications according to a schedule set by the data file ss_config.xml. The default graphics are also run when no science graphics are available, such as when BOINC is suspended. The default graphics executable is run as user and group boinc_project.
  • The BOINC screensaver's use of setuid root for the gfx_switcher application is safe because:
    • When it is run, the gfx_switcher application immediately changes its real and effective user ID and group ID to boinc_project, disabling its superuser privileges.
    • The gfx_switcher application has very limited functionality. It accepts only three commands as its first argument:
      • launch_gfx: the second argument is the slot number. It looks for a soft-link named graphics_app in the specified slot directory and launches the referenced graphics application as user and group boinc_project.
      • default_gfx: launches the default graphics application boincscr in the BOINC data directory as user and group boinc_project.
      • kill_gfx: the second argument is the process ID. It kills the application with the process ID; since it is running as user and group boinc_project, it can affect only processes belonging to that user. This is used to exit all screensaver graphics applications.
  • To hide account keys from unauthorized users, BOINC Client sets its umask to 006 and (as of versions 6.8.20 and 6.10.30) makes all *.xml files in the top-level directory not world-readable (except ss_config.xml, which must be read by the screensaver coordinator). This means that third-party add-ons cannot read BOINC data files; they must use GUI RPCs to access BOINC data.
  • BOINC sets the umask for project applications to 002; the default permissions for all files and directories they create prevent modification outside the boinc_project user and group.
  • Files written by projects are world-readable so that the BOINC Client can read them. Starting with BOINC versions 6.8.20 and 6.10.30, however, the slots directory and the projects directory are executable (traversable) only by user boinc_master and group boinc_project, to prevent unauthorized users from reading account keys from the init_data.xml files.
  • Unauthorized users cannot modify BOINC or project files.
  • Users with admin access are members of groups boinc_master and boinc_project, so they have direct access to all BOINC and project files; this simplifies maintenance and administration.
  • The RPC password file gui_rpc_auth.cfg is accessible only by user and group boinc_master. In other words, only BOINC Manager, BOINC Client and authorized users can read or modify it, restricting access to those BOINC RPC functions which modify BOINC's operation.
  • On Macintosh computers, the actual directory structures of the BOINC Manager application bundle and the screensaver bundle are more complex than implied by the BOINC executables box in the BOINC tree diagram shown above.
  • Some Macintosh system administrators may wish to further limit which users can perform BOINC Manager functions (Activity Menu, etc.). This can be done by moving BOINC Manager out of the /Applications directory into a directory with restricted access.
  • Important information for project developers: The BOINC installer traverses the BOINC data directory and sets the users, groups and permissions of all files as shown in the diagram above. This allows it to repair corrupted permissions. Note that the BOINC installer will change all files and subdirectories in the projects directory, the slots directory, and all their subdirectories to user boinc_master and group boinc_project. This means that:
    • If a project file needs to be executable by another project file, its executable-by-group permission bit must be set. The BOINC installer will not alter the executable-by-user and executable-by-group permission bits of files in these directories (though it will set these bits for the directories themselves.)
    • It is critical that all files and subdirectories under the projects and slots directories have both their read-by-owner and read-by-group permission bits set, and that all subdirectories have both their executable-by-owner and executable-by-group permission bits set.
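
The switcher pattern described in the notes above (setuid root, then immediately change the real and effective IDs to boinc_project and exec the target), written as an added example; this is not BOINC's own switcher code. It assumes the boinc_project user and group exist on the machine, and it refuses to exec anything unless the drop is verified to be irrevocable.

```c
#define _DEFAULT_SOURCE                  /* declares setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Drop root permanently to uid/gid in the order a setuid-root helper must
 * use: supplementary groups and gid while still root, uid last. As root,
 * setgid()/setuid() set the real, effective AND saved ids together, which is
 * what makes the drop irrevocable. Returns 0 on success, -1 on failure. */
int drop_to(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Returns 1 if the process now holds exactly uid/gid (real and effective)
 * and cannot regain root; 0 otherwise. setuid(0)/seteuid(0) are harmless
 * probes here: once the saved uid is gone they must fail with EPERM. */
int drop_is_permanent(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0 || seteuid(0) == 0) return 0;
    return 1;
}

/* Usage (installed setuid root, like switcher): ./helper program [args...] */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam("boinc_project");   /* account names from the design */
    struct group *gr = getgrnam("boinc_project");
    if (!pw || !gr) { fprintf(stderr, "boinc_project user/group not found\n"); return 1; }
    /* Refuse to exec anything unless the drop succeeded and is provably final. */
    if (drop_to(pw->pw_uid, gr->gr_gid) != 0 || !drop_is_permanent(pw->pw_uid, gr->gr_gid)) {
        fprintf(stderr, "privilege drop failed or not permanent\n");
        return 1;
    }
    execvp(argv[1], argv + 1);           /* only returns on failure */
    perror("execvp");
    return 1;
}
```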

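An added audit example (not the BOINC installer's own repair code) that walks a BOINC data directory and reports entries whose mode bits break the rules stated in the notes above: top-level *.xml files other than ss_config.xml must not be world-readable, projects and slots must not be traversable by others, and everything beneath them needs read-by-owner, read-by-group and (for subdirectories) execute-by-owner and execute-by-group. It checks mode bits only; ownership is not verified.

```c
#define _DEFAULT_SOURCE                  /* declares lstat() under strict C modes on glibc */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum { LOC_TOP, LOC_PROJECT_TREE };      /* top of BOINC data vs. under projects/ or slots/ */
/* Check one entry's mode bits against the rules in the notes above.
 * Returns NULL if it complies, otherwise a short reason. */
const char *check_mode(const char *name, int loc, mode_t mode) {
    size_t n = strlen(name);
    int is_dir = S_ISDIR(mode);
    int is_xml = n > 4 && strcmp(name + n - 4, ".xml") == 0;
    if (loc == LOC_TOP) {
        if (!is_dir && is_xml && strcmp(name, "ss_config.xml") != 0 && (mode & S_IROTH))
            return "top-level .xml must not be world-readable";
        if (is_dir && (!strcmp(name, "projects") || !strcmp(name, "slots")) && (mode & S_IXOTH))
            return "projects/slots must not be traversable by others";
    } else {
        if ((mode & (S_IRUSR | S_IRGRP)) != (S_IRUSR | S_IRGRP))
            return "needs read-by-owner and read-by-group";
        if (is_dir && (mode & (S_IXUSR | S_IXGRP)) != (S_IXUSR | S_IXGRP))
            return "subdirectory needs execute-by-owner and execute-by-group";
        if (mode & S_IWOTH)
            return "must not be world-writable";
    }
    return NULL;
}

/* Recursively audit a directory, printing each violation; returns the count. */
int audit_dir(const char *dir, int loc) {
    DIR *d = opendir(dir);
    struct dirent *e; struct stat st; char path[4096]; int bad = 0;
    if (!d) { perror(dir); return 1; }
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) continue;   /* symlinks are skipped */
        const char *why = check_mode(e->d_name, loc, st.st_mode);
        if (why) { printf("%s: %s (mode %04o)\n", path, why, st.st_mode & 07777); bad++; }
        int descend = loc == LOC_PROJECT_TREE || !strcmp(e->d_name, "projects") || !strcmp(e->d_name, "slots");
        if (S_ISDIR(st.st_mode) && descend) bad += audit_dir(path, LOC_PROJECT_TREE);
    }
    closedir(d);
    return bad;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <BOINC data directory>\n", argv[0]); return 2; }
    return audit_dir(argv[1], LOC_TOP) ? 1 : 0;   /* non-zero exit when violations were found */
}
```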