Sandbox design

This document describes the permissions structure for BOINC on the Macintosh. It has been updated for BOINC versions 6.8.20 and 6.10.30 and later. The purpose of this scheme is to 'sandbox' BOINC applications, i.e. to limit the amount of damage that a malicious or malfunctioning application can cause.

In our design, BOINC applications run under a specially-created account having a minimal set of privileges. In early versions of BOINC, the applications typically ran as the user who installed BOINC, and had the full privileges of that account.

Our design uses two users and two groups, both specially created for use by BOINC. These users and groups are created by the installation process.

On Mac OS X, boinc_project and boinc_master are added to the Supplementary Groups Lists of those other users who are members of group admin. This gives admin users full access to all BOINC and project files.

The following diagram shows user, group and permissions for the BOINC file and directory tree:

BOINC data
   user: boinc_master
   group: boinc_master
   protection: 0771
projects
   user: boinc_master
   group: boinc_project
   protection: 0770
setiathome.berkeley.edu
   user: boinc_master
   group: boinc_project
   protection: 0775
files created by BOINC Client
   user: boinc_master
   group: boinc_project
   protection: 0661 or 0771


files created by project apps
   user: boinc_project
   group: boinc_project
   protection: 0661 or 0771


running BOINC installer changes all files to
   user: boinc_master
   group: boinc_project
   protection: 0661 or 0771


slots
   user: boinc_master
   group: boinc_project
   protection: 0770
0
   user: boinc_master
   group: boinc_project
   protection: 0775
files created by BOINC Client
   user: boinc_master
   group: boinc_project
   protection: 0661 or 0771


files created by project apps
   user: boinc_project
   group: boinc_project
   protection: 0661 or 0771


running BOINC installer changes all files to
   user: boinc_master
   group: boinc_project
   protection: 0661 or 0771


switcher (directory)
   user: boinc_master
   group: boinc_master
   protection: 0550
switcher (executable)
   user: root
   group: boinc_master
   protection: 0050+setuid


setprojectgrp (executable)
   user: boinc_master
   group: boinc_project
   protection: 0500+setgid


locale
   user: boinc_master
   group: boinc_master
   protection: 0555
de
   user: boinc_master
   group: boinc_master
   protection: 0555
BOINC Manager.mo
   user: boinc_master
   group: boinc_master
   protection: 0444


wxstd.mo
   user: boinc_master
   group: boinc_master
   protection: 0444


account_*.xml
   user: boinc_master
   group: boinc_master
   protection: 0660


acct_mgr_login.xml
   user: boinc_master
   group: boinc_master
   protection: 0660


client_state.xml
   user: boinc_master
   group: boinc_master
   protection: 0660


gui_rpc_auth.cfg
   user: boinc_master
   group: boinc_master
   protection: 0660


sched_reply*
   user: boinc_master
   group: boinc_master
   protection: 0660


sched_request*
   user: boinc_master
   group: boinc_master
   protection: 0660


ss_config.xml
   user: boinc_master
   group: boinc_master
   protection: 0664



BOINC executables
   user: (installing user)
   group: admin
   protection: 0555
BOINC Manager
   user: boinc_master
   group: boinc_master
   protection: 0555


BOINC Client
   user: boinc_master
   group: boinc_master
   protection: 0555+setuid+setgid


screensaver (directory)
   user: (installing user)
   group: admin
   protection: 0555
gfx_switcher (executable)
   user: root
   group: boinc_master
   protection: 0555+setuid

Implementation notes:



Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.