Well, maybe such an architecture would be more secure and useful then: the BOINC core always runs as a service, under BOINC's own account with restricted rights. This BOINC core makes scheduling and launch decisions based on the requests it receives and on settings files. It launches CPU apps under (again) their own account, just as was done for the service install before. (A service can launch a process under another account, right?) Also, it launches GPU apps under the account of the current console owner if, let's say, BOINC Manager is running under that account and requesting GPU usage. Or, even better, if at install time the PC owner decided to enable BOINC operation under all user accounts, BOINC's installer arranges to launch an additional process (like boinctray.exe now, for example) at user logon and without a GUI. This process could detect whether its owner owns the console now and ask the BOINC core to launch the GPU app under the current console owner's account.
That way BOINC execution will be secure in almost all parts except GPU processing. And GPU processing itself will be available at any user logon. A logon will still be required, but any local logon (the session can be locked; I checked, the console stays connected and a GPU app can work in a locked local session on Windows 2008 Server) instead of just an Administrator logon can make a huge difference in GPU processing availability and total host performance on a multi-user setup.

Thursday, 7 March 2013, 17:06 -05:00 from "Rom Walton" <[email protected]>:
>Windows does not have the setuid equivalent functionality that *nix has.
>
>In order for one process to launch a new process as a different user, the
>first process has to have the rights to do it. Which generally are given to
>administrative accounts. Boinc_master is granted the right to launch
>processes with a different token at install time.
>
>Starting with Win2k Microsoft introduced the RunAs service, which allows
>ordinary users to launch applications as another user by virtue of the RunAs
>service being the elevated process. However, the last time I checked, the
>newly created process created by the RunAs service could not properly use GPU
>resources. Microsoft may have fixed that in more recent versions of Windows
>(Win7 and Win8).
>
>The last time I really dove into this area Nvidia, ATI, and even the OpenCL
>framework all required any process attempting to use the GPU be the same user
>account that owns the console session. Which led to the current design and
>restrictions.
>
>----- Rom
>
>-----Original Message-----
>From: boinc_alpha [mailto:[email protected]] On Behalf Of
>Raistmer the Sorcerer
>Sent: Thursday, March 07, 2013 4:44 PM
>To: [email protected]
>Subject: Re: [boinc_alpha] Wrong BOINC behavior on multi-user host. Zero-level
>of security for multi-user environment!
>
> Update of this report:
>BOINC 7.0.54 service install on Win2003x64 host:
>project app runs under boinc_project account, boinc.exe runs under
>boinc_master account. Just as it should be.
>So, the question is: why does BOINC neglect security settings when installed
>under a single user?
>
>One should make a clear distinction between "protected execution", that is, an
>app launched with limited rights. BTW, BOINC should always run in such a
>config, or at least it should be the default.
>And "service install", which means installing BOINC as a Windows OS service.
>From the very beginning these 2 concepts were merged into one, and it's not good.
>Currently service install has too big a performance penalty, not being able to
>use the GPU on modern Windows OS - the main crunching power these days.
>So, almost all users will install it not in service mode.... and UNPROTECTED.
>As I reported before, in that mode BOINC (5.0.52, did something change with
>this release?) runs itself and runs project apps under the superuser account
>where it was initially installed.
>
>Maybe this should actually belong to the dev list, because some redesign is
>required to make BOINC secure enough in the most common usage scenario.
>
>
>
>Thursday, 28 February 2013, 21:10 +04:00 from Raistmer the Sorcerer <[email protected]>:
>>I installed the latest (7.0.52) x64 BOINC client in "user" mode on Windows 2008
>>Server, because "protected" mode installation doesn't allow GPU computations at
>>all.
>>During install I selected only a single user to control BOINC (as opposed to
>>"all users control BOINC").
>>So, in my understanding, it should be installed ONLY under the administrator
>>account, launch ONLY when the administrator logs in and not bother other users
>>of the PC.
>>But reality differs quite a bit.
>>At another user's logon BOINC attempted to start and complained that it already
>>runs under another user account!
>>Such behavior is unacceptable for multi-user configs.
>>Does anyone test BOINC in a multi-user environment at all, or does everyone
>>just install it on a personal PC with a single account?
>>Please, fix this behavior ASAP. BOINC should never interact with other users
>>unless it is directly instructed at install time to do this. It should never
>>attempt to launch under other users' accounts unless it was directly
>>instructed to do this at installation time.
>>
>>Also:
>>At installation BOINC created 3 user groups: boinc_admins,
>>boinc_projects, boinc_users. For what??? Only one group, boinc_admins,
>>has any members. boinc_users is empty (but BOINC tried to run under a user
>>account (!) ). boinc_projects - empty (but the host is already attached to 2
>>projects - what is this group for then?) If these groups are in use only for
>>"protected mode install", then what are they doing on my server? I used another
>>kind of install. If not - why are they empty, especially, why is boinc_projects
>>empty?
>>Currently both projects run their own binaries under the Administrator account
>>(!) Does no one see a security problem here? If one thinks that the BOINC
>>operator can change these security settings manually - why bother to create
>>empty groups?
>>The operator can create groups, really. Half-baked at least...
>>
>>

_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
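
The quoted report describes project apps running under the Administrator account and installer-created groups that are empty. One way to check this on a host, as an added example that is not from the thread or from the BOINC project: it assumes Windows PowerShell 5.1 or later run elevated, and uses only the process and group names mentioned above.

```powershell
# Added example: audit which accounts the BOINC client and its project apps run under.
# boinc.exe and the boinc_* group names are taken from the thread; run elevated.

# Members of the local Administrators group, looked up by its well-known SID.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)

$all       = Get-CimInstance -ClassName Win32_Process
$clientIds = @($all | Where-Object Name -eq 'boinc.exe' | ForEach-Object ProcessId)

# The client itself plus every process it launched (the project apps).
$targets = $all | Where-Object { $_.Name -eq 'boinc.exe' -or $_.ParentProcessId -in $clientIds }

$report = foreach ($p in $targets) {
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    [pscustomobject]@{
        Role      = if ($p.Name -eq 'boinc.exe') { 'client' } else { 'project app' }
        Name      = $p.Name
        ProcessId = $p.ProcessId
        SessionId = $p.SessionId   # 0 is the services session on Vista and later
        Account   = $account
        # Direct group membership only; SYSTEM is flagged explicitly because it is not a member.
        HighPrivilege = ($account -in $admins) -or ($owner.User -eq 'SYSTEM')
    }
}
$report | Sort-Object Role, Name | Format-Table -AutoSize

# Membership of the groups the installer created; the report found two of them empty.
$groupReport = foreach ($g in 'boinc_admins', 'boinc_projects', 'boinc_users') {
    $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group   = $g
        Count   = $members.Count
        Members = ($members.Name -join ', ')
    }
}
$groupReport | Format-Table -AutoSize
```

A row with Role "project app" and HighPrivilege set to True corresponds to the unprotected configuration the report complains about.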
