boinc
boinc copied to clipboard
BOINC
Revisit using unprivileged account on Windows
A while back we explored having the Windows client run apps under an unprivileged account. I believe we found that this prevented the apps from using GPUs, and we made it into an install option ("protected mode" or something).
Is this still the case? It would be nice if we offered the same level of security on Win as on Mac.
Even if this sandboxing technique can't work for applications that require GPU access (and maybe some problems with vbox/docker as well?), there's no reason not to make it be default for CPU. Windows 10 now also comes with a "sandbox" mode that may be useful as well, though I'm not sure what protections exactly it offers or if there is any performance loss.
The problem is that if user later wants to use GPU - theyvwl have to reinstall BOINC that is not good. But as promised, I'll take a look at it and maybe will find some suitable solution.
Regarding Windiws sandbox - it's too heavy, and provides no API or tools to control files within this sandbox, and asking user every time to run Windows sandbox, install BOINC there, attach to the projects or project manager, etc is not good. Windows sandbox is good when you want manually to test smth, but nothing more.