Subject: Re: [Merge] ~epics-core/epics-base/+git/asLib:as-hostname into epics-base:7.0
From: Bruce Hill via Core-talk <[email protected]>
To: mdavidsaver <[email protected]>
Date: Wed, 14 Aug 2019 05:59:34 -0000

Successfully tested this patch w/ pvAccess gwdev branch and pva2pva d7314ea from mdavidsaver.
Tested IOC and ca-gateway instances w/ asCheckClientIP=0 and asCheckClientIP=1.
ca-gateway was based on R2-1-1-0 with inline code to set asCheckClientIP.
No changes were needed to pcas version 4.13.2.
With asCheckClientIP=0, a hacked caput can bypass ASG RULES using hostnames.
With asCheckClientIP=1, caput can only spoof username.
For pvput and IOC testing:
With asCheckClientIP=0, all ASG RULES using HAG deny write access.
With asCheckClientIP=1, pvput works same as CA for all UAG and HAG based ASG RULES. (Didn't test variables in RULES or spoofing username in pvput.)
Also tested w/ new p4p gateway as a client while p4p gateway is running its own access security.
--
https://code.launchpad.net/~epics-core/epics-base/+git/asLib/+merge/358822
Your team EPICS Core Developers is subscribed to branch epics-base:7.0.