Experimental Physics and
Industrial Control System

[email protected] (Ralph Lange) · Thu, 21 Jan 1999 17:54:23 +0100 (MET)

> > Is there a way I can configure the access security configuration file to use
> > the names/IP address of the individual X-terminals ?
> 
> No.  I was told <since Channel Access Security was born> that to implement this
> feature would make it difficult to port to other operating systems. I was
> encouraged to do this with "prudent system administration" rather than 
> channel access security. I never figured out how to do that either.

Based on the experiences with X-terminals using the "old" (i.e. pre-EPICS)
BESSY I control system I would start thinking in the following direction:

 o Create (additional) different special OPI user accounts for the
   different X-terminals (or security relevant groups of X-terminals) on
   your mainframe.
 o There must be a script-like thing that runs the X-session for the
   generic OPI user (this heavily depends on your system). Insert something
   at the beginning that evaluates $DISPLAY and execs a "su" login shell
   for the appropriate terminal-dependent special OPI user which then
   starts the X-session for the special user.
 o Start all the special OPI users' interactive login shells with calling
   exit if $DISPLAY is not set correctly.
 o Be careful about file permissions. In order to share files between
   different OPI users/X-terminals you might have to create a new group
   for all the special OPI users and set the umask to make everything group 
   writable.
 o Configure your CA Security to work by user instead of by host.

This is just a first thought. I don't claim this to be elegant at all.
Or even working.

Ralph

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System