Experimental Physics and Industrial Control System


 

Subject: RE: X-terminals & EPICS security
From: johill@lanl.gov (Jeff Hill)
To: "tech-talk@aps.anl.gov" <tech-talk@aps.anl.gov>
Date: Thu, 21 Jan 1999 12:16:09 -0700
On Thursday, January 21, 1999 8:32 AM, Ned Arnold [SMTP:nda@aps.anl.gov] wrote:
>  
> > I want to implement EPICS security to place control restrictions based upon
> > the physical location  (control room, experimental areas)  of our OPI's,
> > which are all  X-terminals 'served' from a single host (Sun).   All of the
> > CA clients are run on our host,  and Channel Access (security) does not
> > 'know' where the medm displays are located.
> > 
> > Is there a way I can configure the access security configuration file to use
> > the names/IP address of the individual X-terminals ?
> > 
> > 
> 
> 
> No.  I was told <since Channel Access Security was born> that to implement this
> feature would make it difficult to port to other operating systems. I was
> encouraged to do this with "prudent system administration" rather than 
> channel access security. I never figured out how to do that either.
> 

This does appear to be somewhat messy to implement without impacting portability
(and the one or two other things that I have to get done at the moment).
The CA client library would need to know that X is in use and then ask it where
the server is (since the DISPLAY variable isn't always defined), but if the X
window system is running over DECNET then perhaps we have a problem ;-)
Also, it is possible that one process is talking to more than one X server.
Perhaps in this situation the host location would be listed as "unknown". We 
would of course need to be very careful about directly linking any of the code
in EPICS base with X (and therefore preventing sites from running without it).

A similar problem occurs when cau is run from an rlogin, telnet, rsh, ssh ...
session. When we did the first cut at access control, I looked briefly at a solution for 
remote login and this appeared to be difficult to implement under UNIX in a portable 
fashion. We could however create a bit of code for each UNIX system. The default 
behavior for new operating systems would be to not implement this, but the proper 
OS specific code could always be added later as the need and inclination arises.

If we choose to pursue this then the first step would be to move the part of CA that
determines a client's host name to libCom so that there are independent versions of 
the routine for each operating system. This would also make the code easier to
maintain by persons that are not familiar with CA, but are familiar with the local
operating system.

Jeff
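
The following is an added illustration of the lookup discussed in this message, not code from the post or from EPICS: a hypothetical helper, `opi_location`, that derives the X terminal's host from a DISPLAY-style string and reports "unknown" when the variable is undefined, malformed, or in the DECnet `node::0` form. It assumes DISPLAY is the only source consulted; that value comes from the client's own environment, so the result is client-asserted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; nothing here is an EPICS base or libCom API. */
enum opi_loc { OPI_UNKNOWN, OPI_LOCAL, OPI_REMOTE };

/* Derive the X server host from a DISPLAY-style string such as "host:0.0".
 * out receives the host name, "local", or "unknown". */
enum opi_loc opi_location(const char *display, char *out, size_t outlen)
{
    const char *colon;
    size_t i, n;

    if (out == NULL || outlen == 0)
        return OPI_UNKNOWN;
    snprintf(out, outlen, "unknown");
    if (display == NULL || *display == '\0')
        return OPI_UNKNOWN;             /* DISPLAY is not always defined */
    colon = strrchr(display, ':');      /* last ':' precedes the display number */
    if (colon == NULL || !isdigit((unsigned char)colon[1]))
        return OPI_UNKNOWN;             /* malformed */
    if (colon > display && colon[-1] == ':')
        return OPI_UNKNOWN;             /* "node::0" is DECnet, not handled */
    n = (size_t)(colon - display);
    if (n == 0 || (n == 4 && memcmp(display, "unix", 4) == 0) ||
        (n == 9 && memcmp(display, "localhost", 9) == 0)) {
        snprintf(out, outlen, "local"); /* a forwarded ssh session also lands here */
        return OPI_LOCAL;
    }
    if (n >= outlen)
        return OPI_UNKNOWN;             /* never truncate: a cut name could match another host */
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)display[i]) && display[i] != '.' && display[i] != '-')
            return OPI_UNKNOWN;         /* unexpected character in host part */
    memcpy(out, display, n);
    out[n] = '\0';
    return OPI_REMOTE;
}

int main(void)
{
    const char *s[] = { "xt-controlroom1:0.0", ":0", "vaxnode::0", "" }; /* constructed samples */
    char host[64];
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        enum opi_loc loc = opi_location(s[i], host, sizeof host);
        printf("%-20s -> %d %s\n", s[i], (int)loc, host);
    }
    return 0;
}
```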
