Experimental Physics and
Industrial Control System
| 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 <2020> 2021 2022 2023 2024 | Index | 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 <2020> 2021 2022 2023 2024 |
| <== Date ==> | <== Thread ==> |
|---|
| Subject: | Re: Connection to PVA server fails despite server |
| From: | "Johnson, Andrew N. via Tech-talk" <tech-talk at aps.anl.gov> |
| To: | Michael Davidsaver <mdavidsaver at gmail.com> |
| Cc: | EPICS tech-talk <tech-talk at aps.anl.gov> |
| Date: | Wed, 11 Nov 2020 00:27:41 +0000 |
On Nov 10, 2020, at 5:53 PM, Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov> wrote:
The libCom osiGetUserName() implementation for posix targets that Kay pointed out is basically a wrapper around getpwuid(getuid()) with appropriate
checks for the result, so we’re already relying on the C library to do that for us.
If there is no name available for the process's uid, what user name should the client code send the server? This matters if the server has access security enabled, although the user-name can be easily spoofed – the other input to the access rules is the
IP address of the client which is much harder for the client to spoof.
I’m going to guess that the CA server doesn’t care if no user name is provided, but the PVA server isn’t handling that like it probably should (or it’s been taught to never talk to an anonymous client).
There are several obvious approaches for fixing this: Modify the server to accept anonymous clients; change osiGetUserName() to stringify the number returned by getuid() so
that gets passed to the server as the name; or have the client send some other string such as “nobody”.
I don’t think it should be fixed in osiGetUserName() itself since that’s a low-level API and should be able to tell its caller that there is no user-name associated with this process. Sending out
uid numbers could be considered a security hole in some places, so longer-term I think this would have to be fixed inside the pvAccess module one way or another, not in libCom.
- Andrew
--
Complexity comes for free, simplicity you have to work for.
|
- References:
- Connection to PVA server fails despite server Wlodek, Jakub via Tech-talk
- Re: Connection to PVA server fails despite server Michael Davidsaver via Tech-talk
- Re: Connection to PVA server fails despite server Wlodek, Jakub via Tech-talk
- Re: Connection to PVA server fails despite server Michael Davidsaver via Tech-talk
- Navigate by Date:
- Prev: Re: Connection to PVA server fails despite server Michael Davidsaver via Tech-talk
- Next: Re: Connection to PVA server fails despite server Michael Davidsaver via Tech-talk
- Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 <2020> 2021 2022 2023 2024
- Navigate by Thread:
- Prev: Re: Connection to PVA server fails despite server Michael Davidsaver via Tech-talk
- Next: Career opportunities for EPICS Integrator at Telescope Services in Sweden Maria Almaz via Tech-talk
- Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 <2020> 2021 2022 2023 2024
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·