On 04/21, Oscar Ibañez wrote:
> These are the reasons why I need to know how to deal with different user
> accounts inside phoebus (I want to highlight it because it is very
> important: inside) and how to manage passwords. In all cases, I need to
> manage critical data related to security.

Thanks for the explanation; it helps to know what you're trying to do.

I suspect you could do what you're talking about, but it wouldn't really
be secure. For example, I know practically nothing about Phoebus, but
I have seen that it has some scripting capabilities, so if Phoebus
does a CA put to an EPICS PV, and you password-protect that, are you
sure that there's no way, either via a Phoebus command line option or
from the running Phoebus application, for the user to cause Phoebus to
run a script of their choosing that does the same CA put and is not
password-protected?

Even if Phoebus doesn't allow that (which is unusual anyway in that
Phoebus would be trying to prevent the user from doing something in
itself when it is running as that very user), there's nothing that
prevents the user from doing the same CA put from the command line using
the caput program.

But maybe you intentionally don't install the caput program on the
computer. In that case, the user could just install EPICS Base (or
another EPICS CA implementation) in the home directory of the account or
in the temporary file system. I doubt you disallow writing to both of
those.

EPICS CA does have a security mechanism built in called access security,
but it's off by default, and even if it's on, it's based on the source
host and username. The source host would be that of the computer that
Phoebus is running on, so the user wouldn't need to change that since
it would already be allowed for the privileged password-protected
operations in Phoebus. Then all that's left is the username which
can be spoofed in the EPICS CA protocol, so the user could set it to
whatever they want.

So, this is all to say that it's not really a secure system (which is
understandable since it wasn't designed for that). Are you OK with
that? Do you just want something that gives some basic protection even
though it's not actually secure?

Lewis
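
For reference, an access security configuration of the kind the message describes, added here as an illustration and not part of the original message or of any site's real configuration. The group names, user names, host names and file path are constructed placeholders.

```text
# site.acf -- constructed example of an EPICS access security file.
# Loaded on the IOC from st.cmd, before iocInit, with:
#   asSetFilename("/path/to/site.acf")
# Without that call access security stays off and every client can write.

# User access group: user names as reported by the CA client.
UAG(operators) { alice, bob }

# Host access group: client host names the IOC will accept writes from.
HAG(ctrlroom) { opi-01, opi-02 }

# Records with no ASG field set fall into DEFAULT: read-only for everyone.
ASG(DEFAULT) {
    RULE(1, READ)
}

# Records with field(ASG, "SETPOINTS") in their database definition.
ASG(SETPOINTS) {
    RULE(1, READ)
    # A write is allowed only when BOTH the user and the host match.
    # TRAPWRITE hands each permitted write to registered trap-write
    # listeners (for example a put logger), so writes can be audited.
    RULE(1, WRITE, TRAPWRITE) {
        UAG(operators)
        HAG(ctrlroom)
    }
}

# The rule inputs are exactly the two values discussed above: the source
# host and the user name. Nothing here authenticates the person at the
# keyboard, so this limits accidental writes from other hosts and accounts
# rather than a determined user on an allowed host.
```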