EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: What is the best (and simple) way to implement security in a Phoebus solution?
From: Oscar Ibañez via Tech-talk <tech-talk at aps.anl.gov>
To: "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Thu, 22 Apr 2021 11:01:50 +0200
Hi Lewis,

Thank you for your detailed answer.

I have been discussing this situation with other people and, as a consequence of that, we need to accept that the only real security comes from the OS user management system. So, we have made the decision of studying the problem from another perspective. It is this: because we cannot change the OS user account, we would accept a solution where we could avoid accidental manipulations. For example:

Imagine that we have a widget to control the intensity of a beam. That is the kind of thing that people are not going to modify continuously and, of course, not everybody must change it. So, if a person needs to change it, that person has to know a password. Obviously, if that person wants to create problems, he/she can always bypass the control using any of your proposed alternative mechanisms (i.e., using caput from the command line).

I have seen that there is a method known as "showPasswordDialog()" inside ScriptUtil. But it is something that needs to be checked in the Python code. Maybe a solution involving a file with password hashes would be better. However, it would be pretty easy to hack. Just changing the file content.

Any suggestions will be welcomed.

Best,

Óscar

On 21/04/2021 at 23:16, J. Lewis Muir wrote:
On 04/21, Oscar Ibañez wrote:
> These are the reasons why I need to know how to deal with different user
> accounts inside phoebus (I want to highlight it because it is very
> important: inside) and how to manage passwords. In all cases, I need to
> manage critical data related to security.

Thanks for the explanation; it helps to know what you're trying to do.

I suspect you could do what you're talking about, but it wouldn't really
be secure.  For example, I know practically nothing about Phoebus, but
I have seen that it has some scripting capabilities, so if Phoebus
does a CA put to an EPICS PV, and you password-protect that, are you
sure that there's no way, either via a Phoebus command line option or
from the running Phoebus application, for the user to cause Phoebus to
run a script of their choosing that does the same CA put and is not
password-protected?

Even if Phoebus doesn't allow that (which is unusual anyway in that
Phoebus would be trying to prevent the user from doing something in
itself when it is running as that very user), there's nothing that
prevents the user from doing the same CA put from the command line using
the caput program.

But maybe you intentionally don't install the caput program on the
computer.  In that case, the user could just install EPICS Base (or
another EPICS CA implementation) in the home directory of the account or
in the temporary file system.  I doubt you disallow writing to both of
those.

EPICS CA does have a security mechanism built in called access security,
but it's off by default, and even if it's on, it's based on the source
host and username.  The source host would be that of the computer that
Phoebus is running on, so the user wouldn't need to change that since
it would already be allowed for the privileged password-protected
operations in Phoebus.  Then all that's left is the username which
can be spoofed in the EPICS CA protocol, so the user could set it to
whatever they want.

So, this is all to say that it's not really a secure system (which is
understandable since it wasn't designed for that).  Are you OK with
that?  Do you just want something that gives some basic protection even
though it's not actually secure?

Lewis
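
The access security mechanism mentioned in the quoted reply, as an added configuration example that is not from either poster or from the EPICS project. The group, user, host, PV and file names are assumptions; because the rules match only on host and user name, this guards against accidental writes and is not authentication.

```text
# Constructed example: access security configuration file (ACF) for an IOC.
# All group, user, host, PV and file names below are assumptions.
#
# Loaded from the IOC startup script before iocInit, e.g.
#   asSetFilename("/path/to/beam.acf")
# and selected per record in the database, e.g.
#   record(ao, "BEAM:INTENSITY") { field(ASG, "BEAM_CRITICAL") }

# Accounts allowed to change beam settings (user name as reported by the client).
UAG(beam_ops) { operator1, operator2 }

# Workstations in the control room (host name of the CA client).
HAG(control_room) { opi01, opi02 }

# Records with no ASG field, or an ASG not defined here, use DEFAULT:
# read and write for everyone.
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE)
}

# Critical set points: everyone may read, only beam_ops on a control-room
# host may write. TRAPWRITE marks these writes so a put logger can record them.
ASG(BEAM_CRITICAL) {
    RULE(1, READ)
    RULE(1, WRITE, TRAPWRITE) {
        UAG(beam_ops)
        HAG(control_room)
    }
}
```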
