Re: What is the best (and simple) way to implement security in a Phoebus solution?

[Oscar Ibañez via Tech-talk <tech-talk at aps.anl.gov>]

Hi Lewis,

Thank you for your detailed answer.

I have been discussing this situation with other people and, as a 
consequence of that, we need to accept that the only real security comes 
from the OS user management system. So, we have made the decision of 
studying the problem from another perspective. It is this: because we 
cannot change the OS user account, we would accept a solution where we 
could avoid accidental manipulations. For example:

Imagine that we have a widget to control the intensity of a beam. That 
is the kind of thing that people are not going to modify continuosly 
and, of course, not everybody must change it. So, if a person needs to 
change it, that person has to know a password. Obviously, if that person 
wants to create problems, he/she can always bypass the control using any 
of your proposed alternative mechanisms (i.e: using caput from the 
command line).

I have seen that there is a method known as "showPasswordDialog()" 
inside ScriptUtil. But it is something that needs to be checked in the 
Python code. Maybe a solution involving a file with password hashes 
would be better.However, it would be pretty easy to hack. Just changing 
the file content.

Any suggestions will be welcomed.

Best,

Óscar

El 21/04/2021 a las 23:16, J. Lewis Muir escribió:
> On 04/21, Oscar Ibañez wrote:
> > These are the reasons because I need to know how to deal with different user
> > accounts inside phoebus (I want to highlight it because it is very
> > important: inside) and how to manage passwords. In all cases, I need to
> > manage critical data related to security.
> Thanks for the explanation; it helps to know what you're trying to do.
>
> I suspect you could do what you're talking about, but it wouldn't really
> be secure.  For example, I know practically nothing about Phoebus, but
> I have seen that it has some scripting capabilities, so if Phoebus
> does a CA put to an EPICS PV, and you password-protect that, are you
> sure that there's no way, either via a Phoebus command line option or
> from the running Phoebus application, for the user to cause Phoebus to
> run a script of their choosing that does the same CA put and is not
> password-protected?
>
> Even if Phoebus doesn't allow that (which is unusual anyway in that
> Phoebus would be trying to prevent the user from doing something in
> itself when it is running as that very user), there's nothing that
> prevents the user from doing the same CA put from the command line using
> the caput program.
>
> But maybe you intentionally don't install the caput program on the
> computer.  In that case, the user could just install EPICS Base (or
> another EPICS CA implementation) in the home directory of the account or
> in the temporary file system.  I doubt you disallow writing to both of
> those.
>
> EPICS CA does have a security mechanism built in called access security,
> but it's off by default, and even if it's on, it's based on the source
> host and username.  The source host would be that of the computer that
> Phoebus is running on, so the user wouldn't need to change that since
> it would already be allowed for the privileged password-protected
> operations in Phoebus.  Then all that's left is the username which
> can be spoofed in the EPICS CA protocol, so the user could set it to
> whatever they want.
>
> So, this is all to say that it's not really a secure system (which is
> understandable since it wasn't designed for that).  Are you OK with
> that?  Do you just want something that gives some basic protection even
> though it's not actually secure?
>
> Lewis