Re: IOC Shell Persist history: ERROR Permission denied (13) writing '.iocsh_history'

[Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov>]

On 11/1/24 12:51, Johnson, Andrew N. wrote:
> At APS our production IOCs are started from a script with the CWD set to the IOC‘s boot directory. The accounts they run under deliberately have no ability to write to their own application or configuration files, in an attempt to make it harder for anyone who successfully breaks into one to persistently change those files.
>
> Brad didn’t say so, but I assume SNS also use read-only IOC boot directories. I guess he could give procServ the command
>
>      /bin/env EPICS_IOCSH_HISTFILE=/path… ./st.cmd
>
> to start the IOC without having to wrap it in a script, although that feels a bit unwieldy to me.

I would think that passing $EPICS_IOCSH_HISTFILE _through_ procServ would be
in keeping with what I have seen with systemd or sysv arrangements.  Although
this would only save a few characters, with the Real Question being why a
minor feature like shell history needs individual handling?

I have sometimes wondered about trying to establish a conventional FS
location for IOC volatile data.  Firstly for autosave.  Something
analogous to what systemd's "StateDirectory=" tries to accomplish.


wrt. "epicsEnvSet EPICS_IOCSH_HISTFILE ...".  As it stands, there would be
a bootstrapping issue as $EPICS_IOCSH_HISTFILE is read before any iocsh
command is interpreted.  Nothing insurmountable, but some work would be
needed to allow setting/changing EPICS_IOCSH_HISTFILE after iocsh init.


> I already added setting that environment variable to our IOC launch script, even though we aren’t running 7.0.8.1 yet.
>
> - Andrew
>
> --
>
> Complexity comes for free, Simplicity you have to work for.
>
> On 11/1/24, 1:26 PM, "Tech-talk" <tech-talk-bounces at aps.anl.gov> wrote:
>
> On 11/1/24 06:09, Webb, Brad via Tech-talk wrote:
> > After upgrading to EPICS 7.0.8.1 I see the errors below in the IOC start-up console output.
> > ERROR Permission denied (13) writing '.iocsh_history'
> > ERROR Permission denied (13) writing '.iocsh_history'
> >
> >   From the release notes:
> > https://urldefense.us/v3/__https://github.com/epics-base/epics-base/blob/7.0/documentation/RELEASE_NOTES.md*persist-history__;Iw!!G_uCfscf7eWS!fxC6WWyvShbxHs8jPNfGxcc-Yd3gb7wGySPtGjoGKon5HqQERrpNd3FD4NrQvKubT7JRig5xbohNUi8W3jbS$ <https://urldefense.us/v3/__https:/github.com/epics-base/epics-base/blob/7.0/documentation/RELEASE_NOTES.md*persist-history__;Iw!!G_uCfscf7eWS!fxC6WWyvShbxHs8jPNfGxcc-Yd3gb7wGySPtGjoGKon5HqQERrpNd3FD4NrQvKubT7JRig5xbohNUi8W3jbS$>
> >
> > I find this section about setting the environment variable:
> > Persist history
> > Attempt to read and write command to a file (./.iocsh_history by default). Name may be overwritten
> > with by setting $EPICS_IOCSH_HISTFILE to an alternate path, or disabled by setting to an empty
> > string.
> >
> > So, my question is how can this variable be set on a per IOC basis so that each IOC can have its own
> > unique path for the history file?
>
> Whatever mechanism you are using to launch IOC processes would
> need to compute and set $EPICS_IOCSH_HISTFILE .
>
> Since you did RtM, I appreciate that this is not by itself a
> useful reply :)
>
> Can you say more about how your IOCs are being launched?
> Do multiple IOC processes share the same $PWD and/or does
> an IOC not have permission to create files in $PWD ?