Re: [foxboro] DM/Foxview "view only" configuration question

On Thu, Aug 28, 2003 at 10:09:16AM -0400, Corey R Clingo wrote:
> 
> It's a dmcmd script, in /usr/fox/sys.  I'm not at the system right now, but
> I think we look at the LOGNAME and/or USER environment variables.  I'm sure
> there are lots of other ways.

Sorry to ask for so much hand holding here, but while I'm comfortable with
the *NIX side of this, I'm very unfamiliar with the dmcmd side of this :-(

In any case /usr/fox/sys/Change_Env seems to be a directory. And in it are
scripts for the various different Foxboro user "environments". So, I guess
I would have to make this change in all of them. The system under
discussion actually has (somewhere that I can't recall at the moment in a
dmcmd script that gets executed when the FoxView session is started
(something like fv_cmds?)) dmcmd logic that checks whether the session is
LOCAL (something like DM_LOCAL ?) and if not, then it protects omsets etc.

I would like to change this to user based checking. Could you please share
the dmcmd logic you use (when you get a chance)?

Is getenv the command to import shell environment variables into dmcmd
scripts?


> 
> Savvy readers will probably notice that there are opportunities aplenty for
> abuse here.  A remote user who can build displays can effectively override
> any OM access controls you put in the environment scripts, and can even
> give themselves shells.  Fortunately, our graphics builders all either sit
> at the console or are authorized for write access.  We also try to limit
> exposure by using OpenSSH to start up and "tunnel" the DM sessions, and we
> limit the read-only users to only running a DM - no user port forwarding,
> no other commands, no shells, file transfer, etc.
> 

Sounds well thought out to me.

-- 
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
                                                -- Benjamin Franklin
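
The OpenSSH restrictions described in the quoted text (read-only users may only run a DM: no port forwarding, no other commands, no shells, no file transfer) can be expressed server-side in sshd_config. This fragment is an added example, not configuration from the original post or from either correspondent's system. Assumptions: the group name `dmview` and the launcher path are hypothetical, the DM session is carried over X11 forwarding, and the OpenSSH release is recent enough to support `Match` blocks and the directives shown.

```conf
# sshd_config fragment (added example; group name and launcher path are hypothetical)

# Applies only to members of the read-only operator group.
Match Group dmview
    # Run the DM launcher no matter what the client asks for.
    # This also overrides scp/sftp requests, so no file transfer
    # and no interactive shell are available to these accounts.
    ForceCommand /usr/local/bin/start_dm_readonly

    # Assumption: the DM display is tunnelled with X11 forwarding,
    # so this is the only forwarding left enabled.
    X11Forwarding yes

    # No user port forwarding of any kind.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    AllowAgentForwarding no

    # No terminal allocation and no per-user rc file execution.
    PermitTTY no
    PermitUserRC no

    # Password-only logins cannot be restricted per key, so keep the
    # restriction at the server level rather than in authorized_keys.
    PermitUserEnvironment no
```

`PermitUserEnvironment no` matters for a setup that keys its access checks on LOGNAME or USER, since it stops the account from supplying its own environment values through `~/.ssh/environment`. These settings constrain the SSH session only; they do not change what a display builder can do inside the DM itself.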