Re: [foxboro] DM/Foxview "view only" configuration question
- From: "Corey R Clingo" <clingoc@xxxxxxxxxxxxx>
- To: foxboro@xxxxxxxxxxxxx
- Date: Thu, 28 Aug 2003 15:38:14 -0400
Sorry, my bad. The file you are looking for is in the
/usr/fox/sys/Change_Env directory and is called Init_Env. It is the one
that is called up when a DM is first started. However, I believe this can
be customized, so you might want to check your system. We also use legacy
DM, so I can't comment on Foxview, but I think it is something similar (but
in a different directory). You will not need to change your other
environments unless the remote users are allowed to change to them and they
modify the omset permissions.
The logic is something to the effect of:
== $USER root enable omsets else disable omsets
== $USER remote_write enable omsets else disable omsets
Corey
stan <stanb@xxxxxxxxx>
Sent by: foxboro-bounce@freelists.org
08/28/2003 10:00 AM
Please respond to foxboro

To: foxboro
cc:
Subject: Re: [foxboro] DM/Foxview "view only" configuration question
On Thu, Aug 28, 2003 at 10:09:16AM -0400, Corey R Clingo wrote:
>
> It's a dmcmd script, in /usr/fox/sys. I'm not at the system right now, but
> I think we look at the LOGNAME and/or USER environment variables. I'm sure
> there are lots of other ways.
Sorry to ask for so much hand holding here, but while I'm comfortable with
the *NIX side of this, I'm very unfamiliar with the dmcmd side of this :-(
In any case /usr/fox/sys/Change_Env seems to be a directory. And in it are
scripts for the various different Foxboro user "environments". So, I guess
I would have to make this change in all of them. The system under
discussion actually has (somewhere that I can't recall at the moment in a
dmcmd script that gets executed when the FoxView session is started
(something like fv_cmds?)) dmcmd logic that checks whether the session is
LOCAL (something like DM_LOCAL ?) and if not, then it protects omsets etc.
I would like to change this to user based checking. Could you please share
the dmcmd logic you use (when you get a chance)?
Is getenv the command to import shell environment variables into dmcmd
scripts?
>
> Savvy readers will probably notice that there are opportunities aplenty for
> abuse here. A remote user who can build displays can effectively override
> any OM access controls you put in the environment scripts, and can even
> give themselves shells. Fortunately, our graphics builders all either sit
> at the console or are authorized for write access. We also try to limit
> exposure by using OpenSSH to start up and "tunnel" the DM sessions, and we
> limit the read-only users to only running a DM - no user port forwarding,
> no other commands, no shells, file transfer, etc.
>
Sounds well thought out to me.
--
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
-- Benjamin Franklin
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
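
The SSH restrictions described in the quoted message above (read-only users may only run a DM: no port forwarding, no other commands, no shells, no file transfer), sketched as an added sshd_config fragment that is not from the thread or from either poster's system. It uses `Match` blocks from current OpenSSH releases; the group name `dm_readonly` and the launcher path `/usr/local/bin/start_dm_readonly` are hypothetical, and X11 forwarding is assumed to be how the DM display is tunnelled.

```sshconfig
# Added example: confine view-only DM users (hypothetical group dm_readonly).
Match Group dm_readonly
    # Always run the DM launcher, whatever command, shell or subsystem
    # (sftp included) the client asks for. The path is hypothetical.
    ForceCommand /usr/local/bin/start_dm_readonly

    # Assumption: the DM display travels over SSH X11 forwarding,
    # so this is the one forwarding type left enabled.
    X11Forwarding yes

    # No TCP, Unix-socket, agent or tun-device forwarding.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    PermitTunnel no

    # No terminal allocation, and no ~/.ssh/rc run before the forced command.
    PermitTTY no
    PermitUserRC no
```

Because the environment scripts in this thread decide on USER/LOGNAME, leave the global `PermitUserEnvironment` at its default of `no` so these accounts cannot inject environment variables through their own SSH files.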