Hi Andreas,

One of the main security issues is the ability to determine which action a certain user can take based on his profile. If we let them all work under the root account in an open shell there is a high risk that someone can accidentally execute a command that destabilizes the system.

A nice and easy feature is the use of the sudo program. With this, you can define which commands can be executed and by whom.

A Foxboro I/A system can be split up in directory paths with different tasks. One of the main tasks is file management. E.g. /opt/disp, /opt/menus, /opt/overlays contain all your display files. If you now create a small copy/move/delete script that only allows to work under these directories, you create the certainty that system files cannot be modified or removed. (PS: Make sure that the regular user cannot modify this type of scripts!!)

A better solution is using a graphical file explorer that limits the accessible directories.

Greetings,
Lieven Taleman
B.V.B.A Talsoft - Belgium
lieven.taleman@xxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Alex P (IPS)
Sent: Friday, May 19, 2006 21:38
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Foxboro I/A OPC - Security

In general, anything that accesses the OM needs root permissions.

You can grant any program root permissions by using the chmod command:

    chmod +4000 <pgmName>

The application could then be run by someone other than root as if root had run it.

Other issues running as a different user tend to boil down to directory access permissions.

Hope this helps.

Regards,
Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Weiss, Andreas
Sent: Saturday, March 11, 2006 7:36 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Foxboro I/A OPC - Security

> A software guy loves to work under full access (say root)
> because then he
> does not have to worry about "permission denied" issues.

Hi,

which I/A series applications on a Solaris Box can run under another account than root? Has anyone experience in this field, for example building displays under a normal user account (that is, a non-root account)?

Greetings,
Andreas

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
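
Added example, not part of the original thread and not Foxboro or Invensys code: one way to write the copy/move/delete script described in the first message so that sudo can run it as root while it refuses any path outside /opt/disp, /opt/menus and /opt/overlays, including paths that escape through ".." or a symlink. The script name dispfile, its install path, the group dispedit and the ALLOWED_ROOTS override are assumptions made for illustration.

```sh
#!/bin/sh
# Hypothetical wrapper "dispfile" (added example). Install root-owned, mode 0755,
# so regular users cannot modify it. Assumed sudoers entry (names are assumptions):
#   %dispedit ALL=(root) /usr/local/bin/dispfile
# Allowed trees are those named in the message; the override exists for testing.
ALLOWED_ROOTS=${ALLOWED_ROOTS:-"/opt/disp /opt/menus /opt/overlays"}

# Print the physical path of $1 with symlinks in its parent resolved. Fails when
# the parent is missing or the last component is a symlink, "." or "..".
canon() {
    case $1 in ''|*/) return 1 ;; esac
    [ -L "$1" ] && return 1
    parent=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    base=$(basename -- "$1")
    case $base in .|..) return 1 ;; esac
    printf '%s/%s\n' "${parent%/}" "$base"
}

# Succeed only if $1 resolves to something strictly below an allowed root.
path_allowed() {
    p=$(canon "$1") || return 1
    for root in $ALLOWED_ROOTS; do
        case $p in "$root"/*) return 0 ;; esac
    done
    return 1
}

# dispfile cp SRC DST | mv SRC DST | rm FILE ; every path must pass the check.
dispfile() {
    op=$1
    [ $# -gt 0 ] && shift
    case $op in
        cp|mv) [ $# -eq 2 ] || return 2 ;;
        rm)    [ $# -eq 1 ] || return 2 ;;
        *)     return 2 ;;
    esac
    for arg in "$@"; do
        path_allowed "$arg" || { echo "dispfile: refused: $arg" >&2; return 1; }
    done
    case $op in
        cp) cp -- "$1" "$2" ;;
        mv) mv -- "$1" "$2" ;;
        rm) rm -- "$1" ;;
    esac
}

[ $# -eq 0 ] || dispfile "$@"
```

The path check and the file operation are separate steps, so the wrapper is only sound while regular users have no direct write access to the three trees and reach them through sudo alone.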