I agree that their running everything as root is a Vewy Bad Idea (tm). However, some applications at least can run as a non-root user. Most legacy applications run fine; I think the user "ia" is used out of the box for remote apps. I had some problems with Foxview/FoxDraw, but the "secret" (for me, anyway) was to set up all the environment variables just as Foxboro's boot scripts (S99FOXBORO and its children) do.

Here's my list so far:

- Legacy DM: no problems.
- Display Builder/Configurator: had to change some directory/file permissions (see below).
- ICC: no problems, though I can't say we've used all its functions remotely.
- Foxview and FoxDraw: setting the environment vars as described above made them work, but I had GUI lockup problems, so I did this only for a brief time.

I don't know how much security you gain, as most of these programs that I've looked at are setuid root, but Display Builder must drop privs at some point, because after I implemented this I had to change permissions on our graphics directories so that files could be saved (DB gives no warning about inability to write files, BTW...grr). If all these apps drop privs after execution, this could also cause problems if your file permissions are not set accordingly.

Anyway, my DM startup script checks the username, then enables/disables omsets, sets DM_CLASS and DM_TYPE, and protects/unprotects some ACLs based on username. It could easily enough give priority to certain users, or reserve DMs, or whatever, but we don't really have a need for that.

Corey Clingo
BASF Corp.
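Corey's startup script itself is not in the thread. The following is an added example, not his script and not Foxboro-supplied code, of the shape such a wrapper can take: it derives the profile from the real login name rather than from an environment variable the caller can set, exports DM_CLASS and DM_TYPE (the variable names from the message; the values, the user names, the omsets flag and the DM_BIN path are placeholders), and warns when the program it is about to launch is setuid, since in that case running it from a non-root login does not actually shed root.

```shell
#!/bin/sh
# Added example, not the original poster's script or any Foxboro code.
# DM_BIN is an assumed placeholder path; point it at your site's DM launcher.
DM_BIN=${DM_BIN:-/path/to/dm_start}

# Map a login name to "DM_CLASS DM_TYPE OMSETS". The class/type values and
# the user-name patterns are illustrative. Unknown users get no profile and a
# non-zero status, so the DM is never started with an accidental default of
# full access.
dm_profile_for_user() {
    case "$1" in
        ia|foxeng)    echo "engineer full on"   ;;  # may edit and change setpoints
        oper*)        echo "operator normal on" ;;  # operate only
        view*|guest)  echo "viewonly view off"  ;;  # monitor only, omsets disabled
        *)            return 1 ;;
    esac
}

# Report whether a program carries the setuid bit, i.e. whether launching it
# from a non-root login really runs it with reduced privilege. Reads the
# POSIX ls -l mode field, where column 4 is 's' or 'S' when setuid is set.
is_setuid() {
    mode=$(ls -lL -- "$1" 2>/dev/null) || return 1
    case "$(printf '%s\n' "$mode" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Derive the profile from the real uid (id -un), not from $USER or $LOGNAME,
# which the caller controls; export it and hand off to the DM.
start_dm() {
    user=$(id -un)
    profile=$(dm_profile_for_user "$user") || {
        echo "dm-wrapper: no profile for user '$user', refusing to start" >&2
        return 1
    }
    set -- $profile
    DM_CLASS=$1 DM_TYPE=$2 OMSETS=$3
    export DM_CLASS DM_TYPE
    if is_setuid "$DM_BIN"; then
        echo "dm-wrapper: note: $DM_BIN is setuid; running as $user does not drop root" >&2
    fi
    echo "dm-wrapper: user=$user DM_CLASS=$DM_CLASS DM_TYPE=$DM_TYPE omsets=$OMSETS" >&2
    # Site-specific omsets enable/disable and ACL protect/unprotect would go here.
    exec "$DM_BIN"
}

# Only launch when invoked as "wrapper.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    start_dm
fi
```

The setuid check is the part worth keeping even if the rest is replaced: it answers, per binary, the question raised above of whether a non-root login buys any privilege reduction at all, and the file-permission breakage described for Display Builder is what to expect from the programs for which it returns false.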
From: stan <stanb@xxxxxxxx>
Sent by: foxboro-bounce@freelists.org
Date: 10/11/2002 06:52 AM
Please respond to foxboro
To: foxboro
cc:
Subject: Re: [foxboro] Dedicated DMs with DHCP

On Thu, Oct 10, 2002 at 05:39:06PM -0500, Corey R Clingo wrote:
> If your dynamic addressing setup includes dynamic DNS also (i.e., the same
> PC always has the same DNS name, regardless of its address), I'd think you
> could do this with dmcfg in the normal manner, using the DNS names rather
> than IP addresses. If it does not, you would have to rig up some kind of
> script to check some other user- or machine-specific piece of information
> prior to starting up a DM.
>
> We're doing something similar by creating different user accounts. We
> don't dedicate DMs but we grant different access levels depending on user
> ID, and enforce user login security with OpenSSH. Works OK if you don't
> have very many levels of access. Other ways to do this sort of thing come
> to mind. We can discuss off-list if you like.

I would be extremely interested in hearing more about this. I'm totally appalled by the fact that all Foxboro users here run as root (which is "A Very Bad Idea" (tm)), but I've run into difficulties when trying to run various Foxboro supplied executables as a non-root user. Could you elaborate on what you have done here?

--
"They that would give up essential liberty for temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
_______________________________________________________________________