Re: [foxboro] Dedicated DMs with DHCP

  • From: Corey R Clingo <clingoc@xxxxxxxxxxxxx>
  • To: foxboro@xxxxxxxxxxxxx
  • Date: Fri, 11 Oct 2002 09:49:32 -0500


I agree that their running everything as root is a Vewy Bad Idea (tm).
However, some applications at least can run as a non-root user.  Most
legacy applications run fine; I think the user "ia" is used out of the box
for remote apps.  I had some problems with Foxview/FoxDraw, but the
"secret" (for me, anyway) was to set up all the environment variables just
as Foxboro's boot scripts (S99FOXBORO and its children) do.  Here's my list
so far:

Legacy DM: no problems.
Display Builder/Configurator: had to change some directory/file permissions
(see below)
ICC: no problems, though I can't say we've used all its functions remotely.
Foxview and FoxDraw: Setting the environment vars as described above made
them work, but I had GUI lockup problems, so I did this only for a brief
time.

I don't know how much security you gain, as most of these programs that
I've looked at are setuid root, but Display Builder must drop privs at some
point because after I implemented this I had to change permissions on our
graphics directories so that files could be saved (DB gives no warning
about inability to write files, BTW...grr).  If all these apps drop privs
after execution, this could also cause problems if your file permissions
are not set accordingly.

Anyway, my DM startup script checks the username, then enables/disables
omsets, sets DM_CLASS and DM_TYPE, and protects/unprotects some ACLs based
on username.  It could easily enough give priority to certain users, or
reserve DMs, or whatever, but we don't really have a need for that.

Corey Clingo
BASF Corp.
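An added example (not Corey's own script, which the message does not include) of how such a per-user DM startup wrapper can be structured in POSIX sh: a username-to-policy table that defaults to deny, an export of DM_CLASS and DM_TYPE plus the omsets/ACL decisions, and a pre-flight check that the directories the application saves into are actually writable by that user, since Display Builder gives no warning when they are not. The user names, the class and type values, and the DM_OMSETS/DM_ACL variable names are assumed placeholders; only DM_CLASS and DM_TYPE appear in the message.

```shell
#!/bin/sh
# Per-user policy lookup for a DM startup wrapper (added example; the user
# names, class/type values and the DM_OMSETS/DM_ACL names are constructed
# placeholders, not Foxboro's own).

# Map a username to one policy line: "<DM_CLASS> <DM_TYPE> <omsets> <acl>".
# root and unknown users get no policy at all (default deny).
dm_policy_for_user() {
    case "$1" in
        ia)       echo "operator dedicated off protect" ;;
        engineer) echo "engineer dedicated on unprotect" ;;
        viewer)   echo "viewonly shared off protect" ;;
        root)     return 1 ;;   # never start a DM as root
        *)        return 1 ;;   # unknown account: deny
    esac
}

# Resolve the policy for a user and export the variables the DM reads.
# Returns 1 (and exports nothing) when the user is not permitted a DM.
dm_apply_policy() {
    _policy=$(dm_policy_for_user "$1") || return 1
    # shellcheck disable=SC2086  # word-splitting the policy line is intended
    set -- $_policy
    DM_CLASS=$1 DM_TYPE=$2 DM_OMSETS=$3 DM_ACL=$4
    export DM_CLASS DM_TYPE DM_OMSETS DM_ACL
    return 0
}

# Apps that drop privileges fail silently when they cannot write, so check
# every directory they save into before launching one as this user.
dm_check_writable() {
    for _dir in "$@"; do
        [ -d "$_dir" ] && [ -w "$_dir" ] || return 1
    done
    return 0
}

# Typical use at the top of the wrapper (shown as comments, not run here):
#   user=$(id -un)
#   dm_apply_policy "$user" || { echo "no DM policy for $user" >&2; exit 1; }
#   dm_check_writable /path/to/graphics || echo "warning: graphics dir not writable" >&2
#   [ "$DM_OMSETS" = on ]     && : "enable omsets here"
#   [ "$DM_ACL" = protect ]   && : "protect ACLs here"
```

The table is the only place policy lives, so adding a user or changing a level is a one-line edit, and the deny-by-default branch means a typo in a username produces no DM rather than one with the wrong privileges.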


stan <stanb@xxxxxxxx> (sent by foxboro-bounce@freelists.org), 10/11/2002 06:52 AM
Please respond to foxboro
To: foxboro
Subject: Re: [foxboro] Dedicated DMs with DHCP

On Thu, Oct 10, 2002 at 05:39:06PM -0500, Corey R Clingo wrote:
>
> If your dynamic addressing setup includes dynamic DNS also (i.e., the same
> PC always has the same DNS name, regardless of its address), I'd think you
> could do this with dmcfg in the normal manner, using the DNS names rather
> than IP addresses.  If it does not, you would have to rig up some kind of
> script to check some other user- or machine-specific piece of information
> prior to starting up a DM.
>
> We're doing something similar by creating different user accounts.  We
> don't dedicate DMs but we grant different access levels depending on user
> ID, and enforce user login security with OpenSSH.  Works OK if you don't
> have very many levels of access.  Other ways to do this sort of thing come
> to mind.  We can discuss off-list if you like.
>

I would be extremely interested in hearing more about this. I'm totally
appalled by the fact that all Foxboro users here run as root (which is "A
Very Bad Idea" (tm)), but I've run into difficulties when trying to run
various Foxboro supplied executables as a non-root user.

Could you elaborate on what you have done here?

--
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
      -- Benjamin Franklin


_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave