Re: [foxboro] Protecting control based upon user ID

  • From: "Johnson, Alex P \(IPS\)" <alex.johnson@xxxxxxxxxxxxxxxx>
  • To: <foxboro@xxxxxxxxxxxxx>
  • Date: Tue, 12 Sep 2006 09:58:12 -0400

If you use UNIX logins, e.g., root and ia, they are different owners.

So you can set things up for special programs like omset pretty easily
by simply restricting execution to the owner of the program - root.

It can get lots more complex if you want.

As a rule, each user does have a separate home directory and a shell
that executes on login. The administrator can do a variety of things,
e.g., run the restricted shell or change the path to limit the tools
that are accessible.


Just be aware that programs that access the OM must have root
permissions since the Shared Memory segment that the OM uses is
restricted to root access.

You can get that for non-root users by setting the 'set-uid' bit using
chmod to give any user root access to specific programs (sort of the
reverse of the original request).


Regards,
Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx
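
Added example (not part of the original post): a POSIX shell check of the two mode settings discussed above, owner-only execute versus the set-uid bit. `omset_standin`, `has_perm`, `audit_exec` and `list_setuid` are constructed names; the file is a placeholder in a temp directory owned by whoever runs the script, whereas on the real system the owner would be root.

```shell
#!/bin/sh
# Added example; "omset_standin" is a constructed placeholder, not the real omset.

# has_perm FILE MODE: true if FILE has every bit in MODE set (POSIX find -perm -MODE).
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# audit_exec FILE: report who may execute FILE and whether the set-uid bit is on.
audit_exec() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    if has_perm "$f" 0010 || has_perm "$f" 0001; then
        who="group-or-other"      # someone besides the owner can run it
    elif has_perm "$f" 0100; then
        who="owner-only"          # the restriction suggested for omset
    else
        who="nobody"
    fi
    # With set-uid, every caller allowed to execute runs as the file's owner.
    if has_perm "$f" 4000; then echo "setuid $who"; else echo "plain $who"; fi
}

# list_setuid DIR: print every set-uid regular file under DIR, for periodic review.
list_setuid() { find "$1" -type f -perm -4000 -print 2>/dev/null | sort; }

# Constructed sandbox so the example runs without touching a real system.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
tool="$demo_dir/omset_standin"
printf '#!/bin/sh\necho "stand-in tool"\n' > "$tool"

chmod 755 "$tool";  echo "755  -> $(audit_exec "$tool")"
chmod 700 "$tool";  echo "700  -> $(audit_exec "$tool")"
chmod 4755 "$tool"; echo "4755 -> $(audit_exec "$tool")"
echo "set-uid files in sandbox:"; list_setuid "$demo_dir"
```

The check reads mode bits only; pairing it with an ownership check (for example `find DIR -user root -perm -4000`) shows which set-uid programs actually hand out root.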

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of brad.s.wilson@xxxxxxxxxxxxxx
Sent: Tuesday, September 12, 2006 7:49 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Protecting control based upon user ID

I haven't done too much UNIX admin stuff, but since UNIX only allows for
3 access levels (user/owner, group and other), how would one set up more
than 3 levels of access? Would each ID have their own home directory
structure with the programs they're allowed to run in their home area,
and set up the other directories to be off-limits?

Brad Wilson
Process Control Engineer
ExxonMobil Chemical Co
Edison Synthetics Plant
732-321-6115
732-321-6177 fax
Brad.S.Wilson@xxxxxxxxxxxxxx


From: "Johnson, Alex P \(IPS\)" <alex.johnson@ips.invensys.com>
Sent by: foxboro-bounce@freelists.org
Date: 09/12/06 08:05 AM
Please respond to foxboro@freelists.org
To: <foxboro@xxxxxxxxxxxxx>
cc:
Subject: Re: [foxboro] Protecting control based upon user ID

You can use chmod to make omset usable only by the user root. You would
enable the execution by the owner and disable by people in the group or
other.
Does that make sense?

Type 'man chmod' to set the flags.

AJ


-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of stan
Sent: Tue 9/12/2006 7:12 AM
To: Foxboro List
Subject: [foxboro] Protecting control based upon user ID

I need to be able to disable omset for users based upon who they log in
as (UNIX user ID). I've got situations (both Foxview and DM) where I want
the user (either logged in locally or using a X client) to log in as root,
and have control. If, however, they log in as user ia, I don't want them
to be able to get omset enabled.

Is this possible? If so, how can I accomplish this?

--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave


