spec: Software for Diffraction

Wizard mode for hardware permissions

At some spec installations, administrators need to prevent users from accessing or modifying the configuration of certain motors. The edconf program supports a wizard mode that allows such protection. If one types ^W while running edconf, one is prompted for the wizard's password. If entered correctly, additional levels of protection can be configured.

When running spec, a user who knows the password can gain temporary access to protected motors via the spec_par("specwiz") function. The standard macros onwiz and offwiz provide a convenient implementation.

The current protection levels are:

NONE
    All actions allowed.
LIMITS SET
    Can't change limit positions or steps per degree/mm.
CAN'T MOVE
    Can't change steps per degree/mm, sign of user * dial, position or limits.
WIZ LEV 1
    Can't change any configuration parameters, but can move motor, change limits and user offset.
WIZ LEV 2
    Can't change any configuration parameters, but can move motor and change user offset.
WIZ LEV 3
    Can't change any configuration parameters or move motor, but can change user offset.
WIZ LEV 4
    Can change all parameters and can move motor, but can't change motor number or controller associated with motor.

The first three levels can be modified without wizard mode being active.

Note, the protections apply to standard motor parameters and standard optional motor parameters. The protections do not currently affect any non-standard optional motor parameters (those accessed with the p command).

Since modern UNIX-based systems forbid unprivileged users access to encrypted passwords, spec will first look for a readable spec.d/passwd file that contains an entry with an encrypted password for a specwiz user. If no such file exists, spec will also look in /etc/passwd and /etc/shadow, although the former is unlikely to contain encrypted passwords and the latter is unlikely to be readable. The spec distribution includes a wiz_passwd utility, which can be run to create the spec.d/passwd file. Note, wiz_passwd uses a circa 1975 encryption algorithm.
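The lookup order described above, as an added example that is not part of the spec distribution: the script tries each candidate file in turn, skips the ones the current user cannot read, and reports what kind of crypt(3) hash the specwiz entry carries, so an administrator can tell at a glance whether the entry still uses the traditional 13-character DES scheme. The file list, the SPECWIZ_USER variable and the hash classification are assumptions of this example; the hash value in the demonstration is a constructed placeholder in DES-crypt shape, not a real hash.

```shell
#!/bin/sh
# Added example, not code from the spec distribution.
# Print "file:hash" for the first readable file in "$@" that has an entry
# for the wizard user (default specwiz). Returns 1 if none is found.
find_specwiz_entry() {
    user=${SPECWIZ_USER:-specwiz}
    for f in "$@"; do
        [ -r "$f" ] || continue            # unreadable files (e.g. /etc/shadow) are skipped
        pw=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$f")
        [ -n "$pw" ] || continue
        printf '%s:%s\n' "$f" "$pw"
        return 0
    done
    return 1
}

# Classify the password field of a passwd/shadow-style entry:
#   des-crypt : 13 characters from [./0-9A-Za-z], the traditional DES crypt
#               scheme (the "circa 1975" algorithm the text refers to)
#   modular   : "$id$..." form produced by modern crypt implementations
#   locked    : "x", "*", "!..." or empty, i.e. no usable hash in this field
#   unknown   : anything else
classify_hash() {
    case "$1" in
        '$'*) echo modular ;;
        x|'*'|'!'*|'') echo locked ;;
        *)
            if [ "${#1}" -eq 13 ] && [ -z "$(printf '%s' "$1" | tr -d './0-9A-Za-z')" ]; then
                echo des-crypt
            else
                echo unknown
            fi ;;
    esac
}

# Demonstration on a constructed spec.d/passwd (placeholder hash, not real).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/spec.d"
printf 'specwiz:xyEXAMPLEonly:0:0::/:/bin/sh\n' > "$demo_dir/spec.d/passwd"
if entry=$(find_specwiz_entry "$demo_dir/spec.d/passwd" /etc/passwd /etc/shadow); then
    echo "found: $entry"
    echo "hash style: $(classify_hash "${entry#*:}")"
else
    echo "no readable specwiz entry"
fi
rm -rf "$demo_dir"
```

Run it with the real candidate files (the spec.d/passwd of the installation first, then /etc/passwd and /etc/shadow) to see which file spec will actually use and whether the hash it finds is the legacy DES form.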

To prevent users from disabling the wizard protections by editing the config file by hand, one can use the file protection features built into the operating system. One possibility is to make the edconf program set-user-id to specadm, change the ownership of the config files to specadm, and change the modes of the config files to rw-r--r--. Do that using commands (as super user) along the following lines (for a spec geometry):

chown specadm edconf spec/config
chmod u+s edconf
chmod 644 spec/config
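A check that the arrangement above is actually in place, as an added example that is not part of the spec distribution: it confirms that edconf carries the set-user-id bit and is owned by the administrative account, and that the config file is owned by that account and not writable by group or others (otherwise users can bypass edconf and edit it by hand). The function name, its arguments and the placeholder paths in the usage comment are assumptions of this example; the text names the account specadm.

```shell
#!/bin/sh
# Added example, not code from the spec distribution.
# check_protection EDCONF CONFIG OWNER
#   prints one line per problem found and returns 1 if any were found.
check_protection() {
    edconf=$1 config=$2 owner=$3
    rc=0
    # edconf must be set-user-id and owned by the administrative account
    [ -u "$edconf" ] || { echo "$edconf: set-user-id bit not set"; rc=1; }
    [ -n "$(find "$edconf" -user "$owner" 2>/dev/null)" ] \
        || { echo "$edconf: not owned by $owner"; rc=1; }
    # the config file must be owned by that account ...
    [ -n "$(find "$config" -user "$owner" 2>/dev/null)" ] \
        || { echo "$config: not owned by $owner"; rc=1; }
    # ... and must not be writable by group (020) or others (002)
    [ -z "$(find "$config" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] \
        || { echo "$config: writable by group or others"; rc=1; }
    return $rc
}

# Example invocation (paths are placeholders for a real installation):
#   check_protection /path/to/edconf /path/to/spec.d/spec/config specadm
```

Run it after the chown/chmod commands, and again whenever spec or edconf is reinstalled, since a package update that replaces the edconf binary will drop the set-user-id bit.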

The onwiz macro usage is as follows. With no arguments, it activates wizard mode for 10 minutes. With a positive argument arg, the timer is set for arg seconds. With a negative argument, wizard mode will remain on until explicitly turned off. With an argument of zero, wizard mode will be active until the next main prompt. If wizard mode is already active, an argument can be used to change the duration without having to re-enter the password. The timer is implemented by adding a command to the standard prompt_mac, which executes before each main spec prompt.