spec

Software for Diffraction

Wizard mode for hardware permissions

At some spec installations, administrators need to prevent users from accessing or modifying the configuration of certain motors. The edconf program supports a wizard mode that allows such protection. If one types ^W while running edconf, one is prompted for the wizard's password. If entered correctly, additional levels of protection can be configured.

When running spec, a user who knows the password can gain temporary access to protected motors via the spec_par("specwiz") function. The standard macros onwiz and offwiz provide a convenient implementation.

The current protection levels (including non-wizard levels) are:

NONE
All actions allowed.
LIMITS SET
Can't change limit positions, steps per degree/mm or sign of user * dial.
CAN'T MOVE
Can't move motor or change limits, steps per degree/mm or sign of user * dial, but can change user offset.
READ ONLY
Can't move motor or change any parameters other than user offset (as of spec release 6.13.02).
WIZ LEV 1
Can't change any configuration parameters except steps per degree/mm and sign of user * dial. Can move motor, change limits and change user offset.
WIZ LEV 2
Can't change any configuration parameters or limits, but can move motor and change user offset.
WIZ LEV 3
Same restrictions as READ ONLY. Can't move motor or change any parameters, but can change user offset.
WIZ LEV 4
Can change all parameters and can move motor, but can't change motor number or controller associated with motor.

The first four levels can be modified without wizard mode being active.

Since modern UNIX-based systems do not let unprivileged users read the hashed passwords in /etc/shadow, spec first looks for a readable spec.d/passwd file that contains an entry with a hashed password for a specwiz user. If no such file exists, spec also looks in /etc/passwd and /etc/shadow, although the former is unlikely to contain password hashes and the latter is unlikely to be readable. The spec distribution includes a wiz_passwd utility, which can be run to create the spec.d/passwd file. Note that wiz_passwd uses a circa 1975 algorithm (traditional UNIX crypt-style password hashing), which is weak by current standards. Because spec.d/passwd has to be readable by every user who runs spec, any local user can copy the hash and guess the password offline, so choose a wizard password that is not shared with any login account, and treat wizard mode as protection against careless changes rather than against a determined local user.

If no wizard password has been set, a default password is accepted. One can try to guess the default password (think "Horse Feathers") or contact CSS. Once a password has been set, the default password no longer works, so set one as part of installation rather than relying on the default staying unknown to users.

To prevent users from disabling the wizard protections by editing the config file by hand, one can use the file protection features built into the operating system. One possibility is to make the edconf program set-user-id to an administrative account such as specadm, change the ownership of the config files to that account, and set the mode of the config files to rw-r--r--. Do that using commands (as super user) along the following lines (for a spec geometry):

chown specadm edconf spec/config
chmod u+s edconf
chmod 644 spec/config

The spec installation tools should maintain the set-user-id mode of edconf when spec is reinstalled or updated. Two further points matter for this scheme to hold. The directory containing the config file must not be writable by ordinary users, since a user who can write the directory can rename the protected file aside and put an edited copy in its place regardless of the file's own mode. And because a set-user-id edconf runs with the owner's rights on behalf of whoever invokes it, the owner should be an ordinary account created for the purpose rather than root, and the edconf binary itself must not be writable by other users.
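The following audit script is an added example, not part of the spec distribution: it checks that the ownership and mode arrangement described above is actually in effect, including the two conditions the chown/chmod commands do not cover (the config directory and the edconf binary must not be writable by group or other). The paths and the owner name are arguments; specadm is the account name used in the text and is only a default here.

```shell
#!/bin/sh
# Added example (not spec's own code): verify the set-user-id edconf
# protection scheme. Usage: check_wizard_protection EDCONF CONFIG [OWNER]
# e.g.  check_wizard_protection ./edconf spec/config specadm

# First field of "ls -ldn": the symbolic mode, e.g. -rwsr-xr-x.
# POSIX ls is used instead of stat(1), whose flags differ between systems.
mode_string() {
    ls -ldn "$1" | awk '{ print $1 }'
}

# Third field of "ls -ldn": the numeric owner uid.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Set-user-id shows as 's' (or 'S' without execute) in the 4th character.
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Group write is the 6th character, other write the 9th.
writable_by_others() {
    case "$(mode_string "$1")" in
        ?????w*|????????w*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Returns 0 only when every check passes; reports each failure on stderr.
check_wizard_protection() {
    edconf=$1
    config=$2
    owner=${3:-specadm}
    # Accept a user name or a numeric uid for OWNER.
    want_uid=$(id -u "$owner" 2>/dev/null || echo "$owner")
    rc=0

    # edconf must belong to the admin account and be set-user-id to it,
    # otherwise it runs with the caller's rights and cannot write a
    # config file the caller is not allowed to write.
    [ "$(owner_uid "$edconf")" = "$want_uid" ] ||
        { echo "edconf is not owned by $owner" >&2; rc=1; }
    is_setuid "$edconf" ||
        { echo "edconf is not set-user-id" >&2; rc=1; }
    # A set-user-id binary that others can modify hands them the owner's rights.
    ! writable_by_others "$edconf" ||
        { echo "edconf is writable by group/other" >&2; rc=1; }

    # The config file must belong to the admin account and be rw-r--r--
    # or stricter: users read it, edconf (as owner) writes it.
    [ "$(owner_uid "$config")" = "$want_uid" ] ||
        { echo "config is not owned by $owner" >&2; rc=1; }
    ! writable_by_others "$config" ||
        { echo "config is writable by group/other" >&2; rc=1; }

    # File mode alone is not enough: anyone who can write the directory
    # can rename the file away and drop in an edited copy.
    ! writable_by_others "$(dirname "$config")" ||
        { echo "config directory is writable by group/other" >&2; rc=1; }

    return $rc
}
```

Run it after installation and again after every spec update, since a reinstall that loses the set-user-id bit or resets the config ownership silently reopens hand editing.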

The onwiz macro usage is as follows.

No argument
Activates wizard mode for 10 minutes.
Positive argument arg
Sets the timer to arg seconds.
Negative argument
Wizard mode remains on until explicitly turned off (with offwiz).
Argument of zero
Wizard mode is active only until the next main prompt.

If wizard mode is already active, an argument can be used to change the duration without having to re-enter the password. The timer is implemented by adding a command to the standard prompt_mac, which executes before each main spec prompt.