Hello tangoers,
we made some tests with TAC, and I would like to understand a specific point: is there any way to block the possibility to bypass TAC by an environment variable?
In the case of a computer which can be accessed by anyone, one would like to avoid anyone who can access to a terminal to have write access to any device.
Is there any way to avoid this?
Thank you.
Hi Philippe
You can bypass the TAC for a java program (Astor for instance or TAC manager) if you run it with the environment variable:
SUPER_TANGO=true
Thank you Pascal.
In fact, that is precisely the point I want to manage: how to avoid this capacity of anyone with an access to a terminal to bypass TAC?
[quote=“philippeg”]Thank you Pascal.
In fact, that is precisely the point I want to manage: how to avoid this capacity of anyone with an access to a terminal to bypass TAC? [/quote]
As it is now, you can’t, unless you recompile the Tango kernel code and use only Tango libraries recompiled with this code.
TAC was designed to prevent some users to execute commands/write attributes they are not supposed to execute/write.
In the current design, it is the responsibility of everyone to use the proper environment… It is the responsibility of the user to not bypass TAC (Most of the users don’t know about this possibility. Even though this “feature” is documented, it is usually not known by the users). This might change now with topics like this on the forum… 
TAC was never designed against malicious user behaviour.
Of course, we can discuss on a way to improve the system for the future versions and make it less easy to bypass TAC.
In any case, it is always useful to be able to bypass it if you don’t want to get stuck in the case you accidentally blocked yourself or if you forgot your TAC admin password.
kind regards,
Reynald
Thank you Reynald, it answers my question.
I understand that TAC is used in a collaborative context but I need others tools to control write access to devices on a computer which possibly give access to unauthorized users.
After thinking this, I wonder if a walkthrough could be to let the server define the name of the environment variable.
It would allow anyone to continue to use the same environment variable by default but it which could/should be renamed.
Does this seems realistic?
Sounds reasonable to me.
This environment variable should be set only in the environment of the TAC DS. So usually what is done is that TAC DS is started by a script which will set the environment variable before starting the TAC DS.
In the tango distribution, by default, this script is /usr/local/bin/tango_wca (Tango with Control Access). It does already the job for you.
So you can start The Tango Database, Tango Database server and Tango Access Control server using the following command:
tango_wca start
I just tested it on an Ubuntu 16.04 and this script was reporting errors on this platform…
As a quick and dirty fix, you can replace the line 168:
findproc TangoAccessControl
with
findproc TangoAccessC
and line 186:
killproc TangoAccessControl
with
killproc TangoAccessC
In this case, users will have read-only access (if they didn’t define the super environment variable). The clients which were already connected to some TANGO devices will still be able to write attributes, send commands to these TANGO devices (if they need to reconnect at some point, they will probably switch to Read-Only access mode).
[quote=“philippeg”]After thinking this, I wonder if a walkthrough could be to let the server define the name of the environment variable.
It would allow anyone to continue to use the same environment variable by default but it which could/should be renamed.
Does this seems realistic?[/quote]
How/where would you specify this environment variable name?
We can imagine this environment variable name to be a configuration option of the Tango Source distribution for instance…
But be careful if you are using several versions of the Tango libraries on your control system. You will have to keep track of the environment variable names configured by each library version and the versions from today and before will still expect SUPER_TANGO environment variable.
I think there are many ways to change the current situation… I guess this will trigger interesting exchanges during the next Tango meeting.
Kind regards,
Reynald
Here is a report of what I understand on use of TAC :
sudo su
export ENV_VARIABLE=true
/usr/lib/tango/TangoAccessControl 1
connect to astor and open Manager Panel of “Access Control” (under “Tango Database”)
on any client computer, if one need to access to DS without rights control access, one can define environment variable to by-pass it.
Feel free to complete/correct, and thanks to ESRF team, especially Pascal and Reynald.