# /etc/gslservice/usergroup.cf
#
# Copyright: ©2015, Güralp Systems Ltd.
# Author: Laurence Withers
# License: GPLv3
#
# This file is part of the Platinum firmware, and as such should not be edited
# by users. This file sets multi-user policies for various system services and
# subsystems.
#
# To gain a quick overview of the documented Platinum system policy, run:
#   grep POLICY /etc/gslservice/usergroup.cf
#
# Reading the keys (as used in the sections below):
#   file_group / file_mode      group and permission bits applied to files or
#                               device nodes
#   socket_group / socket_mode  group and permission bits applied to sockets
#   allowed_group               group that applications test the user against
#   allowed_owner               owner that the user must be (ssh.config only)
#
# Modes are octal permission bits:
#   0660  read/write for owner and group, no access for others
#   0640  read/write for owner, read-only for group, no access for others
#
# Group membership is the access boundary throughout this file. Summary of
# what each group is granted by the sections below:
#   data     data submission over the GDI socket, data flow control
#   inst     digital compass control and sensor control sockets
#   instcfg  digitiser configuration (configuration files are group-writable)
#   dialout  raw serial port access, serial port service configuration, and
#            the serial-port part of digitiser configuration
#   upasswd  changing one's own login password
#

#POLICY:
#POLICY: Data manipulation
#POLICY:
#POLICY: Users in group 'data' may submit new data to the system (via GDI
#POLICY: socket) and may manipulate data flow (e.g. controlling gdi-link
#POLICY: peers).
#POLICY:
[data]
socket_group = data
socket_mode = 0660
allowed_group = data

#POLICY:
#POLICY: Digital compass subsystem
#POLICY:
#POLICY: Users in group 'inst' can control sensors (offset null etc.)
#POLICY:
# same group as sensor-control2: membership of inst grants both
[dcompass.control]
socket_group = inst
socket_mode = 0660
allowed_group = inst

#POLICY:
#POLICY: Password change
#POLICY:
#POLICY: Users need to be a member of the 'upasswd' group in order to change
#POLICY: their login password.
#POLICY:
[passwd]
allowed_group = upasswd

#POLICY:
#POLICY: Sensor control
#POLICY:
#POLICY: Users in group 'inst' can control sensors (lock/unlock/cal etc.)
#POLICY: Users in group 'instcfg' can alter configuration of digitiser
#POLICY:  - note that this group is required for DM24 terminal access, as that
#POLICY:    does give the user the capability to rewrite the digitiser config
#POLICY:  - users must further be in the 'dialout' group for changing the
#POLICY:    digitiser's baud rate or upgrading its firmware
#POLICY:

# applies to the sockets and description files of libsctl2-provider
[sensor-control2]
# group inst only needs read access to description files, hence 0640
file_group = inst
file_mode = 0640
# group inst must be able to connect to the sockets, hence 0660
socket_group = inst
socket_mode = 0660
allowed_group = inst

# applies to dacq-config.cgi and the related configuration pages, and to the
# dm24-terminal command/FORTH terminal weblink.
# NB: the libdm24terminal sockets themselves are group inst, so that
# sensor-control2 keeps working.
# NOTE(review): this means the instcfg requirement for DM24 terminal access is
# checked by the application, not by the socket permissions. Confirm that a
# user who is in inst but not in instcfg has no other route to those sockets.
[dacq-config]
# das-in and libcd24ll-config configuration files; 0660 makes them writable
# by every member of instcfg
file_group = instcfg
file_mode = 0660
# group that applications test the user against
allowed_group = instcfg

# additional requirement, on top of dacq-config, for operations that need raw
# serial port access (e.g. dm24-upgrade, or changing the baud rate)
[dacq-config.serial-port]
allowed_group = dialout

#POLICY:
#POLICY: Serial ports
#POLICY:
#POLICY: Users in group 'dialout' are allowed raw access to serial ports. This
#POLICY: includes stopping the relevant service. The 'openport' utility
#POLICY: provides a nice front-end to this.
#POLICY:

# serialmux applies this group and mode to the device nodes
[serial-port.device]
file_group = dialout
file_mode = 0660
# openport tests the user against this group before granting port access
allowed_group = dialout

# webconfig uses this to decide which users may configure serial port services
[serial-port.config]
allowed_group = dialout

#POLICY:
#POLICY: SSH server configuration
#POLICY:
#POLICY: Only root can configure the SSH server and manage authorised keys for
#POLICY: users.
#POLICY:
# the only section keyed on an owner rather than a group: no group membership
# grants SSH server or authorised key management
[ssh.config]
allowed_owner = root