This section discusses wholesome practices in setting up a GT.M based application on UNIX/Linux such that, when "captive" users log in to the system, they are taken directly into the application, and when they exit the application, they are logged off the system. Unless part of the application design, a captive user should not get to a shell or GT.M prompt.
The example in "Sample .profile" is for /bin/sh on GNU/Linux, and may need to be adapted for use with other shells on other platforms.
At a high level, preventing a captive user from getting to a shell or GT.M prompt involves:
trapping signals that may cause the login shell to give the user interactive access, for example, by pressing <CTRL-Z> to suspend the mumps application;
preventing a GT.M process from responding to a <CTRL-C> until the application code sets up a handler; and
preventing an error in the application, or a bug in an error handler, from putting a captive user into direct mode.
Note that other users on the system who have appropriate privileges as managed by the operating system can still interfere with captive users. In order to secure a system for captive applications, you must protect it from untrusted other users. Users should only have credentials that permit them the level of access appropriate to their level of trustworthiness, thus: untrusted users should not have credentials to access a system with captive applications.
Defensive configuration implies setting up layers of defenses, so that an error in one layer does not compromise the system.
After initialization common to all users of a system, a login shell sources the .profile file in the user's home directory. A captive user's .profile might look something like this, where "..." denotes a value to be provided.
    trap "" int quit         # ignore SIGINT and SIGQUIT
    stty susp \000           # prevent <CTRL-Z> from sending SIGTSTP
    # set environment variables needed by GT.M and by application, for example
    export gtm_dist=...
    export gtmgbldir=...
    export gtmroutines=...
    export gtm_repl_instance=...
    export gtm_tmp=...
    # disable mumps ^C until application code sets up handler
    export gtm_nocenable=1
    # override default of $ZTRAP="B"
    export gtm_etrap='I 0=$ST W "Process terminated by: ",$ZS,! ZHALT 1'
    # set other environment variables as appropriate, for example
    export EDITOR=...        # a preferred editor for ZEDIT
    export TZ=...            # a timezone different from system default
    export HUGETLB_SHM=yes   # example of a potential performance setting
    export PATH=/usr/bin:/bin # only the minimum needed by application
    export SHELL=/bin/false  # disable ZSYSTEM from command prompt
    # execute captive application starting with entryref ABC^DEF then exit
    exec $gtm_dist/mumps -run ABC^DEF
Note the use of exec to run the application - this terminates the shell and disconnects users from the system when they exit the GT.M application.
If an incoming connection is via an Internet superserver such as xinetd, some of these are not applicable, such as disabling <CTRL-C> and <CTRL-Z>.
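The layers in the sample .profile can be checked mechanically before an account is put into service. The following audit script is an added example, not part of GT.M or of the original page; the function names, the /opt/gtm path and the embedded profile are constructed for illustration, and it assumes the profile has no '#' inside quoted values.

```sh
# Added example (hypothetical helper, not part of GT.M): audit a captive
# user's .profile for the defensive layers shown in the sample above.
body=''      # profile text with comments stripped (set by the audit)
missing=0    # number of findings (set by the audit)

flag() { printf 'MISSING: %s\n' "$1"; missing=$((missing + 1)); }
need() { printf '%s\n' "$body" | grep -Eq -- "$2" || flag "$1"; }

audit_captive_profile() {   # prints findings; returns 0 only when clean
    # Naive comment stripping: assumes no '#' inside quoted values.
    body=$(sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1") || return 2
    missing=0
    e='^[[:space:]]*(export[[:space:]]+)?'
    t="^[[:space:]]*trap[[:space:]]+(\"\"|'')[[:space:]].*"
    need 'trap ignoring SIGINT' "${t}(INT|int)"
    need 'trap ignoring SIGQUIT' "${t}(QUIT|quit)"
    need 'stty susp disabling <CTRL-Z>' '^[[:space:]]*stty[[:space:]]+susp[[:space:]]+(\\000|undef|\^-)$'
    need 'gtm_nocenable=1' "${e}gtm_nocenable=1\$"
    need 'gtm_etrap overriding $ZTRAP="B"' "${e}gtm_etrap=."
    need 'SHELL=/bin/false' "${e}SHELL=/bin/false\$"
    need 'explicit PATH with no expansions' "${e}PATH=[^\$]+\$"
    # The last command must exec the application so that exiting it logs off.
    printf '%s\n' "$body" | tail -n 1 |
        grep -Eq '^[[:space:]]*exec[[:space:]].*mumps[[:space:]]+-run[[:space:]]' ||
        flag 'final "exec ... mumps -run ENTRYREF"'
    [ "$missing" -eq 0 ]
}

sample_profile() {   # constructed input modelled on the sample .profile
    cat <<'EOF'
trap "" int quit
stty susp \000            # no <CTRL-Z>
export gtm_dist=/opt/gtm  # constructed path
export gtm_nocenable=1
export gtm_etrap='I 0=$ST W "Process terminated by: ",$ZS,! ZHALT 1'
export PATH=/usr/bin:/bin
export SHELL=/bin/false
exec $gtm_dist/mumps -run ABC^DEF
EOF
}

# Demo: removing the SHELL line from the constructed sample is reported.
tmp=$(mktemp) || exit 1
sample_profile | grep -v 'SHELL=' > "$tmp"
audit_captive_profile "$tmp" || echo "profile needs attention"
rm -f "$tmp"
```

A clean result only shows that the settings are present in the file; it does not prove that the terminal, the shell in use, or the application's own error handling behave as intended.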