Currently openipmi expects that the privilege level in the open session response equals the privilege which was requested. This is wrong, because it is legal to request a lower privilege level than allowed for a user:
According to IPMI v2.0 spec the RMCP+ Open Session Response contains the _maximum_ privilege level allowed for a session.

Furthermore Andy Cress pointed out: Even if the privilege is detected wrong here, it should not abort, but proceed.

The bug was found because there seems to be a bug in the HP ILO3 IPMI implementation where the maximum privilege level returned in the response is "admin" even if the user is only allowed to log in with privilege "operator".

Both bugs together prevent the ipmilan stonith agent from working with ILO3 and fencing with priv="operator".

This patch fixes the behavior of openIPMI and allows the "session open" response message to contain a different privilege level than requested. A warning is issued if the privilege level is lower than requested. With this patch fencing with "priv=operator" works correctly.

Signed-off-by: Arnd Hannemann <a...@arndnet.de>
--- lib/ipmi_lan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/ipmi_lan.c b/lib/ipmi_lan.c index c55445e..cc75531 100644 --- a/lib/ipmi_lan.c +++ b/lib/ipmi_lan.c 
@@ -4530,13 +4530,11 @@ got_rmcpp_open_session_rsp(ipmi_con_t *ipmi, ipmi_msgi_t *rspi) lan = (lan_data_t *) ipmi->con_data; privilege = msg->data[2] & 0xf; - if (privilege != lan->cparm.privilege) { - ipmi_log(IPMI_LOG_ERR_INFO, + if (privilege < lan->cparm.privilege) { + ipmi_log(IPMI_LOG_WARNING, "%sipmi_lan.c(got_rmcpp_open_session_rsp): " "Expected privilege %d, got %d", IPMI_CONN_NAME(ipmi), lan->cparm.privilege, privilege); - handle_connected(ipmi, EINVAL, addr_num); - goto out; } session_id = ipmi_get_uint32(msg->data+4); -- 1.7.9.5
_______________________________________________
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
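Review bot: in the `if (privilege < lan->cparm.privilege)` branch the function now only logs and falls through to `session_id = ipmi_get_uint32(msg->data+4);`, so when the BMC reports a maximum below what was requested, nothing in the visible lines records that lower limit or signals it to the caller. If proceeding is the intended behaviour, as the commit message states, please add a short comment saying that this field is the maximum privilege allowed for the session and that a mismatch is deliberately non-fatal. The log text "Expected privilege %d, got %d" still describes the old equality check; wording such as "Requested privilege %d, maximum allowed is %d" would match the new condition. The braces around the now single-statement body can be dropped if the file's style allows it.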