Re: [Openipmi-developer] [PATCH] ipmi_lan: Accept higher privilege than requested
Certainly a needed patch, but why do this check at all (other than FYI)?
Even if the privilege is detected wrong here, it should not abort, but
proceed.
If the privilege is wrong, the target firmware will reject it.
Andy
-Original Message-
From: Arnd Hannemann [mailto:a...@arndnet.de]
Sent: Thursday, July 26, 2012 7:16 AM
To: openipmi-developer@lists.sourceforge.net
Subject: [Openipmi-developer] [PATCH] ipmi_lan: Accept higher privilege
thanrequested
Currently openipmi expects that the privilege level in the
open session response equals the privilege which was requested.
This is wrong, because it is legal to request a lower privilege
level than allowed for a user:
According to IPMI v2.0 spec the RCMP+ Open Session Response
contains the _maximum_ privilege Level allowed for a session.
Additionally there seems to be a bug in the HP ILO3 IPMI implementation
where the maximum privilege level returned in the response is admin
even if the user is only allowed to login with privilege operator.
Both bugs together prevent the ipmilan stonith agent to work with ILO3
and fence with priv=operator.
This patch fixes the behavior of openIPMI and allows the session open
repsonse
message to contain an higher privilege level than requested.
With this patch fencing with priv=operator works correctly.
Signed-off-by: Arnd Hannemann a...@arndnet.de
---
lib/ipmi_lan.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ipmi_lan.c b/lib/ipmi_lan.c
index c55445e..095f133 100644
--- a/lib/ipmi_lan.c
+++ b/lib/ipmi_lan.c
@@ -4530,7 +4530,7 @@ got_rmcpp_open_session_rsp(ipmi_con_t *ipmi,
ipmi_msgi_t *rspi)
lan = (lan_data_t *) ipmi-con_data;
privilege = msg-data[2] 0xf;
-if (privilege != lan-cparm.privilege) {
+if (privilege lan-cparm.privilege) {
ipmi_log(IPMI_LOG_ERR_INFO,
%sipmi_lan.c(got_rmcpp_open_session_rsp):
Expected privilege %d, got %d,
--
1.7.9.5
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
Re: [Openipmi-developer] [PATCH] ipmi_lan: Accept higher privilege than requested
On Thu, 2012-07-26 at 06:41 -0700, Andy Cress wrote:
Certainly a needed patch, but why do this check at all (other than FYI)?
Even if the privilege is detected wrong here, it should not abort, but
proceed.
If the privilege is wrong, the target firmware will reject it.
I do a similar check/error out in FreeIPMI. I believe it's the right
thing to do to error out at the authentication phase and tell the user
they can't connect at the requested privilege level. Otherwise, random
IPMI commands will just fail with privilege level not sufficient later
on.
Al
Andy
-Original Message-
From: Arnd Hannemann [mailto:a...@arndnet.de]
Sent: Thursday, July 26, 2012 7:16 AM
To: openipmi-developer@lists.sourceforge.net
Subject: [Openipmi-developer] [PATCH] ipmi_lan: Accept higher privilege
thanrequested
Currently openipmi expects that the privilege level in the
open session response equals the privilege which was requested.
This is wrong, because it is legal to request a lower privilege
level than allowed for a user:
According to IPMI v2.0 spec the RCMP+ Open Session Response
contains the _maximum_ privilege Level allowed for a session.
Additionally there seems to be a bug in the HP ILO3 IPMI implementation
where the maximum privilege level returned in the response is admin
even if the user is only allowed to login with privilege operator.
Both bugs together prevent the ipmilan stonith agent to work with ILO3
and fence with priv=operator.
This patch fixes the behavior of openIPMI and allows the session open
repsonse
message to contain an higher privilege level than requested.
With this patch fencing with priv=operator works correctly.
Signed-off-by: Arnd Hannemann a...@arndnet.de
---
lib/ipmi_lan.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ipmi_lan.c b/lib/ipmi_lan.c
index c55445e..095f133 100644
--- a/lib/ipmi_lan.c
+++ b/lib/ipmi_lan.c
@@ -4530,7 +4530,7 @@ got_rmcpp_open_session_rsp(ipmi_con_t *ipmi,
ipmi_msgi_t *rspi)
lan = (lan_data_t *) ipmi-con_data;
privilege = msg-data[2] 0xf;
-if (privilege != lan-cparm.privilege) {
+if (privilege lan-cparm.privilege) {
ipmi_log(IPMI_LOG_ERR_INFO,
%sipmi_lan.c(got_rmcpp_open_session_rsp):
Expected privilege %d, got %d,
--
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
