Michal,

Having done a Linux to Solaris port of ipmiutil also, Linux and Solaris both handle access to device drivers similarly. If a program like freeipmi wants to access a device driver, it must have root privileges.
This is also consistent with the IPMI firmware security for the local system interface, where configuration and reset capability does not require a password locally (that's how the password is set :). The utilities cannot open /dev/bmc to access the driver without root privileges. Unfortunately, Windows is insecure in this paradigm, requiring extra safeguards, but that's another topic.

If you really want to enable non-root users to read (but not write) IPMI data, you could set up a proxy to control access to the device driver via /dev/bmc, and manage requests from non-root users, but you would definitely want to restrict non-root users from writing any IPMI data through the proxy.

Note that IPMI LAN access always requires an IPMI user/password, so non-root users can use it that way because they have access control.

Andy

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michal Bachorik - Sun Microsystems - Prague Czech Republic
Sent: Friday, February 27, 2009 6:28 AM
To: [email protected]
Subject: [Freeipmi-devel] user permissions for running freeipmi clis

Hi all,

we are trying to port freeipmi on OpenSolaris (most of the stuff done, just paperwork remains) and we need to clarify one thing - freeipmi requires (at least our ported version) a user with root permissions to run certain commands. As we are using the Solaris BMC driver, we first thought that the problem is in the BMC driver, but according to the information from some other (more BMC driver skilled) guys this is not the reason, and they suspect that it is a matter of how freeipmi interprets the IPMI user security. Can someone shed more light on it, please? Is it freeipmi who needs root user?

Here is a brief output of how freeipmi CLIs behave when run under a non-root account:

-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x 1 root bin 1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x 1 root bin 514956 Feb 19 19:09 bmc-device
-rwxr-xr-x 1 root bin 487364 Feb 19 19:09 bmc-info
-rwxr-xr-x 1 root bin 339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x 1 root bin 527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x 1 root bin 677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x 1 root bin 679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x 1 root bin 138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x 1 root bin 471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x 1 root bin 474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x 1 root bin 641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x 1 root bin 736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x 1 root bin 828848 Feb 19 19:10 ipmi-sensors-config

<non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile '/var/log/freeipmi/bmc-watchdog.log': Permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of the GNU General Public License. This program has absolutely no warranty.
<non-root-user>@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
Command: reset-intrusion - reset motherboard intrusion flag.
<non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
<non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout

Regards,
Michal

_______________________________________________
Freeipmi-devel mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/freeipmi-devel
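
The read-only proxy suggested in the reply at the top of this thread comes down to a default-deny filter on the IPMI request's NetFn/command pair before anything is forwarded to /dev/bmc. The sketch below is an added example, not code from freeipmi, ipmiutil or either poster; the function name proxy_allows, the allowlist contents and the way the caller's uid reaches the filter are assumptions, and the NetFn/command values are the standard ones from the IPMI 2.0 specification.

```c
/* Added example: default-deny request filter for a hypothetical /dev/bmc proxy. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

struct ipmi_cmd { uint8_t netfn; uint8_t cmd; const char *name; };

/* Read-only requests a non-root caller may issue (assumed allowlist). */
static const struct ipmi_cmd read_only[] = {
    { 0x00, 0x01, "Get Chassis Status" },
    { 0x04, 0x2D, "Get Sensor Reading" },
    { 0x06, 0x01, "Get Device ID" },
    { 0x06, 0x07, "Get ACPI Power State" },
    { 0x0A, 0x10, "Get FRU Inventory Area Info" },
    { 0x0A, 0x11, "Read FRU Data" },
    { 0x0A, 0x40, "Get SEL Info" },
    { 0x0A, 0x43, "Get SEL Entry" },
};

/* Returns 1 if the proxy may forward the request to the driver, 0 otherwise. */
int proxy_allows(uid_t caller_uid, uint8_t netfn, uint8_t cmd)
{
    if (netfn & 1)        /* odd NetFn values are responses, never requests */
        return 0;
    if (caller_uid == 0)  /* root keeps the access it already has on /dev/bmc */
        return 1;
    for (size_t i = 0; i < sizeof read_only / sizeof read_only[0]; i++)
        if (read_only[i].netfn == netfn && read_only[i].cmd == cmd)
            return 1;
    return 0;             /* not listed: denied, which covers every write and OEM command */
}

int main(void)
{
    /* Constructed sample requests: {NetFn, command}. */
    static const uint8_t sample[][2] = {
        { 0x06, 0x01 },   /* Get Device ID */
        { 0x00, 0x02 },   /* Chassis Control (power off/reset) */
        { 0x06, 0x47 },   /* Set User Password */
        { 0x0A, 0x47 },   /* Clear SEL */
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("uid 1000 netfn 0x%02X cmd 0x%02X -> %s\n",
               sample[i][0], sample[i][1],
               proxy_allows(1000, sample[i][0], sample[i][1]) ? "forward" : "deny");
    return 0;
}
```

Because the list names what is permitted rather than what is forbidden, raw or OEM requests a non-root user submits are refused unless someone has reviewed and added them.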
