Hey Michal,

On Fri, 2009-02-27 at 18:31 +0100, Michal Bachorik - Sun Microsystems - Prague Czech Republic wrote:
> Hi Al,
>
> thx for update. I am no expert on solaris BMC driver, but guys who seem
> to have more knowledge than I do claim that Solaris bmc driver does not
> need root permissions.

Just as a clarification, I am saying that root is a policy decision, not a technical requirement. If you'd like to make it a requirement that non-root users can access the BMC, perhaps I could make a compile time option that implements this alternate behavior, so OpenSolaris can implement this for their distribution??

Al

> To explain why I need this info - a solaris SW has to follow some
> architectural rules, and one of these rules touches this problem. I
> think I have enough information now, and I will see how authorities will
> deal with them.
>
> With regards,
>
> michal
>
> On 02/27/09 18:18, Al Chu11 wrote:
> > Hey Michal,
> >
> > A bit of background here. The first FreeIPMI releases implemented their
> > inband communication via iopl() calls in Linux. These calls require
> > root and thus some checks were put in before the calls.
> >
> > Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
> > were added. I just left the root checks in there. I can't speak for
> > Sun boxes, but I assume one can change the permissions on these devices
> > to allow non-root users to access the BMC. I suppose root checks could
> > be left up to the system administrator setting permissions on /dev/*
> > instead of FreeIPMI just checking for root.
> >
> > Mirroring some of Andy's comments, I'm a bit reluctant to remove the
> > root checks though. There are inherent IPMI security configurations
> > that are done inband (i.e. set BMC passwords) that really should only be
> > done by root.
> >
> > Al
> >
> > On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
> > Prague Czech Republic wrote:
> >
> >> Hi all,
> >>
> >> we are trying to port freeipmi on opensolaris (most of the stuff done,
> >> just paperwork remains) and we need to clarify one thing - freeipmi
> >> requires (at least our ported version) a user with root permissions to
> >> run certain commands. As we are using solaris BMC driver, we first
> >> thought that the problem is in BMC driver but according to the information
> >> from some other (more BMC driver skilled guys) this is not the reason
> >> and they suspect that it is a matter of how freeipmi interprets the IPMI
> >> user security.
> >>
> >> Can someone shed more light into it, please? Is it freeipmi who needs root
> >> user?
> >>
> >> Here is brief output how freeipmi clis behave when run under a non-root
> >> account:
> >>
> >> -->cd /usr/sbin/
> >> -->ls -la bmc-*
> >> -rwxr-xr-x 1 root bin 1050148 Feb 19 19:09 bmc-config
> >> -rwxr-xr-x 1 root bin  514956 Feb 19 19:09 bmc-device
> >> -rwxr-xr-x 1 root bin  487364 Feb 19 19:09 bmc-info
> >> -rwxr-xr-x 1 root bin  339560 Feb 19 19:09 bmc-watchdog
> >> -->ls -la ipmi-*
> >> -rwxr-xr-x 1 root bin  527748 Feb 19 19:09 ipmi-chassis
> >> -rwxr-xr-x 1 root bin  677276 Feb 19 19:09 ipmi-chassis-config
> >> -rwxr-xr-x 1 root bin  679640 Feb 19 19:09 ipmi-fru
> >> -rwxr-xr-x 1 root bin  138348 Feb 19 19:10 ipmi-locate
> >> -rwxr-xr-x 1 root bin  471508 Feb 19 19:09 ipmi-oem
> >> -rwxr-xr-x 1 root bin  474672 Feb 19 19:09 ipmi-raw
> >> -rwxr-xr-x 1 root bin  641740 Feb 19 19:09 ipmi-sel
> >> -rwxr-xr-x 1 root bin  736188 Feb 19 19:10 ipmi-sensors
> >> -rwxr-xr-x 1 root bin  828848 Feb 19 19:10 ipmi-sensors-config
> >>
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
> >> ./bmc-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
> >> ./bmc-device: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
> >> ./bmc-device: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-info
> >> ./bmc-info: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
> >> bmc-watchdog: Error opening logfile
> >> '/var/log/freeipmi/bmc-watchdog.log': Permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
> >> ./ipmi-chassis: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
> >> ./ipmi-chassis-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-fru -V
> >> ipmi-fru - 0.7.4
> >> Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
> >> Copyright (C) 2007 The Regents of the University of California.
> >> This program is free software; you may redistribute it under the terms of
> >> the GNU General Public License. This program has absolutely no warranty.
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-locate
> >> ./ipmi-locate: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L
> >> OEM ID: supermicro
> >> Command: reset-intrusion - reset motherboard intrusion flag.
> >>
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
> >> ./ipmi-sel: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
> >> ./ipmi-sensors: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
> >> ./ipmi-sensors-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmimonitoring
> >> ./ipmimonitoring: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2
> >> ipmiping ge2 (10.18.143.68)
> >> response timed out: rq_seq=25
> >> response timed out: rq_seq=26
> >> response timed out: rq_seq=27
> >> response timed out: rq_seq=28
> >> ^C--- ipmiping ge2 statistics ---
> >> 5 requests transmitted, 0 responses received in time, 100.0% packet loss
> >> <non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
> >> ge2: connection timeout
> >>
> >> Regards,
> >>
> >> Michal
> >> _______________________________________________
> >> Freeipmi-devel mailing list
> >> Freeipmi-devel@gnu.org
> >> http://lists.gnu.org/mailman/listinfo/freeipmi-devel
> >>
>
--
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
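
Added example, not part of the original thread and not FreeIPMI code: the two policies discussed above side by side in C, the existing root check for every driver and a build option that defers to the device node's permissions but still refuses a node open to all users. Every identifier, the `strict_root` switch and the sample ownership values are assumptions made for illustration.

```c
/* Added example; not FreeIPMI code. All identifiers are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

enum drv { DRV_KCS_IOPL, DRV_DEVNODE };  /* raw port I/O vs. /dev/ipmi*, /dev/bmc */
enum verdict { ALLOW, NEED_ROOT, DEV_TOO_OPEN, DEV_NO_ACCESS };

/* strict_root=1: root check for every driver (behaviour described in the thread).
 * strict_root=0: proposed option, defer to the device node's permissions.
 * Only the primary group is checked; supplementary groups are ignored. */
enum verdict inband_policy(enum drv d, int strict_root, uid_t euid, gid_t egid,
                           const struct stat *dev)
{
    if (euid == 0) return ALLOW;
    if (d == DRV_KCS_IOPL || strict_root) return NEED_ROOT; /* iopl() needs root */
    /* Inband access can set BMC passwords: reject a node open to "other". */
    if (dev->st_mode & (S_IROTH | S_IWOTH)) return DEV_TOO_OPEN;
    if (dev->st_uid == euid &&
        (dev->st_mode & (S_IRUSR | S_IWUSR)) == (S_IRUSR | S_IWUSR)) return ALLOW;
    if (dev->st_gid == egid &&
        (dev->st_mode & (S_IRGRP | S_IWGRP)) == (S_IRGRP | S_IWGRP)) return ALLOW;
    return DEV_NO_ACCESS;
}

/* Constructed sample input: a stat record with only the fields the policy reads. */
struct stat make_node(mode_t perms, uid_t uid, gid_t gid)
{
    struct stat s;
    memset(&s, 0, sizeof s);
    s.st_mode = perms; s.st_uid = uid; s.st_gid = gid;
    return s;
}

int main(void)
{
    static const char *names[] = { "allow", "need-root", "device-too-open", "no-access" };
    struct stat grp  = make_node(0660, 0, 14);  /* constructed: root:gid 14, rw-rw---- */
    struct stat wide = make_node(0666, 0, 14);  /* constructed: rw-rw-rw- */
    printf("root check kept, uid 1000:    %s\n", names[inband_policy(DRV_DEVNODE, 1, 1000, 14, &grp)]);
    printf("defer to node, group member:  %s\n", names[inband_policy(DRV_DEVNODE, 0, 1000, 14, &grp)]);
    printf("defer to node, mode 0666:     %s\n", names[inband_policy(DRV_DEVNODE, 0, 1000, 14, &wide)]);
    printf("defer to node, iopl driver:   %s\n", names[inband_policy(DRV_KCS_IOPL, 0, 1000, 14, &grp)]);
    return 0;
}
```

In a real tool `dev` would come from `fstat()` on the already opened descriptor rather than from a path, so the node checked is the node used.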