Hey Michal,

On Fri, 2009-02-27 at 18:31 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
> Hi Al,
> 
> thx for update. I am no expert on solaris BMC driver, but guys who seem 
> to have more knowledge than I do claim that Solaris bmc driver does not 
> need root permissions.

Just as a clarification, I am saying that root is a policy decision, not
a technical requirement.

If you'd like to make it a requirement that non-root users can access
the BMC, perhaps I could make a compile time option that implements this
alternate behavior, so OpenSolaris can implement this for their
distribution??

Al

> To explain why I need this info - a solaris SW has to follow some 
> architectural rules, and one of these rules touches this problem.  I 
> think I have enough information now, and I will see how authorities will 
> deal with them.
> 
> With regards,
> 
> michal
> 
> On 02/27/09 18:18, Al Chu11 wrote:
> > Hey Michal,
> >
> > A bit of background here.  The first FreeIPMI releases implemented their
> > inband communication via iopl() calls in Linux.  These calls require
> > root and thus some checks were put in before the calls.
> >
> > Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
> > was added.  I just left the root checks in there.  I can't speak for
> > Sun boxes, but I assume one can change the permissions on these devices
> > to allow non-root users to access the BMC.  I suppose root checks could
> > be left up to the system administrator setting permissions on /dev/*
> > instead of FreeIPMI just checking for root.  
> >
> > Mirroring some of Andy's comments, I'm a bit reluctant to remove the
> > root checks though.  There are inherent IPMI security configurations
> > that are done inband (i.e. set BMC passwords) that really should only be
> > done by root.
> >
> > Al
> >
> > On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
> > Prague Czech Republic wrote:
> >   
> >> Hi all,
> >>
> >> we are trying to port freeipmi on opensolaris (most of the stuff done, 
> >> just paperwork remains) and we need to clarify one thing - freeipmi 
> >> requires (at least our ported version) a user with root permissions to 
> >> run certain commands. As we are using solaris BMC driver, we first 
> >> thought that the problem is in BMC driver but according to the information 
> >> from some other (more BMC driver skilled guys) this is not the reason 
> >> and they suspect that it is matter of how freeipmi interprets the IPMI 
> >> user security.
> >>
> >> Can someone shed more light into it, please? Is it freeipmi who needs root 
> >> user?
> >>
> >> Here is brief output how freeipmi clis behave when run under a non-root 
> >> account:
> >>
> >> -->cd /usr/sbin/
> >> -->ls -la bmc-*
> >> -rwxr-xr-x   1 root     bin      1050148 Feb 19 19:09 bmc-config
> >> -rwxr-xr-x   1 root     bin       514956 Feb 19 19:09 bmc-device
> >> -rwxr-xr-x   1 root     bin       487364 Feb 19 19:09 bmc-info
> >> -rwxr-xr-x   1 root     bin       339560 Feb 19 19:09 bmc-watchdog
> >> -->ls -la ipmi-*
> >> -rwxr-xr-x   1 root     bin       527748 Feb 19 19:09 ipmi-chassis
> >> -rwxr-xr-x   1 root     bin       677276 Feb 19 19:09 ipmi-chassis-config
> >> -rwxr-xr-x   1 root     bin       679640 Feb 19 19:09 ipmi-fru
> >> -rwxr-xr-x   1 root     bin       138348 Feb 19 19:10 ipmi-locate
> >> -rwxr-xr-x   1 root     bin       471508 Feb 19 19:09 ipmi-oem
> >> -rwxr-xr-x   1 root     bin       474672 Feb 19 19:09 ipmi-raw
> >> -rwxr-xr-x   1 root     bin       641740 Feb 19 19:09 ipmi-sel
> >> -rwxr-xr-x   1 root     bin       736188 Feb 19 19:10 ipmi-sensors
> >> -rwxr-xr-x   1 root     bin       828848 Feb 19 19:10 ipmi-sensors-config
> >>
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
> >> ./bmc-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
> >> ./bmc-device: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
> >> ./bmc-device: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-info
> >> ./bmc-info: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
> >> bmc-watchdog: Error opening logfile 
> >> '/var/log/freeipmi/bmc-watchdog.log': Permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
> >> ./ipmi-chassis: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
> >> ./ipmi-chassis-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-fru -V
> >> ipmi-fru - 0.7.4
> >> Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
> >> Copyright (C) 2007 The Regents of the University of California.
> >> This program is free software; you may redistribute it under the terms of
> >> the GNU General Public License.  This program has absolutely no warranty.
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-locate
> >> ./ipmi-locate: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L
> >> OEM ID: supermicro
> >>    Command: reset-intrusion - reset motherboard intrusion flag.
> >>
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
> >> ./ipmi-sel: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
> >> ./ipmi-sensors: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
> >> ./ipmi-sensors-config: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmimonitoring
> >> ./ipmimonitoring: permission denied
> >> <non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2
> >> ipmiping ge2 (10.18.143.68)
> >> response timed out: rq_seq=25
> >> response timed out: rq_seq=26
> >> response timed out: rq_seq=27
> >> response timed out: rq_seq=28
> >> ^C--- ipmiping ge2 statistics ---
> >> 5 requests transmitted, 0 responses received in time, 100.0% packet loss
> >> <non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
> >> ge2: connection timeout
> >>
> >> Regards,
> >>
> >> Michal
> >> _______________________________________________
> >> Freeipmi-devel mailing list
> >> Freeipmi-devel@gnu.org
> >> http://lists.gnu.org/mailman/listinfo/freeipmi-devel
> >>     
> 
-- 
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
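
The trade-off discussed in this thread (a root check inside the tool versus permissions on the device node), as an added example that is not FreeIPMI code and not part of the original messages. The macro `INBAND_REQUIRE_ROOT`, the `inband_op` values and the function `inband_open` are hypothetical names; the sketch also assumes that security-sensitive operations keep requiring root even when the general check is compiled out.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical build switch (not a FreeIPMI option): build with
 * -DINBAND_REQUIRE_ROOT=0 to defer access control to the device node. */
#ifndef INBAND_REQUIRE_ROOT
#define INBAND_REQUIRE_ROOT 1
#endif

/* Hypothetical operation classes: plain reads vs. security configuration
 * such as setting BMC passwords. */
enum inband_op { OP_READ, OP_SECURITY_CONFIG };

/* Returns an open fd on the driver node, or -1 with errno set. */
int inband_open(const char *dev, uid_t euid, enum inband_op op, int require_root)
{
    struct stat st;
    int fd;

    /* Policy layer: root is always needed for security configuration,
     * and for everything else only when the build asks for it. */
    if ((require_root || op == OP_SECURITY_CONFIG) && euid != 0) {
        errno = EPERM;
        return -1;
    }
    /* Technical layer: the kernel enforces owner/group/mode on the node. */
    fd = open(dev, O_RDWR);
    if (fd < 0)
        return -1;
    /* Refuse anything that is not a character device. */
    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENODEV;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* /dev/bmc is the Sun driver node named in the thread. */
    int fd = inband_open("/dev/bmc", geteuid(), OP_READ, INBAND_REQUIRE_ROOT);
    if (fd < 0) { perror("inband_open"); return 1; }
    close(fd);
    return 0;
}
```

With the check compiled out, who may talk to the BMC is decided by the owner, group and mode the administrator sets on the device node.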


