On Thu, 26 Jul 2012 07:19:35 -0700, Arnd Hannemann wrote:
> Currently openipmi expects that the privilege level in the
> open session response equals the privilege which was requested.
> This is wrong, because it is legal to request a lower privilege
> level than allowed for a user:
> 
> According to the IPMI v2.0 spec, the RMCP+ Open Session Response
> contains the _maximum_ privilege level allowed for a session.
> 
> Furthermore Andy Cress pointed out:
> Even if the privilege is detected wrong here, it should not abort, but
> proceed.
> 
> The bug was found because there seems to be a bug in the HP ILO3 IPMI
> implementation where the maximum privilege level returned in the
> response is "admin" even if the user is only allowed to login with
> privilege "operator".
> 
> Both bugs together prevent the ipmilan stonith agent from working with ILO3
> and fence with priv="operator".
> 
> This patch fixes the behavior of openIPMI and allows the "session
> open" response message to contain a different privilege level than
> requested. A warning is issued if the privilege level is lower than
> requested.
> 
> With this patch fencing with "priv=operator" works correctly.
> 
> Signed-off-by: Arnd Hannemann <a...@arndnet.de>
> ---
>  lib/ipmi_lan.c |    6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/lib/ipmi_lan.c b/lib/ipmi_lan.c
> index c55445e..cc75531 100644
> --- a/lib/ipmi_lan.c
> +++ b/lib/ipmi_lan.c
> @@ -4530,13 +4530,11 @@ got_rmcpp_open_session_rsp(ipmi_con_t *ipmi, 
> ipmi_msgi_t  *rspi)
>      lan = (lan_data_t *) ipmi->con_data;
>  
>      privilege = msg->data[2] & 0xf;
> -    if (privilege != lan->cparm.privilege) {
> -       ipmi_log(IPMI_LOG_ERR_INFO,
> +    if (privilege < lan->cparm.privilege) {
> +       ipmi_log(IPMI_LOG_WARNING,
>                  "%sipmi_lan.c(got_rmcpp_open_session_rsp): "
>                  "Expected privilege %d, got %d",
>                  IPMI_CONN_NAME(ipmi), lan->cparm.privilege,
> privilege);
> -       handle_connected(ipmi, EINVAL, addr_num);
> -       goto out;
>      }
>  
>      session_id = ipmi_get_uint32(msg->data+4);
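
Review bot: in the `privilege < lan->cparm.privilege` branch, dropping `handle_connected(ipmi, EINVAL, addr_num);` and `goto out;` removes the only failure path in this hunk, so a response whose maximum level is below the requested one now continues into session setup with nothing but a log line. The ILO3 case in the commit message (response higher than requested) is already covered by changing `!=` to `<`, so the lower-than-requested case could keep failing, or at least be reported to the caller; if continuing is intended, a short comment should say why. The log text "Expected privilege %d, got %d" also no longer matches the new meaning and would read better as the requested level exceeding the maximum the BMC reports, with a comment above the check noting that `msg->data[2] & 0xf` is the maximum allowed level rather than an echo of the request. That masked value is also used without any range check in the lines shown.
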
> -- 
> 1.7.9.5

I was very disappointed to find that this patch was never merged. I had
to build my own RPM for my production Zabbix server, which isn't ideal.
I can confirm that the patch still works against 2.0.23. Could it please
be merged now?

Regards,
James

_______________________________________________
Openipmi-developer mailing list
Openipmi-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
