Re: [Freeipmi-devel] user permissions for running freeipmi clis

2009-03-02 Thread Michal Bachorik - Sun Microsystems - Prague Czech Republic

Al,

that would probably solve our last remaining problem. If you can do 
this, I'd really appreciate it (and opensolaris community also).


Thx,

Michal

On 03/02/09 18:05, Al Chu wrote:

Hey Michal,

On Fri, 2009-02-27 at 18:31 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
  

Hi Al,

thx for update. I am no expert on solaris BMC driver, but guys who seem
to have more knowledge than I do claim that Solaris bmc driver does not
need root permissions.



Just as a clarification, I am saying that root is a policy decision, not
a technical requirement.

If you'd like to make it a requirement that non-root users can access
the BMC, perhaps I could make a compile time option that implements this
alternate behavior, so OpenSolaris can implement this for their
distribution??

Al

  
To explain why I need this info - a solaris SW has to follow some 
architectural rules, and one of these rules touches this problem.  I 
think I have enough information now, and I will see how authorities will 
deal with them.


With regards,

michal

On 02/27/09 18:18, Al Chu11 wrote:


Hey Michal,

A bit of background here.  The first FreeIPMI releases implemented their
inband communication via iopl() calls in Linux.  These calls require
root and thus some checks were put in before the calls.

Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
were added.  I just left the root checks in there.  I can't speak for
Sun boxes, but I assume one can change the permissions on these devices
to allow non-root users to access the BMC.  I suppose root checks could
be left up to the system administrator setting permissions on /dev/*
instead of FreeIPMI just checking for root.  


Mirroring some of Andy's comments, I'm a bit reluctant to remove the
root checks though.  There are inherent IPMI security configurations
that are done inband (i.e. set BMC passwords) that really should only be
done by root.

Al

On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
  
  

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done, 
just paperwork remains) and we need to clarify one thing - freeipmi 
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according to the information
from some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is a matter of how freeipmi interprets the IPMI
user security.


Can someone shed more light into it, please? Is it freeipmi who needs root
user?


Here is brief output how freeipmi clis behave when run under a non-root 
account:


-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config

@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile 
'/var/log/freeipmi/bmc-watchdog.log': Permission denied

@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.
@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
@ge2:/usr/sbin> ./ipm

Re: [Freeipmi-devel] user permissions for running freeipmi clis

2009-03-02 Thread Al Chu
Hey Michal,

On Fri, 2009-02-27 at 18:31 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
> Hi Al,
> 
> thx for update. I am no expert on solaris BMC driver, but guys who seem
> to have more knowledge than I do claim that Solaris bmc driver does not
> need root permissions.

Just as a clarification, I am saying that root is a policy decision, not
a technical requirement.

If you'd like to make it a requirement that non-root users can access
the BMC, perhaps I could make a compile time option that implements this
alternate behavior, so OpenSolaris can implement this for their
distribution??

Al

> To explain why I need this info - a solaris SW has to follow some 
> architectural rules, and one of these rules touches this problem.  I 
> think I have enough information now, and I will see how authorities will 
> deal with them.
> 
> With regards,
> 
> michal
> 
> On 02/27/09 18:18, Al Chu11 wrote:
> > Hey Michal,
> >
> > A bit of background here.  The first FreeIPMI releases implemented their
> > inband communication via iopl() calls in Linux.  These calls require
> > root and thus some checks were put in before the calls.
> >
> > Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
> > were added.  I just left the root checks in there.  I can't speak for
> > Sun boxes, but I assume one can change the permissions on these devices
> > to allow non-root users to access the BMC.  I suppose root checks could
> > be left up to the system administrator setting permissions on /dev/*
> > instead of FreeIPMI just checking for root.  
> >
> > Mirroring some of Andy's comments, I'm a bit reluctant to remove the
> > root checks though.  There are inherent IPMI security configurations
> > that are done inband (i.e. set BMC passwords) that really should only be
> > done by root.
> >
> > Al
> >
> > On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
> > Prague Czech Republic wrote:
> >   
> >> Hi all,
> >>
> >> we are trying to port freeipmi on opensolaris (most of the stuff done, 
> >> just paperwork remains) and we need to clarify one thing - freeipmi 
> >> requires (at least our ported version) a user with root permissions to
> >> run certain commands. As we are using solaris BMC driver, we first
> >> thought that the problem is in BMC driver but according to the information
> >> from some other (more BMC driver skilled guys) this is not the reason
> >> and they suspect that it is a matter of how freeipmi interprets the IPMI
> >> user security.
> >>
> >> Can someone shed more light into it, please? Is it freeipmi who needs root
> >> user?
> >>
> >> Here is brief output how freeipmi clis behave when run under a non-root 
> >> account:
> >>
> >> -->cd /usr/sbin/
> >> -->ls -la bmc-*
> >> -rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
> >> -rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
> >> -rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
> >> -rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
> >> -->ls -la ipmi-*
> >> -rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
> >> -rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
> >> -rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
> >> -rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
> >> -rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
> >> -rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
> >> -rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
> >> -rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
> >> -rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config
> >>
> >> @ge2:/usr/sbin> ./bmc-config --checkout
> >> ./bmc-config: permission denied
> >> @ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
> >> ./bmc-device: permission denied
> >> @ge2:/usr/sbin> ./bmc-device --get-lan-statistics
> >> ./bmc-device: permission denied
> >> @ge2:/usr/sbin> ./bmc-info
> >> ./bmc-info: permission denied
> >> @ge2:/usr/sbin> ./bmc-watchdog -g
> >> bmc-watchdog: Error opening logfile 
> >> '/var/log/freeipmi/bmc-watchdog.log': Permission denied
> >> @ge2:/usr/sbin> ./ipmi-chassis --get-status
> >> ./ipmi-chassis: permission denied
> >> @ge2:/usr/sbin> ./ipmi-chassis-config --checkout
> >> ./ipmi-chassis-config: permission denied
> >> @ge2:/usr/sbin> ./ipmi-fru -V
> >> ipmi-fru - 0.7.4
> >> Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
> >> Copyright (C) 2007 The Regents of the University of California.
> >> This program is free software; you may redistribute it under the terms of
> >> the GNU General Public License.  This program has absolutely no warranty.
> >> @ge2:/usr/sbin> ./ipmi-locate
> >> ./ipmi-locate: permission denied
> >> @ge2:/usr/sbin> ./ipmi-oem -L
> >> OEM ID: supermicro
> >>    Command: reset-intrusion - reset motherboard intrusion flag.
> >>
> >> @ge2:/usr/sbin> ./ipmi-sel -i
> >> ./i

Re: [Freeipmi-devel] user permissions for running freeipmi clis

2009-02-27 Thread Michal Bachorik - Sun Microsystems - Prague Czech Republic

Hi Al,

thx for update. I am no expert on solaris BMC driver, but guys who seem
to have more knowledge than I do claim that Solaris bmc driver does not
need root permissions.


To explain why I need this info - a solaris SW has to follow some 
architectural rules, and one of these rules touches this problem.  I 
think I have enough information now, and I will see how authorities will 
deal with them.


With regards,

michal

On 02/27/09 18:18, Al Chu11 wrote:

Hey Michal,

A bit of background here.  The first FreeIPMI releases implemented their
inband communication via iopl() calls in Linux.  These calls require
root and thus some checks were put in before the calls.

Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
were added.  I just left the root checks in there.  I can't speak for
Sun boxes, but I assume one can change the permissions on these devices
to allow non-root users to access the BMC.  I suppose root checks could
be left up to the system administrator setting permissions on /dev/*
instead of FreeIPMI just checking for root.  


Mirroring some of Andy's comments, I'm a bit reluctant to remove the
root checks though.  There are inherent IPMI security configurations
that are done inband (i.e. set BMC passwords) that really should only be
done by root.

Al

On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
  

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done, 
just paperwork remains) and we need to clarify one thing - freeipmi 
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according to the information
from some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is a matter of how freeipmi interprets the IPMI
user security.


Can someone shed more light into it, please? Is it freeipmi who needs root
user?


Here is brief output how freeipmi clis behave when run under a non-root 
account:


-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config

@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile 
'/var/log/freeipmi/bmc-watchdog.log': Permission denied

@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.
@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout

Regards,

Michal
___
Freeipmi-devel mailing list
Freeipmi-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/freeipmi-devel




Re: [Freeipmi-devel] user permissions for running freeipmi clis

2009-02-27 Thread Al Chu11
Hey Michal,

A bit of background here.  The first FreeIPMI releases implemented their
inband communication via iopl() calls in Linux.  These calls require
root and thus some checks were put in before the calls.

Later, support for other devices (openipmi's /dev/ipmi, sun's /dev/bmc)
were added.  I just left the root checks in there.  I can't speak for
Sun boxes, but I assume one can change the permissions on these devices
to allow non-root users to access the BMC.  I suppose root checks could
be left up to the system administrator setting permissions on /dev/*
instead of FreeIPMI just checking for root.  

Mirroring some of Andy's comments, I'm a bit reluctant to remove the
root checks though.  There are inherent IPMI security configurations
that are done inband (i.e. set BMC passwords) that really should only be
done by root.

Al

On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
> Hi all,
> 
> we are trying to port freeipmi on opensolaris (most of the stuff done, 
> just paperwork remains) and we need to clarify one thing - freeipmi 
> requires (at least our ported version) a user with root permissions to
> run certain commands. As we are using solaris BMC driver, we first
> thought that the problem is in BMC driver but according to the information
> from some other (more BMC driver skilled guys) this is not the reason
> and they suspect that it is a matter of how freeipmi interprets the IPMI
> user security.
>
> Can someone shed more light into it, please? Is it freeipmi who needs root
> user?
> 
> Here is brief output how freeipmi clis behave when run under a non-root 
> account:
> 
> -->cd /usr/sbin/
> -->ls -la bmc-*
> -rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
> -rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
> -rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
> -rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
> -->ls -la ipmi-*
> -rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
> -rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
> -rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
> -rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
> -rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
> -rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
> -rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
> -rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
> -rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config
> 
> @ge2:/usr/sbin> ./bmc-config --checkout
> ./bmc-config: permission denied
> @ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
> ./bmc-device: permission denied
> @ge2:/usr/sbin> ./bmc-device --get-lan-statistics
> ./bmc-device: permission denied
> @ge2:/usr/sbin> ./bmc-info
> ./bmc-info: permission denied
> @ge2:/usr/sbin> ./bmc-watchdog -g
> bmc-watchdog: Error opening logfile 
> '/var/log/freeipmi/bmc-watchdog.log': Permission denied
> @ge2:/usr/sbin> ./ipmi-chassis --get-status
> ./ipmi-chassis: permission denied
> @ge2:/usr/sbin> ./ipmi-chassis-config --checkout
> ./ipmi-chassis-config: permission denied
> @ge2:/usr/sbin> ./ipmi-fru -V
> ipmi-fru - 0.7.4
> Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
> Copyright (C) 2007 The Regents of the University of California.
> This program is free software; you may redistribute it under the terms of
> the GNU General Public License.  This program has absolutely no warranty.
> @ge2:/usr/sbin> ./ipmi-locate
> ./ipmi-locate: permission denied
> @ge2:/usr/sbin> ./ipmi-oem -L
> OEM ID: supermicro
>    Command: reset-intrusion - reset motherboard intrusion flag.
> 
> @ge2:/usr/sbin> ./ipmi-sel -i
> ./ipmi-sel: permission denied
> @ge2:/usr/sbin> ./ipmi-sensors
> ./ipmi-sensors: permission denied
> @ge2:/usr/sbin> ./ipmi-sensors-config --checkout
> ./ipmi-sensors-config: permission denied
> @ge2:/usr/sbin> ./ipmimonitoring
> ./ipmimonitoring: permission denied
> @ge2:/usr/sbin> ./ipmiping -i 1 ge2
> ipmiping ge2 (10.18.143.68)
> response timed out: rq_seq=25
> response timed out: rq_seq=26
> response timed out: rq_seq=27
> response timed out: rq_seq=28
> ^C--- ipmiping ge2 statistics ---
> 5 requests transmitted, 0 responses received in time, 100.0% packet loss
> @ge2:/usr/sbin> ./ipmipower -h ge2 -s
> ge2: connection timeout
> 
> Regards,
> 
> Michal
-- 
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory





RE: [Freeipmi-devel] user permissions for running freeipmi clis

2009-02-27 Thread Andy Cress

Michal,

Having done a Linux to Solaris port of ipmiutil also, Linux and Solaris
both handle access to device drivers similarly.  If a program like
freeipmi wants to access a device driver, it must have root privileges.

This is also consistent with the IPMI firmware security for the local
system interface, where configuration and reset capability does not
require a password locally (that's how the password is set :).  The
utilities cannot open /dev/bmc to access the driver without root
privileges.  Unfortunately, Windows is insecure in this paradigm,
requiring extra safeguards, but that's another topic.  

If you really want to enable non-root users to read (but not write) IPMI
data, you could set up a proxy to control access to the device driver
via /dev/bmc, and manage requests from non-root users, but you would
definitely want to restrict non-root users from writing any IPMI data
through the proxy.

Note that IPMI LAN access always requires an IPMI user/password, so
non-root users can use it that way because they have access control.

Andy

-----Original Message-----
From: freeipmi-devel-bounces+arcress=users.sourceforge@gnu.org
[mailto:freeipmi-devel-bounces+arcress=users.sourceforge@gnu.org] On
Behalf Of Michal Bachorik - Sun Microsystems - Prague Czech Republic
Sent: Friday, February 27, 2009 6:28 AM
To: freeipmi-devel@gnu.org
Subject: [Freeipmi-devel] user permissions for running freeipmi clis

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done,
just paperwork remains) and we need to clarify one thing - freeipmi
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according to the information
from some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is a matter of how freeipmi interprets the IPMI
user security.

Can someone shed more light into it, please? Is it freeipmi who needs root
user?

Here is brief output how freeipmi clis behave when run under a non-root
account:

-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config

@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile
'/var/log/freeipmi/bmc-watchdog.log': Permission denied
@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.
@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout

Regards,

Michal

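Andy's read-only proxy in front of /dev/bmc, and Al's point that in-band security configuration such as setting BMC passwords should stay with root, both come down to a default-deny filter on the IPMI request. The C code below is an added example, not code from FreeIPMI, ipmiutil or anyone in this thread; the function and type names, the caller-uid parameter and the raw request layout (NetFn/LUN byte followed by the command byte) are assumptions, while the NetFn and command codes are the ones defined by the IPMI specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* IPMI request network functions (requests are even, responses are odd). */
enum {
    NETFN_CHASSIS      = 0x00,
    NETFN_SENSOR_EVENT = 0x04,
    NETFN_APP          = 0x06,
    NETFN_STORAGE      = 0x0A
};

enum verdict {
    ALLOW = 0,
    DENY_MALFORMED,       /* too short to hold NetFn/LUN and command bytes */
    DENY_RESPONSE_NETFN,  /* clients may only submit requests */
    DENY_NOT_READ_ONLY    /* non-root caller, command not on the allow-list */
};

struct ipmi_cmd {
    uint8_t netfn;
    uint8_t cmd;
    const char *name;
};

/*
 * Commands a non-root caller may send. Anything not listed is denied, which
 * covers Set User Password (App 0x47), Chassis Control (Chassis 0x02),
 * Clear SEL (Storage 0x47) and Send Message (App 0x34), the last of which
 * could otherwise carry a write to another controller.
 */
static const struct ipmi_cmd read_only_allowlist[] = {
    { NETFN_CHASSIS,      0x01, "Get Chassis Status" },
    { NETFN_SENSOR_EVENT, 0x2D, "Get Sensor Reading" },
    { NETFN_APP,          0x01, "Get Device ID" },
    { NETFN_APP,          0x07, "Get ACPI Power State" },
    { NETFN_APP,          0x25, "Get Watchdog Timer" },
    { NETFN_STORAGE,      0x10, "Get FRU Inventory Area Info" },
    { NETFN_STORAGE,      0x11, "Read FRU Data" },
    { NETFN_STORAGE,      0x40, "Get SEL Info" },
    { NETFN_STORAGE,      0x43, "Get SEL Entry" }
};

/*
 * Decide whether the proxy forwards a raw request to the driver.
 * caller_uid is assumed to come from the local socket's peer credentials
 * (getpeerucred() on Solaris, SO_PEERCRED on Linux), never from the client.
 * req[0] = NetFn (upper six bits) | LUN (lower two bits), req[1] = command.
 */
enum verdict proxy_filter(uid_t caller_uid, const uint8_t *req, size_t len)
{
    size_t i;
    uint8_t netfn, cmd;

    if (req == NULL || len < 2)
        return DENY_MALFORMED;

    netfn = (uint8_t)(req[0] >> 2);
    cmd = req[1];

    if (netfn & 0x01)
        return DENY_RESPONSE_NETFN;

    /* Root keeps full access: the policy both Al and Andy describe. */
    if (caller_uid == 0)
        return ALLOW;

    for (i = 0; i < sizeof read_only_allowlist / sizeof read_only_allowlist[0]; i++)
        if (read_only_allowlist[i].netfn == netfn && read_only_allowlist[i].cmd == cmd)
            return ALLOW;

    return DENY_NOT_READ_ONLY;
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case ALLOW:               return "allow";
    case DENY_MALFORMED:      return "deny (malformed)";
    case DENY_RESPONSE_NETFN: return "deny (response NetFn)";
    default:                  return "deny (not read-only)";
    }
}

int main(void)
{
    /* Constructed sample requests; uid 1000 stands for any non-root user. */
    static const struct { uid_t uid; uint8_t req[3]; size_t len; const char *what; } samples[] = {
        { 1000, { 0x18, 0x01, 0x00 }, 2, "Get Device ID" },
        { 1000, { 0x00, 0x01, 0x00 }, 2, "Get Chassis Status" },
        { 1000, { 0x18, 0x47, 0x02 }, 3, "Set User Password" },
        { 1000, { 0x00, 0x02, 0x00 }, 3, "Chassis Control" },
        {    0, { 0x18, 0x47, 0x02 }, 3, "Set User Password" }
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("uid %lu  %-20s %s\n", (unsigned long)samples[i].uid, samples[i].what,
               verdict_name(proxy_filter(samples[i].uid, samples[i].req, samples[i].len)));
    return 0;
}
```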

Re: [Freeipmi-devel] user permissions for running freeipmi clis

2009-02-27 Thread Michal Bachorik - Sun Microsystems - Prague Czech Republic

Hi Andy,

thx for info. I become more and more confused as one party claims that
solaris /dev/bmc does need root privs, other says that it does not :)
(and I am just a poor java developer with solaris admin training ..).


Anyway, thx once more, I will discuss it with guys here.

Regards,

Michal

On 02/27/09 14:46, Andy Cress wrote:

Michal,

Having done a Linux to Solaris port of ipmiutil also, Linux and Solaris
both handle access to device drivers similarly.  If a program like
freeipmi wants to access a device driver, it must have root privileges.

This is also consistent with the IPMI firmware security for the local
system interface, where configuration and reset capability does not
require a password locally (that's how the password is set :).  The
utilities cannot open /dev/bmc to access the driver without root
privileges.  Unfortunately, Windows is insecure in this paradigm,
requiring extra safeguards, but that's another topic.  


If you really want to enable non-root users to read (but not write) IPMI
data, you could set up a proxy to control access to the device driver
via /dev/bmc, and manage requests from non-root users, but you would
definitely want to restrict non-root users from writing any IPMI data
through the proxy.

Note that IPMI LAN access always requires an IPMI user/password, so
non-root users can use it that way because they have access control.

Andy

-----Original Message-----
From: freeipmi-devel-bounces+arcress=users.sourceforge@gnu.org
[mailto:freeipmi-devel-bounces+arcress=users.sourceforge@gnu.org] On
Behalf Of Michal Bachorik - Sun Microsystems - Prague Czech Republic
Sent: Friday, February 27, 2009 6:28 AM
To: freeipmi-devel@gnu.org
Subject: [Freeipmi-devel] user permissions for running freeipmi clis

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done,
just paperwork remains) and we need to clarify one thing - freeipmi
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according to the information
from some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is a matter of how freeipmi interprets the IPMI
user security.

Can someone shed more light into it, please? Is it freeipmi who needs root
user?

Here is brief output how freeipmi clis behave when run under a non-root
account:

-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config

@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile
'/var/log/freeipmi/bmc-watchdog.log': Permission denied
@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.
@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_se

[Freeipmi-devel] user permissions for running freeipmi clis

2009-02-27 Thread Michal Bachorik - Sun Microsystems - Prague Czech Republic

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done, 
just paperwork remains) and we need to clarify one thing - freeipmi 
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according to the information
from some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is a matter of how freeipmi interprets the IPMI
user security.


Can someone shed more light into it, please? Is it freeipmi who needs root
user?


Here is brief output how freeipmi clis behave when run under a non-root 
account:


-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root bin  1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root bin   514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root bin   487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root bin   339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root bin   527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root bin   677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root bin   679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root bin   138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root bin   471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root bin   474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root bin   641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root bin   736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root bin   828848 Feb 19 19:10 ipmi-sensors-config

@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile 
'/var/log/freeipmi/bmc-watchdog.log': Permission denied

@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.
@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
  Command: reset-intrusion - reset motherboard intrusion flag.

@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout

Regards,

Michal
