freeipmi-devel
Re: [Freeipmi-devel] user permissions for running freeipmi clis


From: Michal Bachorik - Sun Microsystems - Prague Czech Republic
Subject: Re: [Freeipmi-devel] user permissions for running freeipmi clis
Date: Fri, 27 Feb 2009 14:58:10 +0100
User-agent: Thunderbird 2.0.0.17 (X11/20081023)

Hi Andy,

thx for info. I am becoming more and more confused as one party claims that Solaris /dev/bmc does need root privs, the other says that it does not :) (and I am just a poor Java developer with Solaris admin training ..).

Anyway, thx once more, I will discuss it with guys here.

Regards,

Michal

On 02/27/09 14:46, Andy Cress wrote:
Michal,

Having done a Linux to Solaris port of ipmiutil also, Linux and Solaris
both handle access to device drivers similarly.  If a program like
freeipmi wants to access a device driver, it must have root privileges.

This is also consistent with the IPMI firmware security for the local
system interface, where configuration and reset capability does not
require a password locally (that's how the password is set :).  The
utilities cannot open /dev/bmc to access the driver without root
privileges.  Unfortunately, Windows is insecure in this paradigm,
requiring extra safeguards, but that's another topic.

If you really want to enable non-root users to read (but not write) IPMI
data, you could set up a proxy to control access to the device driver
via /dev/bmc, and manage requests from non-root users, but you would
definitely want to restrict non-root users from writing any IPMI data
through the proxy.

Note that IPMI LAN access always requires an IPMI user/password, so
non-root users can use it that way because they have access control.

Andy

-----Original Message-----
From: address@hidden
[mailto:address@hidden On
Behalf Of Michal Bachorik - Sun Microsystems - Prague Czech Republic
Sent: Friday, February 27, 2009 6:28 AM
To: address@hidden
Subject: [Freeipmi-devel] user permissions for running freeipmi clis

Hi all,

we are trying to port freeipmi to OpenSolaris (most of the stuff done,
just paperwork remains) and we need to clarify one thing - freeipmi
requires (at least our ported version) a user with root permissions to
run certain commands. As we are using the Solaris BMC driver, we first
thought that the problem is in the BMC driver, but according to the
information from some other (more BMC driver skilled) guys this is not
the reason and they suspect that it is a matter of how freeipmi
interprets the IPMI user security.

Can someone shed more light on it, please? Is it freeipmi who needs root
user?

Here is brief output how freeipmi clis behave when run under a non-root
account:

-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root     bin      1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root     bin       514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root     bin       487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root     bin       339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root     bin       527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root     bin       677276 Feb 19 19:09 ipmi-chassis-config
-rwxr-xr-x   1 root     bin       679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root     bin       138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root     bin       471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root     bin       474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root     bin       641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root     bin       736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root     bin       828848 Feb 19 19:10 ipmi-sensors-config

<non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile '/var/log/freeipmi/bmc-watchdog.log': Permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-fru -V
ipmi-fru - 0.7.4
Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms
of the GNU General Public License.  This program has absolutely no
warranty.
<non-root-user>@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L
OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

<non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmimonitoring
./ipmimonitoring: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2
ipmiping ge2 (10.18.143.68)
response timed out: rq_seq=25
response timed out: rq_seq=26
response timed out: rq_seq=27
response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
<non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout

Regards,

Michal
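
Added example (not part of the thread and not FreeIPMI or ipmiutil code): a default-deny policy check for the read-only proxy suggested in the reply above, deciding whether a local request may be forwarded to /dev/bmc. The function name, the request framing (byte 0 = NetFn, byte 1 = command) and the is_root flag are assumptions for illustration; the command codes are the standard IPMI ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IPMI request network functions (even values; odd values are responses). */
enum { NETFN_CHASSIS = 0x00, NETFN_SENSOR = 0x04, NETFN_APP = 0x06,
       NETFN_STORAGE = 0x0A };

struct ipmi_cmd { uint8_t netfn, cmd; };

/* Read-only commands a non-root client may send; everything else is denied. */
static const struct ipmi_cmd read_only[] = {
    { NETFN_CHASSIS, 0x01 },  /* Get Chassis Status */
    { NETFN_SENSOR,  0x2D },  /* Get Sensor Reading */
    { NETFN_APP,     0x01 },  /* Get Device ID */
    { NETFN_APP,     0x07 },  /* Get ACPI Power State */
    { NETFN_APP,     0x25 },  /* Get Watchdog Timer */
    { NETFN_STORAGE, 0x10 },  /* Get FRU Inventory Area Info */
    { NETFN_STORAGE, 0x11 },  /* Read FRU Data */
    { NETFN_STORAGE, 0x20 },  /* Get SDR Repository Info */
    { NETFN_STORAGE, 0x40 },  /* Get SEL Info */
    { NETFN_STORAGE, 0x43 },  /* Get SEL Entry */
};

/*
 * Hypothetical framing: req[0] = NetFn, req[1] = command, rest = data.
 * is_root is the peer credential established by the proxy itself (for
 * example from the local socket peer), never a value the client sends.
 */
bool proxy_allows(const uint8_t *req, size_t len, bool is_root)
{
    if (req == NULL || len < 2)
        return false;              /* malformed: no NetFn/command pair */
    if (req[0] > 0x3F || (req[0] & 1))
        return false;              /* NetFn is 6 bits; odd = response */
    if (is_root)
        return true;               /* root keeps full local access */
    for (size_t i = 0; i < sizeof read_only / sizeof read_only[0]; i++)
        if (read_only[i].netfn == req[0] && read_only[i].cmd == req[1])
            return true;
    return false;                  /* default deny, e.g. Clear SEL */
}
```

Because the list is an allowlist, commands such as Chassis Control (0x00/0x02), Clear SEL (0x0A/0x47) and Set User Password (0x06/0x47) are refused for non-root callers without having to be enumerated.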
