Re: [Freeipmi-devel] user permissions for running freeipmi clis
From: Al Chu
Subject: Re: [Freeipmi-devel] user permissions for running freeipmi clis
Date: Fri, 27 Feb 2009 09:18:05 -0800

Hey Michal,

A bit of background here. The first FreeIPMI releases implemented their
inband communication via iopl() calls in Linux. These calls require
root and thus some checks were put in before the calls.

Later, support for other devices (OpenIPMI's /dev/ipmi, Sun's /dev/bmc)
was added. I just left the root checks in there. I can't speak for
Sun boxes, but I assume one can change the permissions on these devices
to allow non-root users to access the BMC. I suppose root checks could
be left up to the system administrator setting permissions on /dev/*
instead of FreeIPMI just checking for root.

Mirroring some of Andy's comments, I'm a bit reluctant to remove the
root checks though. There are inherent IPMI security configurations
that are done inband (i.e. set BMC passwords) that really should only be
done by root.

Al

On Fri, 2009-02-27 at 12:27 +0100, Michal Bachorik - Sun Microsystems -
Prague Czech Republic wrote:
> Hi all,
>
> we are trying to port freeipmi on opensolaris (most of the stuff done,
> just paperwork remains) and we need to clarify one thing - freeipmi
> requires (at least our ported version) a user with root permissions to
> run certain commands. As we are using solaris BMC driver, we first
> thought that the problem is in BMC driver but according to the information
> from some other (more BMC driver skilled) guys this is not the reason
> and they suspect that it is a matter of how freeipmi interprets the IPMI
> user security.
>
> Can someone shed more light on it, please? Is it freeipmi who needs root
> user?
>
> Here is brief output how freeipmi clis behave when run under a non-root
> account:
>
> -->cd /usr/sbin/
> -->ls -la bmc-*
> -rwxr-xr-x 1 root bin 1050148 Feb 19 19:09 bmc-config
> -rwxr-xr-x 1 root bin 514956 Feb 19 19:09 bmc-device
> -rwxr-xr-x 1 root bin 487364 Feb 19 19:09 bmc-info
> -rwxr-xr-x 1 root bin 339560 Feb 19 19:09 bmc-watchdog
> -->ls -la ipmi-*
> -rwxr-xr-x 1 root bin 527748 Feb 19 19:09 ipmi-chassis
> -rwxr-xr-x 1 root bin 677276 Feb 19 19:09 ipmi-chassis-config
> -rwxr-xr-x 1 root bin 679640 Feb 19 19:09 ipmi-fru
> -rwxr-xr-x 1 root bin 138348 Feb 19 19:10 ipmi-locate
> -rwxr-xr-x 1 root bin 471508 Feb 19 19:09 ipmi-oem
> -rwxr-xr-x 1 root bin 474672 Feb 19 19:09 ipmi-raw
> -rwxr-xr-x 1 root bin 641740 Feb 19 19:09 ipmi-sel
> -rwxr-xr-x 1 root bin 736188 Feb 19 19:10 ipmi-sensors
> -rwxr-xr-x 1 root bin 828848 Feb 19 19:10 ipmi-sensors-config
>
> <non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
> ./bmc-config: permission denied
> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
> ./bmc-device: permission denied
> <non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
> ./bmc-device: permission denied
> <non-root-user>@ge2:/usr/sbin> ./bmc-info
> ./bmc-info: permission denied
> <non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
> bmc-watchdog: Error opening logfile
> '/var/log/freeipmi/bmc-watchdog.log': Permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
> ./ipmi-chassis: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
> ./ipmi-chassis-config: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-fru -V
> ipmi-fru - 0.7.4
> Copyright (C) 2007-2008 Lawrence Livermore National Security, LLC.
> Copyright (C) 2007 The Regents of the University of California.
> This program is free software; you may redistribute it under the terms of
> the GNU General Public License. This program has absolutely no warranty.
> <non-root-user>@ge2:/usr/sbin> ./ipmi-locate
> ./ipmi-locate: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L
> OEM ID: supermicro
> Command: reset-intrusion - reset motherboard intrusion flag.
>
> <non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
> ./ipmi-sel: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
> ./ipmi-sensors: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
> ./ipmi-sensors-config: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmimonitoring
> ./ipmimonitoring: permission denied
> <non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2
> ipmiping ge2 (10.18.143.68)
> response timed out: rq_seq=25
> response timed out: rq_seq=26
> response timed out: rq_seq=27
> response timed out: rq_seq=28
> ^C--- ipmiping ge2 statistics ---
> 5 requests transmitted, 0 responses received in time, 100.0% packet loss
> <non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
> ge2: connection timeout
>
> Regards,
>
> Michal
> _______________________________________________
> Freeipmi-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/freeipmi-devel
--
Albert Chu
address@hidden
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
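
If the root check is left to permissions on the device nodes, as the reply above considers, those permissions become the only gate on inband BMC access. The following is an added example, not FreeIPMI code and not part of the thread, that reports who can open each node; the node names `/dev/ipmi0`, `/dev/ipmi/0`, `/dev/ipmidev/0` and `/dev/bmc` are assumptions to adjust for the driver in use.

```shell
#!/bin/sh
# Added example: report who can open a BMC device node, judged from its mode bits.

# Prints one of: missing | owner-only:<user> | group:<group> | world
bmc_node_exposure() {
    node=$1
    [ -e "$node" ] || { echo missing; return 0; }
    # -L follows symlinks so the node itself is judged, not a link to it
    set -- $(ls -ldL "$node")
    perms=$1 owner=$3 group=$4
    grp=$(printf '%s' "$perms" | cut -c5-6)   # group read/write bits
    oth=$(printf '%s' "$perms" | cut -c8-9)   # other read/write bits
    case $oth in *[rw]*) echo world; return 0 ;; esac
    case $grp in *[rw]*) echo "group:$group"; return 0 ;; esac
    echo "owner-only:$owner"
}

# Prints one line per node; returns 1 if any node is open to every local user.
audit_bmc_nodes() {
    rc=0
    for n in "$@"; do
        exposure=$(bmc_node_exposure "$n")
        printf '%-16s %s\n' "$n" "$exposure"
        if [ "$exposure" = world ]; then rc=1; fi
    done
    return $rc
}

# Assumed node names: OpenIPMI variants and the Sun BMC driver node.
audit_bmc_nodes /dev/ipmi0 /dev/ipmi/0 /dev/ipmidev/0 /dev/bmc ||
    echo "WARNING: a BMC node is open to every local user"
```

A `group:` result means membership of that group stands in for the root check, including for inband operations such as setting BMC passwords.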