Re: [RFC][PATCH] socket interface for IPMI

[Corey Minyard <cminyard@mvista.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd prefer a list of valid users, with root always allowed.  I don't 
know how easy this is with a sysctl, but it shouldn't be too bad, I 
would think.

- -Corey

Louis Zhuang wrote:

|Hmmm, security is a big problem. I can not find an elegant way to do ACL
|because these is no "inode" in sockfs... But how about making only root
|be able to open IPMI socket like PACKET socket? Or else we can implement
|a sysctl to indicate the legal user of the IPMI socket.
|
|Any comments?
|
|  - Louis
|On Thu, 2003-03-13 at 01:07, Corey Minyard wrote:
|
|>I agree, and I've thought hard about this in the past.  The code looks
|>clean, and the design is straightforward.  However, I have not figured
|>out how to handle security.  In your implementation, anyone can open an
|>IPMI socket, which is a bad thing.  I like that fact that administrators
|>can set the permissions on the device any way they like (so it can
|>belong to root, a maintenance user, ACLs can be used, etc.)
|>
|>Any thoughts on that?  Once that problem is solved, I would like to
|>include this.
|>
|>- -Corey
|>
|>Louis Zhuang wrote:
|>
|>|Dear Corey,
|>|    I'd like to propose a socket interface for IPMI. IMHO, IPMI is like a
|>|mini-network so it is natural to manipulate IPMI by socket. Following
|>|code demostrate the interface's usage.
|>|P.S. the patch is a quick and dirty implementation with full of holes,
|>|I'll refine it if you like to adopt it, so do not blame me at this time
|>|;-).
|>|
|
|
|
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+dgWXmUvlb4BhfF4RApBsAJ9AS4aAskvQLDNtYhW5PzjGUtZ/jgCfSDvF
d5Op76MZgz5Kgg8kHHiJWCU=
=MSck
-----END PGP SIGNATURE-----