Discussion:
[Openipmi-developer] [PATCH RFC] lanserv: Ignore user allowed_auths if it's zero
Alan Ott
2017-03-28 21:17:29 UTC
Permalink
Per-user allowed_auths are stored in the persistence file, but there's
no way to change them from their defaults, which is 0 (no allowed auths)
for users which are not in lan.conf (ie: for users which are added using
the IPMI interface). Ignoring user allowed_auths when they are 0 will
cause ipmi_sim to use the per-privilege allowed_auths for the user's
privilege level instead.

Signed-off-by: Alan Ott <***@softiron.co.uk>
---
lanserv/lanserv_ipmi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index 67bf74a..d6eeb1f 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -665,7 +665,7 @@ handle_get_session_challenge(lanserv_data_t *lan, msg_t *msg)
return;
}

- if (!(user->allowed_auths & (1 << authtype))) {
+ if (user->allowed_auths && !(user->allowed_auths & (1 << authtype))) {
lan->sysinfo->log(lan->sysinfo, SESSION_CHALLENGE_FAILED, msg,
"Session challenge failed: Invalid authorization type");
return_err(lan, msg, NULL, IPMI_INVALID_DATA_FIELD_CC);
@@ -895,14 +895,14 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
"Activate session failed: Invalid user idx: 0x%x", user_idx);
return;
}
- if (! (user->allowed_auths & (1 << auth))) {
+ if (user->allowed_auths && ! (user->allowed_auths & (1 << auth))) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
"Activate session failed: Requested auth %d was invalid for"
" user 0x%x",
auth, user_idx);
return;
}
- if (! (user->allowed_auths & (1 << msg->authtype))) {
+ if (user->allowed_auths && ! (user->allowed_auths & (1 << msg->authtype))) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
"Activate session failed: Message auth %d was invalid for"
" user 0x%x",
--
2.5.0
Corey Minyard
2017-04-12 00:39:03 UTC
Permalink
Post by Alan Ott
Per-user allowed_auths are stored in the persistence file, but there's
no way to change them from their defaults, which is 0 (no allowed auths)
for users which are not in lan.conf (ie: for users which are added using
the IPMI interface). Ignoring user allowed_auths when they are 0 will
cause ipmi_sim to use the per-privilege allowed_auths for the user's
privilege level instead.
Well, this was pretty hard. I'm not sure where the per-user
allowed_auths came
from, I don't see any evidence that there is anything like that in the
spec. The
only thing that it says is that the auth in the Get Session Challenge
and Activate
Session commands must match, but there's no real way to do that because
the point of this is to avoid DOS attacks, and so you can't really save
info for
the other command.

So my proposal would be to just delete the per-user allowed_auths. Does that
make sense?

Thanks,

-corey
Post by Alan Ott
---
lanserv/lanserv_ipmi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index 67bf74a..d6eeb1f 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -665,7 +665,7 @@ handle_get_session_challenge(lanserv_data_t *lan, msg_t *msg)
return;
}
- if (!(user->allowed_auths & (1 << authtype))) {
+ if (user->allowed_auths && !(user->allowed_auths & (1 << authtype))) {
lan->sysinfo->log(lan->sysinfo, SESSION_CHALLENGE_FAILED, msg,
"Session challenge failed: Invalid authorization type");
return_err(lan, msg, NULL, IPMI_INVALID_DATA_FIELD_CC);
@@ -895,14 +895,14 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
"Activate session failed: Invalid user idx: 0x%x", user_idx);
return;
}
- if (! (user->allowed_auths & (1 << auth))) {
+ if (user->allowed_auths && ! (user->allowed_auths & (1 << auth))) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
"Activate session failed: Requested auth %d was invalid for"
" user 0x%x",
auth, user_idx);
return;
}
- if (! (user->allowed_auths & (1 << msg->authtype))) {
+ if (user->allowed_auths && ! (user->allowed_auths & (1 << msg->authtype))) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
"Activate session failed: Message auth %d was invalid for"
" user 0x%x",
Alan Ott
2017-04-17 21:09:22 UTC
Permalink
Post by Corey Minyard
Post by Alan Ott
Per-user allowed_auths are stored in the persistence file, but there's
no way to change them from their defaults, which is 0 (no allowed auths)
for users which are not in lan.conf (ie: for users which are added using
the IPMI interface). Ignoring user allowed_auths when they are 0 will
cause ipmi_sim to use the per-privilege allowed_auths for the user's
privilege level instead.
Well, this was pretty hard. I'm not sure where the per-user
allowed_auths came
from, I don't see any evidence that there is anything like that in the
spec. The
only thing that it says is that the auth in the Get Session Challenge
and Activate
Session commands must match, but there's no real way to do that because
the point of this is to avoid DOS attacks, and so you can't really
save info for
the other command.
So my proposal would be to just delete the per-user allowed_auths. Does that
make sense?
Makes perfect sense to me. Thanks!

Alan.

Loading...