[ofa-general] Allowing end-users to query for fabric information

Mike Heinz michael.heinz at qlogic.com
Mon Oct 6 08:27:05 PDT 2008


Well,

I guess that's my point - I'd like to be able to create tools for
non-root users that would collect interesting information about the
fabric. As far as I know, this should be a safe operation, because the
SA should be protected by the m-key - but it seems that the policy in
OFED is that this is not a safe operation and access must be tightly
controlled.

While it's a trivial task to patch OFED to give non-root users access to
the /dev/infiniband/umad* devices, I certainly don't want to provide
tools to my users that create security holes in the fabric.

--
Michael Heinz
Principal Engineer, Qlogic Corporation
King of Prussia, Pennsylvania

-----Original Message-----
From: Hal Rosenstock [mailto:hal.rosenstock at gmail.com] 
Sent: Monday, October 06, 2008 11:16 AM
To: Mike Heinz
Cc: Roland Dreier; general at lists.openfabrics.org
Subject: Re: [ofa-general] Allowing end-users to query for fabric
information

Mike,

On Mon, Oct 6, 2008 at 11:09 AM, Mike Heinz <michael.heinz at qlogic.com>
wrote:
> Roland,
>
> I've been thinking about this some more and I have to say I'm still a 
> bit confused. Are you saying that any root user on any node of the 
> fabric can change the routing tables? Isn't the ability to access and 
> alter subnet information controlled via the management key?

There are two levels to this. First you must be able to send the MAD and
once that can happen the receiving SMA performs the usual MKey checks
which depend on the protection level assuming it is an SM class MAD like
the one to change the routing tables.

-- Hal

>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation
> King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: general-bounces at lists.openfabrics.org
> [mailto:general-bounces at lists.openfabrics.org] On Behalf Of Mike Heinz
> Sent: Monday, September 22, 2008 3:19 PM
> To: Roland Dreier
> Cc: general at lists.openfabrics.org
> Subject: RE: [ofa-general] Allowing end-users to query for fabric 
> information
>
> Thanks for the explanation.
>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation
> King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: Roland Dreier [mailto:rdreier at cisco.com]
> Sent: Monday, September 22, 2008 3:18 PM
> To: Mike Heinz
> Cc: general at lists.openfabrics.org
> Subject: Re: [ofa-general] Allowing end-users to query for fabric 
> information
>
>  > What was the reason for making this design choice? While I could
>  > certainly provide boot scripts to change the permissions to
>  > /dev/infiniband/umad*, I'd rather understand why the decision was made
>  > to restrict access.
>
> because /dev/infiniband/umadX allows full unfiltered access to 
> send/receive any MADs.  Including changing routing tables, bringing 
> ports down, etc.  Not stuff that unprivileged users should be able to 
> do.
>
> It would make sense to have a higher-level interface that only allows 
> safe queries without side effects, but that's quite a bit more work 
> than just changing permissions on device nodes.
>
>  - R.
> _______________________________________________
> general mailing list
> general at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
>
> To unsubscribe, please visit
> http://openib.org/mailman/listinfo/openib-general
>
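The practical check that follows from this thread is whether the umad device nodes have been opened up beyond root. The function below is an added example, not code from the thread or from OFED: it walks every `umad*` node under a directory (default `/dev/infiniband`) and reports any node whose group or other permission bits are set, or whose owner is not the expected one. It assumes GNU `stat` (`-c`) is available; the directory and owner arguments exist so it can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added audit check (not from the thread): list umad device nodes that are
# reachable by anyone other than the expected owner. The thread's concern is
# that /dev/infiniband/umad* grants raw MAD send/receive, so any group or
# other permission bit on those nodes is a finding.
# Usage: umad_audit [dir] [owner]   (defaults: /dev/infiniband, root)
# Returns the number of offending nodes (0 means clean).
umad_audit() {
    dir=${1:-/dev/infiniband}
    owner=${2:-root}
    findings=0
    for node in "$dir"/umad*; do
        [ -e "$node" ] || continue            # glob matched nothing
        mode=$(stat -c '%a' "$node")          # e.g. 600 or 4660 (GNU stat)
        node_owner=$(stat -c '%U' "$node")
        grp_oth=${mode#"${mode%??}"}          # last two octal digits: group, other
        if [ "$grp_oth" != "00" ]; then
            echo "FINDING: $node mode $mode allows non-owner access"
            findings=$((findings + 1))
        elif [ "$node_owner" != "$owner" ]; then
            echo "FINDING: $node owned by $node_owner, expected $owner"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run it as `umad_audit` on a node that has been patched as the thread describes and every `umad*` device with mode 660 or 666 will be listed.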