[ofa-general] [PATCH] infiniband-diags: terminate perl scripts with error if not root

Hal Rosenstock hrosenstock at xsigo.com
Thu May 22 11:08:00 PDT 2008 

On Thu, 2008-05-22 at 08:17 -0700, Hal Rosenstock wrote:
> Tim,
> 
> On Thu, 2008-05-22 at 08:15 -0700, Timothy A. Meier wrote:
> > Sasha,
> > 
> > Trivial patch to enforce root for these perl scripts.  More importantly, 
> > doesn't silently fail if not root, and returns an error code.
> 
> Should these enforce root or be based on udev permissions for umad which
> default to root ?
> 
> -- Hal
> 
> > plain text document attachment (0001-infiniband-diags-terminate-perl-
> > scripts-with-error.patch)
> > >From f4058a22d31dc31f0e8ecdffcc42bff065eefcce Mon Sep 17 00:00:00 2001
> > From: Tim Meier <meier3 at llnl.gov>
> > Date: Wed, 21 May 2008 16:40:18 -0700
> > Subject: [PATCH] infiniband-diags: terminate perl scripts with error if not root
> > 
> > Adds the "auth_check" routine at the beginning of each main, which
> > terminates with an error if not invoked as root.
> > 
> > Signed-off-by: Tim Meier <meier3 at llnl.gov>
> > ---
> >  infiniband-diags/scripts/IBswcountlimits.pm  |   10 ++++++++++
> >  infiniband-diags/scripts/ibfindnodesusing.pl |    1 +
> >  infiniband-diags/scripts/ibidsverify.pl      |    1 +
> >  infiniband-diags/scripts/iblinkinfo.pl       |    1 +
> >  infiniband-diags/scripts/ibprintca.pl        |    1 +
> >  infiniband-diags/scripts/ibprintrt.pl        |    1 +
> >  infiniband-diags/scripts/ibprintswitch.pl    |    1 +
> >  infiniband-diags/scripts/ibqueryerrors.pl    |    1 +
> >  infiniband-diags/scripts/ibswportwatch.pl    |    1 +
> >  9 files changed, 18 insertions(+), 0 deletions(-)
> > 
> > diff --git a/infiniband-diags/scripts/IBswcountlimits.pm b/infiniband-diags/scripts/IBswcountlimits.pm
> > index 9bc356f..0b7563e 100755
> > --- a/infiniband-diags/scripts/IBswcountlimits.pm
> > +++ b/infiniband-diags/scripts/IBswcountlimits.pm
> > @@ -123,6 +123,16 @@ sub check_counters
> >  "Total number of packets, excluding link packets, received on all VLs to the port"
> >  );
> >  
> > +# =========================================================================
> > +#  only root is authorized, terminate with msg and err code
> > +#
> > +sub auth_check
> > +{
> > +	if ( $> != 0 ) {
> > +		die "Permission denied, must be root\n";
> > +	}

I think all that's needed is a slightly more sophisticated auth_check
than this :-) It could easily be a follow on patch to this.

-- Hal

> > +}
> > +
> >  sub check_data_counters
> >  {
> >  	my $print_action = $_[0];
> > diff --git a/infiniband-diags/scripts/ibfindnodesusing.pl b/infiniband-diags/scripts/ibfindnodesusing.pl
> > index 1bf0987..49003af 100755
> > --- a/infiniband-diags/scripts/ibfindnodesusing.pl
> > +++ b/infiniband-diags/scripts/ibfindnodesusing.pl
> > @@ -168,6 +168,7 @@ sub compress_hostlist
> >  #
> >  sub main
> >  {
> > +	auth_check;
> >  	my $found_switch = undef;
> >  	my $cache_file = get_cache_file($ca_name, $ca_port);
> >  	open IBNET_TOPO, "<$cache_file" or die "Failed to open ibnet topology\n";
> > diff --git a/infiniband-diags/scripts/ibidsverify.pl b/infiniband-diags/scripts/ibidsverify.pl
> > index de78e6b..b857166 100755
> > --- a/infiniband-diags/scripts/ibidsverify.pl
> > +++ b/infiniband-diags/scripts/ibidsverify.pl
> > @@ -163,6 +163,7 @@ sub insert_portguid
> >  
> >  sub main
> >  {
> > +	auth_check;
> >  	if ($regenerate_map
> >  		|| !(-f "$IBswcountlimits::cache_dir/ibnetdiscover.topology"))
> >  	{
> > diff --git a/infiniband-diags/scripts/iblinkinfo.pl b/infiniband-diags/scripts/iblinkinfo.pl
> > index a195474..4bb9598 100755
> > --- a/infiniband-diags/scripts/iblinkinfo.pl
> > +++ b/infiniband-diags/scripts/iblinkinfo.pl
> > @@ -98,6 +98,7 @@ my $extra_smpquery_params = get_ca_name_port_param_string($ca_name, $ca_port);
> >  
> >  sub main
> >  {
> > +	auth_check;
> >  	get_link_ends($regenerate_map, $ca_name, $ca_port);
> >  	if (defined($direct_route)) {
> >  		# convert DR to guid, then use original single_switch option
> > diff --git a/infiniband-diags/scripts/ibprintca.pl b/infiniband-diags/scripts/ibprintca.pl
> > index 38b4330..d5c5fba 100755
> > --- a/infiniband-diags/scripts/ibprintca.pl
> > +++ b/infiniband-diags/scripts/ibprintca.pl
> > @@ -88,6 +88,7 @@ if ($target_hca eq "") {
> >  #
> >  sub main
> >  {
> > +	auth_check;
> >  	my $found_hca = undef;
> >  	open IBNET_TOPO, "<$cache_file" or die "Failed to open ibnet topology\n";
> >  	my $in_hca = "no";
> > diff --git a/infiniband-diags/scripts/ibprintrt.pl b/infiniband-diags/scripts/ibprintrt.pl
> > index 86dcb64..c6070ff 100755
> > --- a/infiniband-diags/scripts/ibprintrt.pl
> > +++ b/infiniband-diags/scripts/ibprintrt.pl
> > @@ -88,6 +88,7 @@ if ($target_rt eq "") {
> >  #
> >  sub main
> >  {
> > +	auth_check;
> >  	my $found_rt = undef;
> >  	open IBNET_TOPO, "<$cache_file" or die "Failed to open ibnet topology\n";
> >  	my $in_rt = "no";
> > diff --git a/infiniband-diags/scripts/ibprintswitch.pl b/infiniband-diags/scripts/ibprintswitch.pl
> > index 6712201..41a5131 100755
> > --- a/infiniband-diags/scripts/ibprintswitch.pl
> > +++ b/infiniband-diags/scripts/ibprintswitch.pl
> > @@ -87,6 +87,7 @@ if ($target_switch eq "") {
> >  #
> >  sub main
> >  {
> > +	auth_check;
> >  	my $found_switch = undef;
> >  	open IBNET_TOPO, "<$cache_file" or die "Failed to open ibnet topology\n";
> >  	my $in_switch = "no";
> > diff --git a/infiniband-diags/scripts/ibqueryerrors.pl b/infiniband-diags/scripts/ibqueryerrors.pl
> > index c807c02..3330687 100755
> > --- a/infiniband-diags/scripts/ibqueryerrors.pl
> > +++ b/infiniband-diags/scripts/ibqueryerrors.pl
> > @@ -185,6 +185,7 @@ $cache_file = get_cache_file($ca_name, $ca_port);
> >  
> >  sub main
> >  {
> > +	auth_check;
> >  	if (@IBswcountlimits::suppress_errors) {
> >  		my $msg = join(",", @IBswcountlimits::suppress_errors);
> >  		print "Suppressing: $msg\n";
> > diff --git a/infiniband-diags/scripts/ibswportwatch.pl b/infiniband-diags/scripts/ibswportwatch.pl
> > index 6d6ba1c..76398fa 100755
> > --- a/infiniband-diags/scripts/ibswportwatch.pl
> > +++ b/infiniband-diags/scripts/ibswportwatch.pl
> > @@ -157,6 +157,7 @@ my $sw_port = $ARGV[1];
> >  
> >  sub main
> >  {
> > +	auth_check;
> >  	clear_counters;
> >  	get_new_counts($sw_addr, $sw_port);
> >  	while ($cycle != 0) {
> > _______________________________________________
> > general mailing list
> > general at lists.openfabrics.org
> > http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
> > 
> > To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
> 
> _______________________________________________
> general mailing list
> general at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
> 
> To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general

More information about the general mailing list