Well, I guess that's my point - I'd like to be able to create tools for non-root users that would collect interesting information about the fabric. As far as I know, this should be a safe operation, because the SA should be protected by the m-key - but it seems that the policy in OFED is that this is not a safe operation and access must be tightly controlled.
While it's a trivial task to patch OFED to give non-root users access to the /dev/infiniband/umad* devices, I certainly don't want to provide tools to my users that create security holes in the fabric.

--
Michael Heinz
Principal Engineer, Qlogic Corporation
King of Prussia, Pennsylvania

-----Original Message-----
From: Hal Rosenstock [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2008 11:16 AM
To: Mike Heinz
Cc: Roland Dreier; general@lists.openfabrics.org
Subject: Re: [ofa-general] Allowing end-users to query for fabric information

Mike,

On Mon, Oct 6, 2008 at 11:09 AM, Mike Heinz <[EMAIL PROTECTED]> wrote:
> Roland,
>
> I've been thinking about this some more and I have to say I'm still a
> bit confused. Are you saying that any root user on any node of the
> fabric can change the routing tables? Isn't the ability to access and
> alter subnet information controlled via the management key?

There are two levels to this. First you must be able to send the MAD and once that can happen the receiving SMA performs the usual MKey checks which depend on the protection level assuming it is an SM class MAD like the one to change the routing tables.

-- Hal

>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Heinz
> Sent: Monday, September 22, 2008 3:19 PM
> To: Roland Dreier
> Cc: general@lists.openfabrics.org
> Subject: RE: [ofa-general] Allowing end-users to query for fabric
> information
>
> Thanks for the explanation.
>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: Roland Dreier [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 22, 2008 3:18 PM
> To: Mike Heinz
> Cc: general@lists.openfabrics.org
> Subject: Re: [ofa-general] Allowing end-users to query for fabric
> information
>
> > What was the reason for making this design choice? While I could
> > certainly provide boot scripts to change the permissions to
> > /dev/infiniband/umad*, I'd rather understand why the decision was made
> > to restrict access.
>
> because /dev/infiniband/umadX allows full unfiltered access to
> send/receive any MADs. Including changing routing tables, bringing
> ports down, etc. Not stuff that unprivileged users should be able to
> do.
>
> It would make sense to have a higher-level interface that only allows
> safe queries without side effects, but that's quite a bit more work
> than just changing permissions on device nodes.
>
> - R.
> _______________________________________________
> general mailing list
> general@lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
>
> To unsubscribe, please visit
> http://openib.org/mailman/listinfo/openib-general
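
A sketch of the "higher-level interface that only allows safe queries" idea raised in the thread, as an added example that is not code from OFED or from any participant. It applies an assumed policy to the common MAD header before anything is sent, so SM-class MADs are refused locally instead of relying on the remote M_Key check. The function names, the policy and the sample MADs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets in the 24-byte common MAD header. */
enum { OFF_BASE_VERSION = 0, OFF_MGMT_CLASS = 1, OFF_CLASS_VERSION = 2,
       OFF_METHOD = 3, OFF_ATTR_ID = 16, MAD_HDR_LEN = 24, MAD_LEN = 256 };
enum { CLASS_SM_LID = 0x01, CLASS_SUBN_ADM = 0x03, CLASS_SM_DR = 0x81 };
enum { METHOD_GET = 0x01, METHOD_SET = 0x02, METHOD_SA_GETTABLE = 0x12 };

typedef enum { MAD_ALLOW, MAD_DENY_MALFORMED, MAD_DENY_CLASS, MAD_DENY_METHOD } mad_verdict;

/* Assumed policy: forward only SubnAdm Get/GetTable requests. SM-class MADs
 * are refused here, so nothing depends on the receiving SMA's M_Key check. */
mad_verdict mad_filter(const uint8_t *mad, size_t len)
{
    if (mad == NULL || len < MAD_HDR_LEN || mad[OFF_BASE_VERSION] != 1)
        return MAD_DENY_MALFORMED;
    if (mad[OFF_MGMT_CLASS] != CLASS_SUBN_ADM)
        return MAD_DENY_CLASS;
    /* Exact match also rejects Set, Delete and anything with the response bit. */
    if (mad[OFF_METHOD] != METHOD_GET && mad[OFF_METHOD] != METHOD_SA_GETTABLE)
        return MAD_DENY_METHOD;
    return MAD_ALLOW;
}

/* Build a constructed 256-byte MAD with the given header fields and filter it. */
mad_verdict check_sample(uint8_t mgmt_class, uint8_t method, uint16_t attr_id)
{
    uint8_t mad[MAD_LEN];
    memset(mad, 0, sizeof mad);
    mad[OFF_BASE_VERSION] = 1;
    mad[OFF_MGMT_CLASS] = mgmt_class;
    mad[OFF_CLASS_VERSION] = (mgmt_class == CLASS_SUBN_ADM) ? 2 : 1;
    mad[OFF_METHOD] = method;
    mad[OFF_ATTR_ID] = (uint8_t)(attr_id >> 8);      /* big-endian on the wire */
    mad[OFF_ATTR_ID + 1] = (uint8_t)(attr_id & 0xff);
    return mad_filter(mad, sizeof mad);
}

int main(void)
{
    static const char *names[] = { "allow", "deny: malformed", "deny: class", "deny: method" };
    printf("SA Get PathRecord:      %s\n", names[check_sample(CLASS_SUBN_ADM, METHOD_GET, 0x0035)]);
    printf("SA GetTable NodeRecord: %s\n", names[check_sample(CLASS_SUBN_ADM, METHOD_SA_GETTABLE, 0x0011)]);
    printf("SA Set (constructed):   %s\n", names[check_sample(CLASS_SUBN_ADM, METHOD_SET, 0x0035)]);
    printf("SM Set LinearFwdTable:  %s\n", names[check_sample(CLASS_SM_LID, METHOD_SET, 0x0019)]);
    printf("SM DR Get NodeInfo:     %s\n", names[check_sample(CLASS_SM_DR, METHOD_GET, 0x0011)]);
    return 0;
}
```

A filter like this would sit in a privileged helper that owns the umad device, so the device node permissions stay as they are.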