Re: [ewg] [GIT PULL] RDMA/nes: fix incorrect unlock in nes_process_mac_intr
Tung, Chien Tin wrote:
> Vlad,
>
> Please pull my git for this commit:
>
> RDMA/nes: fix incorrect unlock in nes_process_mac_intr
>
> at:
>
> git://sofa.openfabrics.org/~ctung/ofed-1.5.git ofed_kernel_1_5
>
> Thanks,
> Chien
> --
> Chien Tung | chien.tin.t...@intel.com

Done,

Regards,
Vladimir
___
ewg mailing list
ewg@lists.openfabrics.org
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ewg
[ewg] ofa_1_5_kernel 20100526-0200 daily build status
This email was generated automatically, please do not reply

git_url: git://git.openfabrics.org/ofed_1_5/linux-2.6.git
git_branch: ofed_kernel_1_5

Common build parameters:

Passed:
Passed on i686 with linux-2.6.18
Passed on i686 with linux-2.6.19
Passed on i686 with linux-2.6.21.1
Passed on i686 with linux-2.6.26
Passed on i686 with linux-2.6.24
Passed on i686 with linux-2.6.22
Passed on i686 with linux-2.6.27
Passed on x86_64 with linux-2.6.16.60-0.54.5-smp
Passed on x86_64 with linux-2.6.16.60-0.21-smp
Passed on x86_64 with linux-2.6.18
Passed on x86_64 with linux-2.6.18-128.el5
Passed on x86_64 with linux-2.6.18-194.el5
Passed on x86_64 with linux-2.6.18-164.el5
Passed on x86_64 with linux-2.6.19
Passed on x86_64 with linux-2.6.18-93.el5
Passed on x86_64 with linux-2.6.21.1
Passed on x86_64 with linux-2.6.20
Passed on x86_64 with linux-2.6.22
Passed on x86_64 with linux-2.6.26
Passed on x86_64 with linux-2.6.24
Passed on x86_64 with linux-2.6.25
Passed on x86_64 with linux-2.6.27
Passed on x86_64 with linux-2.6.27.19-5-smp
Passed on x86_64 with linux-2.6.9-67.ELsmp
Passed on x86_64 with linux-2.6.9-78.ELsmp
Passed on x86_64 with linux-2.6.9-89.ELsmp
Passed on ia64 with linux-2.6.18
Passed on ia64 with linux-2.6.19
Passed on ia64 with linux-2.6.21.1
Passed on ia64 with linux-2.6.23
Passed on ia64 with linux-2.6.22
Passed on ia64 with linux-2.6.26
Passed on ia64 with linux-2.6.24
Passed on ia64 with linux-2.6.25
Passed on ppc64 with linux-2.6.18
Passed on ppc64 with linux-2.6.19

Failed:
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
On Tue, May 25, 2010 at 7:21 PM, Woodruff, Robert J robert.j.woodr...@intel.com wrote:
> Hal wrote,
>
> If you really want any user to do this, is changing umad permissions sufficient ? This is less of a security hole than setuid but does open things up for malicious users.
>
> -- Hal
>
> I wanted to avoid doing this as it would allow some malicious user to just open /dev/umad and send random mads and cause big problems with the fabric. I was thinking that if the applications like perfquery are trusted to not allow someone to do anything malicious, then having them run as setuid root would not open a security hole ? I don't know exactly how setuid programs are exploited to obtain general root access but I've heard this. sudo sounds like it would allow them to run any command as root ID, which I think is a larger security hole than just setting the one or few trusted applications to setuid root. But then, I am not a security expert so I may not know all of the possible issues with setting a command to setuid root.

sudo can be configured for specific commands to be allowed to specific users.

-- Hal

> woody
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
Hal wrote,

sudo can be configured for specific commands to be allowed to specific users.

Then perhaps that is a safer way to do it, but it would put more work on the system admin to set it up for people, but if setting the permissions of the commands to setuid root opens up a security hole, we would not want that.

Does anyone know if setting the permissions to setuid root does actually open up a security hole ?

woody
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
The issue is that it is entirely dependent on the security integrity of the application with the setuid bit set. If someone can insert code, or swap a dynamically linked library with their own alternative, it becomes possible to have your own code executed as root. The system is then completely compromised.

-Original Message-
From: ewg-boun...@lists.openfabrics.org [mailto:ewg-boun...@lists.openfabrics.org] On Behalf Of Woodruff, Robert J
Sent: 26 May 2010 17:19
To: Hal Rosenstock
Cc: EWG
Subject: Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.

Hal wrote,

sudo can be configured for specific commands to be allowed to specific users.

Then perhaps that is a safer way to do it, but it would put more work on the system admin to set it up for people, but if setting the permissions of the commands to setuid root opens up a security hole, we would not want that.

Does anyone know if setting the permissions to setuid root does actually open up a security hole ?

woody
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
On Wed, May 26, 2010 at 12:29 PM, Informatix solutions rich...@informatix-sol.com wrote:
> The issue is that it is entirely dependent on the security integrity of the application with the setuid bit set. If someone can insert code, or swap a dynamically linked library with their own alternative, it becomes possible to have your own code executed as root. The system is then completely compromised.

The IB diags do use dynamically linked libs (libibmad and libibumad).

-- Hal
[ewg] new libnes daily library
Vlad,

I've updated libnes library:

http://www.openfabrics.org/downloads/nes/libnes-1.0.1-0.3.g8d69734.tar.gz

latest.txt has been updated with the new file name. The new library has this commit:

commit 8d697346deeed723d69c284e597c0ebcb11dc602
Author: Mirek Walukiewicz miroslaw.walukiew...@intel.com
Date: Wed May 26 17:30:26 2010 +0200

    libnes: RAW ETH QP fixes

    Fix a problem with hang-up of RAW ETH CQ poll when now entry valid
    Fix a problem with correction of RAW ETH QP head on transmit

    Signed-off-by: Mirek Walukiewicz miroslaw.walukiew...@intel.com

Thanks,
Chien
--
Chien Tung | chien.tin.t...@intel.com
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
If the application is statically linked and trusted, then, is there no security issue ?

-Original Message-
From: Informatix solutions [mailto:rich...@informatix-sol.com]
Sent: Wednesday, May 26, 2010 9:30 AM
To: Woodruff, Robert J; 'Hal Rosenstock'
Cc: 'EWG'
Subject: RE: [ewg] Allowing ib diagnostics to be run without being logged in as root.

The issue is that it is entirely dependent on the security integrity of the application with the setuid bit set. If someone can insert code, or swap a dynamically linked library with their own alternative, it becomes possible to have your own code executed as root. The system is then completely compromised.
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
On 05/27/2010 02:19 AM, Woodruff, Robert J wrote:
> Hal wrote,
>
> sudo can be configured for specific commands to be allowed to specific users.
>
> Then perhaps that is a safer way to do it, but it would put more work on the system admin to set it up for people, but if setting the permissions of the commands to setuid root opens up a security hole, we would not want that.

From an experienced SysAdmin perspective, the less setuid/setgid programs there are on a system the better. If a system could have them *all* removed, that would be great. :)

Security types generally don't like them either, regarding them as a point of weakness due to circumventing finer grained access controls (sudo, ACLs, RBAC, etc).

setuid/setgid binaries are also included (and queried) in *every* system audit. Good security practise will generally change the binaries back to being non-setuid/non-setgid (ie normal perms) unless there's a Very Good Reason for them to be otherwise.

I have personally had to secure/harden many *nix systems over the years, plus write detailed technical best practice guides for multi-national corporates on how to do it on more than one occasion. Last time was in roughly 2006, and setuid/setgid stuff was regarded as bad old practise at that time. I'd expect it would be even less favoured now.

> Does anyone know if setting the permissions to setuid root does actually open up a security hole ?

Not directly. It just creates lots of secondary hassles for SysAdmins, Security Admins, policy enforcement software, and monitoring software because it introduces another vector for attack.

People having a need for setuid or setgid root for these binaries can most definitely do it themselves as part of their roll out.

Not sure if that perspective helps, but you do seem to be asking. :)

Regards and best wishes,

Justin Clift

> woody

--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
To steer the conversation in a different direction.

Perhaps there is a need to have a second umad device file which allows only for Get operations? I know this could be some work and I don't know if it could be completely done (I have not thought through all the details). [*]

I know there is some discussion on the interface for userspace apps and MAD's on the developers mailing list. Is this a requirement we should look into more? I know we have some need for this and now Woody has this need as well.

Thoughts?

Ira

[*] NOTE: I am not directly volunteering to do this work ;-) But I have been interested in changing the user level MAD libraries in the past so I think I could help.

On Wed, 26 May 2010 09:51:53 -0700 Justin Clift jus...@salasaga.org wrote:
> On 05/27/2010 02:19 AM, Woodruff, Robert J wrote:
> > Hal wrote,
> >
> > sudo can be configured for specific commands to be allowed to specific users.
> >
> > Then perhaps that is a safer way to do it, but it would put more work on the system admin to set it up for people, but if setting the permissions of the commands to setuid root opens up a security hole, we would not want that.
>
> From an experienced SysAdmin perspective, the less setuid/setgid programs there are on a system the better. If a system could have them *all* removed, that would be great. :)
>
> Security types generally don't like them either, regarding them as a point of weakness due to circumventing finer grained access controls (sudo, ACLs, RBAC, etc).
>
> setuid/setgid binaries are also included (and queried) in *every* system audit. Good security practise will generally change the binaries back to being non-setuid/non-setgid (ie normal perms) unless there's a Very Good Reason for them to be otherwise.
>
> I have personally had to secure/harden many *nix systems over the years, plus write detailed technical best practice guides for multi-national corporates on how to do it on more than one occasion. Last time was in roughly 2006, and setuid/setgid stuff was regarded as bad old practise at that time. I'd expect it would be even less favoured now.
>
> > Does anyone know if setting the permissions to setuid root does actually open up a security hole ?
>
> Not directly. It just creates lots of secondary hassles for SysAdmins, Security Admins, policy enforcement software, and monitoring software because it introduces another vector for attack.
>
> People having a need for setuid or setgid root for these binaries can most definitely do it themselves as part of their roll out.
>
> Not sure if that perspective helps, but you do seem to be asking. :)
>
> Regards and best wishes,
>
> Justin Clift
>
> > woody
>
> --
> Salasaga - Open Source eLearning IDE
> http://www.salasaga.org
[ewg] [PATCH] ofa_kernel madeye.c
This is a simple fix. Several of the snoop filters in ./drivers/infiniband/util/madeye.c don't switch the attribute id to host byte order before checking it. Signed-off-by: Michael Heinz michael.he...@qlogic.com diff --git a/drivers/infiniband/util/madeye.c b/drivers/infiniband/util/madeye.c index 0cda06c..2c650a3 100644 --- a/drivers/infiniband/util/madeye.c +++ b/drivers/infiniband/util/madeye.c @@ -401,7 +401,7 @@ static void snoop_smi_handler(struct ib_mad_agent *mad_agent, if (!smp hdr-mgmt_class != mgmt_class) return; - if (attr_id hdr-attr_id != attr_id) + if (attr_id be16_to_cpu(hdr-attr_id) != attr_id) return; printk(Madeye:sent SMP\n); @@ -413,7 +413,7 @@ static void recv_smi_handler(struct ib_mad_agent *mad_agent, { if (!smp mad_recv_wc-recv_buf.mad-mad_hdr.mgmt_class != mgmt_class) return; - if (attr_id mad_recv_wc-recv_buf.mad-mad_hdr.attr_id != attr_id) + if (attr_id be16_to_cpu(mad_recv_wc-recv_buf.mad-mad_hdr.attr_id) != attr_id) return; printk(Madeye:recv SMP\n); @@ -446,7 +446,7 @@ static void snoop_gsi_handler(struct ib_mad_agent *mad_agent, if (!gmp hdr-mgmt_class != mgmt_class) return; - if (attr_id hdr-attr_id != attr_id) + if (attr_id be16_to_cpu(hdr-attr_id) != attr_id) return; printk(Madeye:sent GMP\n); @@ -468,7 +468,7 @@ static void recv_gsi_handler(struct ib_mad_agent *mad_agent, if (!gmp hdr-mgmt_class != mgmt_class) return; - if (attr_id mad_recv_wc-recv_buf.mad-mad_hdr.attr_id != attr_id) + if (attr_id be16_to_cpu(mad_recv_wc-recv_buf.mad-mad_hdr.attr_id) != attr_id) return; printk(Madeye:recv GMP\n);
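Review bot: all four handlers now call be16_to_cpu() on the header's attr_id for every MAD that reaches the filter, while the value it is compared with, attr_id, never changes. Consider converting the filter value once with cpu_to_be16() and comparing it against the wire-order field directly, so the per-packet path does no swapping. The commit message could also state that the old comparison only went wrong on little-endian hosts, since be16_to_cpu() is a no-op on big-endian ones.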
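Review bot: in the recv_gsi_handler hunk (@@ -468) the mgmt_class check on the context line already reads through hdr, but the changed line spells out mad_recv_wc->recv_buf.mad->mad_hdr.attr_id. Using be16_to_cpu(hdr->attr_id) there, as the snoop_gsi_handler hunk does, would keep the two checks consistent and bring the line back under 80 columns. The recv_smi_handler hunk (@@ -413) has the same over-long line and would benefit from a local hdr pointer.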
[ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?
The subject says it all. If I have a patch that can be applied against either the current OFED git repository or against the upstream kernel - where do I post it?
Re: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?
> The subject says it all. If I have a patch that can be applied against either the current OFED git repository or against the upstream kernel - where do I post it?

What do you want to happen to the patch? If you want it applied to the upstream kernel, then send it to me and linux-rdma. If you want it applied to an OFED tree, send it to ewg.

--
Roland Dreier rola...@cisco.com || For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
Re: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?
My preference for bug fixes is that they be applied so that they go into the upstream kernel - assuming they don't require EWG-only changes. But I need to understand the correlation between the two source trees - if you accept a bug fix for the upstream kernel, will that end up in OFED as well, or do I need to submit the patch to both groups?

-Original Message-
From: Roland Dreier [mailto:rdre...@cisco.com]
Sent: Wednesday, May 26, 2010 4:50 PM
To: Mike Heinz
Cc: openfabrics-...@openib.org
Subject: Re: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?

> The subject says it all. If I have a patch that can be applied against either the current OFED git repository or against the upstream kernel - where do I post it?

What do you want to happen to the patch? If you want it applied to the upstream kernel, then send it to me and linux-rdma. If you want it applied to an OFED tree, send it to ewg.

--
Roland Dreier rola...@cisco.com || For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.
It's better to be statically linked. However all setuid programs present a threat. The challenge as a security administrator is to assess and minimize the threat. Smaller programs where you can inspect and understand the program are more trustable than large complex programs.

Richard

- Reply message -
From: Woodruff, Robert J robert.j.woodr...@intel.com
Date: Wed, May 26, 2010 17:43
Subject: [ewg] Allowing ib diagnostics to be run without being logged in as root.
To: richard.crouc...@informatix-sol.com richard.crouc...@informatix-sol.com, 'Hal Rosenstock' hal.rosenst...@gmail.com
Cc: 'EWG' openfabrics-...@openib.org

If the application is statically linked and trusted, then, is there no security issue ?
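Added example, not part of the thread and not OFED code: two points raised above, that setuid/setgid binaries are queried in every system audit and that a setuid program which loads libraries at run time depends on the integrity of those libraries, can be checked together. The script below lists each setuid/setgid regular file under a directory and reads its ELF program headers to see whether it requests a run-time loader (PT_INTERP); the default path /usr/sbin and the result field names are assumptions.

```python
import os
import stat
import struct
import sys

PT_INTERP = 3  # program header type: the binary asks for a run-time loader


def elf_linkage(path):
    """Classify a file as 'dynamic', 'static', 'not-elf' or 'unreadable'."""
    try:
        with open(path, "rb") as f:
            ident = f.read(16)
            if len(ident) < 16 or ident[:4] != b"\x7fELF" or ident[4] not in (1, 2):
                return "not-elf"
            endian = "<" if ident[5] == 1 else ">"
            # Header fields after e_ident; only e_phoff, e_phentsize, e_phnum are used.
            fmt = endian + ("HHIQQQIHHHHHH" if ident[4] == 2 else "HHIIIIIHHHHHH")
            raw = f.read(struct.calcsize(fmt))
            if len(raw) < struct.calcsize(fmt):
                return "not-elf"
            fields = struct.unpack(fmt, raw)
            phoff, phentsize, phnum = fields[4], fields[8], fields[9]
            for i in range(phnum):
                f.seek(phoff + i * phentsize)
                p_type = f.read(4)  # p_type is the first field in ELF32 and ELF64
                if len(p_type) == 4 and struct.unpack(endian + "I", p_type)[0] == PT_INTERP:
                    return "dynamic"
            return "static"
    except OSError:
        return "unreadable"


def audit_setid(root):
    """Return one finding per setuid/setgid regular file below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            findings.append({
                "path": path,
                "mode": stat.filemode(st.st_mode),
                "owner_uid": st.st_uid,
                "linkage": elf_linkage(path),
                # Group/other write on the file or its directory means
                # someone other than the owner can replace the program.
                "loosely_writable": bool((st.st_mode | dir_mode)
                                         & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return sorted(findings, key=lambda item: item["path"])


if __name__ == "__main__":
    for item in audit_setid(sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin"):
        print("{mode} uid={owner_uid} {linkage:10} writable={loosely_writable} {path}"
              .format(**item))
```

A "dynamic" result on a setuid file is the case where the libraries it loads need the same review as the binary itself; the check does not inspect those libraries.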
Re: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?
In general, we would like kernel code to be reviewed and accepted (or at least queued for acceptance) upstream first and then submitted to the ewg for the next OFED release. There are sometimes exceptions where things go into OFED before being accepted upstream but in general, we would like to follow the model where they are submitted upstream first if possible.

Some things, like backport patches or OFED installation scripts, are only maintained by the EWG, so in those cases, they only need to be submitted to the EWG list.

Hope this helps.

woody

-Original Message-
From: ewg-boun...@lists.openfabrics.org [mailto:ewg-boun...@lists.openfabrics.org] On Behalf Of Mike Heinz
Sent: Wednesday, May 26, 2010 1:34 PM
To: openfabrics-...@openib.org
Subject: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?

The subject says it all. If I have a patch that can be applied against either the current OFED git repository or against the upstream kernel - where do I post it?
Re: [ewg] Question: When should patches be submitted to EWG and when should they be submitted to linux-rdma?
On Wed, 26 May 2010 13:58:41 -0700 Mike Heinz michael.he...@qlogic.com wrote:
> My preference for bug fixes is that they be applied so that they go into the upstream kernel - assuming they don't require EWG-only changes. But I need to understand the correlation between the two source trees - if you accept a bug fix for the upstream kernel, will that end up in OFED as well, or do I need to submit the patch to both groups?

There is a reason upstream is called upstream. If you get it into the upstream kernel it will flow down and everyone will get it. If you only submit to EWG then it will stay there in OFED purgatory.

That is not to say you can't submit to OFED for critical things which your customers need but that should be an exception rather than the rule.

Ira