REMOTE ACCESS FROM BIOS W/H RESTRICTIONS

Solved by Electronics Wizardy.

Hi all, 
I want to have it so my server PC can be accessed from BIOS but only certain functions can be used by certain people, say they can only manage some files instead of getting full access to my server, but I am able to have full access.

Blake has arrived!!

Just your local tech geek!

Love to help!

When password protecting the BIOS I believe most of the time it's either full access or no access; you can't allow people to change some system parameters while blocking others. It's pretty all or nothing; the BIOS isn't that sophisticated.

 

Does this server have IPMI/iDRAC/ILO?

1 minute ago, Windows7ge said:

When password protecting the BIOS I believe most of the time it's either full access or no access; you can't allow people to change some system parameters while blocking others. It's pretty all or nothing; the BIOS isn't that sophisticated.

Does this server have IPMI/iDRAC/ILO?

I have not got the MB yet but I am planning on getting it soon along with some other things. I was planning on running a Minecraft server off it and want to have some mods in my chat on Discord be able to reset, bring to previous backup (with authentication from me), start all that but not be able to access the rest of the files on the server.

Nope, you shouldn't have people needing to access the BIOS like that. It's either you can access it or you can't.

BIOS can be reset by clearing the CMOS so it's pointless to have role-based access.

 

8 minutes ago, Spoiled_Kitten said:

say they can only manage some files instead of getting full access to my server but I am able to have full access.

 

Are you sure you mean BIOS? BIOS doesn't give you access to the file system....

Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

 

Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | EVGA GTX1070 FTW | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO + 4 Additional Venturi 120mm Fans | 14 x 20TB Seagate Exos X22 20TB | 500GB Aorus Gen4 NVMe | 2 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA

 

Just now, Spoiled_Kitten said:

I have not got the MB yet but I am planning on getting it soon along with some other things. I was planning on running a Minecraft server off it and want to have some mods in my chat on Discord be able to reset, bring to previous backup (with authentication from me), start all that but not be able to access the rest of the files on the server.

You're probably better off installing a hypervisor, then giving mods permissions to change some VMs. That way they can hard reset VMs that have the server running, but can only control the VMs they should be able to, and not the full server.

Just now, Jarsky said:

Nope, you shouldn't have people needing to access the BIOS like that. It's either you can access it or you can't.

BIOS can be reset by clearing the CMOS so it's pointless to have role-based access.

 

 

Are you sure you mean BIOS? BIOS doesn't give you access to the file system....

I want the server to be able to remotely be turned on and off (will be using Arduino with web client to do so) and the remote access to start from BIOS so if I am, say, overseas and need to change things I can, but that same remote access client to be doing as I said above.

2 minutes ago, Electronics Wizardy said:

You're probably better off installing a hypervisor, then giving mods permissions to change some VMs. That way they can hard reset VMs that have the server running, but can only control the VMs they should be able to, and not the full server.

I don't want it to be hosting a virtual machine as that will lower performance on the server and the CPU will already be having enough trouble. The server is currently on a realm (Bedrock Edition) and has huge trouble loading terrain, and performance drops.

 

 

Just now, Spoiled_Kitten said:

I want the server to be able to remotely be turned on and off (will be using Arduino with web client to do so) and the remote access to start from BIOS so if I am, say, overseas and need to change things I can, but that same remote access client to be doing as I said above.

Does the server have IPMI or similar? That would allow you to do out-of-band management like that.

Just now, Spoiled_Kitten said:

I don't want it to be hosting a virtual machine as that will lower performance on the server and the CPU will already be having enough trouble.

The performance cut is very small, less than 3% normally, so I wouldn't worry about that. VMs make this much easier, so I'd run VMs if at all possible.

1 minute ago, Electronics Wizardy said:

Does the server have IPMI or similar? That would allow you to do out-of-band management like that.

IPMI?

1 minute ago, Spoiled_Kitten said:

I have not got the MB yet but I am planning on getting it soon along with some other things. I was planning on running a Minecraft server off it and want to have some mods in my chat on Discord be able to reset, bring to previous backup (with authentication from me), start all that but not be able to access the rest of the files on the server.

Giving them access to the IPMI and by extension the BIOS is full administration access. You can't create users with lesser access; that's not what the tool is for.

Electronics Wizardy's hypervisor suggestion would be a much better route. You can set up some OS/application level permissions as to what they are allowed access to.

1 minute ago, Spoiled_Kitten said:

IPMI?

What server do you have? Most servers from Dell/HP/Supermicro have an IPMI or out-of-band management option that lets you control the server, and access the BIOS and screen in a web utility.

1 minute ago, Windows7ge said:

Giving them access to the IPMI and by extension the BIOS is full administration access. You can't create users with lesser access; that's not what the tool is for.

Electronics Wizardy's hypervisor suggestion would be a much better route. You can set up some OS/application level permissions as to what they are allowed access to.

So would I be able to only let them access certain files and run certain applications? My hope is for there to be a web client that you can press say reset and it will run a command to reset but there also be access for remote access if the web client for the easy commands fails. If that makes sense.

 

1 minute ago, Spoiled_Kitten said:

So would I be able to only let them access certain files and run certain applications? My hope is for there to be a web client that you can press say reset and it will run a command to reset but there also be access for remote access if the web client for the easy commands fails. If that makes sense.

Really you want a hypervisor, it will make this very easy.

With IPMI, normally it's everything or nothing, so you would need a box in the middle to only allow some commands, and that's gonna be a lot of work.

2 minutes ago, Spoiled_Kitten said:

So would I be able to only let them access certain files and run certain applications? My hope is for there to be a web client that you can press say reset and it will run a command to reset but there also be access for remote access if the web client for the easy commands fails. If that makes sense.

 

You'd probably have to spin something up custom to get that experience since you wouldn't want to publish your server's WebUI to the Internet. Allowing SSH connections and restricting their user accounts would suffice for rebooting VMs among most other tasks.

Could I have it so that there is a password?

3 minutes ago, Windows7ge said:

You'd probably have to spin something up custom to get that experience since you wouldn't want to publish your server's WebUI to the Internet. Allowing SSH connections and restricting their user accounts would suffice for rebooting VMs among most other tasks.

 

This is for Linux Ubuntu BTW

 

2 minutes ago, Spoiled_Kitten said:

Could I have it so that there is a password?

 

For them to SSH in they'd need one. You can either allow or not allow them access to use sudo. That right there would lock them out of most system functions.
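
One way to do the restricted SSH access discussed in the replies above, as an added example that is not part of any poster's reply: an SSH forced command that lets a moderator's key trigger only a fixed set of VM actions instead of giving them a shell. The script path `/usr/local/bin/mod-gate`, the VM name `mc-server` and the account `mod1` are hypothetical, and the moderator account is assumed to be permitted to run these `virsh` commands.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command gate for a moderator key.
# Assumed ~/.ssh/authorized_keys entry for the moderator (key elided):
#   restrict,command="/usr/local/bin/mod-gate" ssh-ed25519 AAAA... mod1
# sshd ignores whatever the client asked to run, starts this script instead,
# and passes the client's request in SSH_ORIGINAL_COMMAND.

VM_NAME="mc-server"          # hypothetical libvirt domain running the game server
LIBVIRT_URI="qemu:///system"

# Translate a moderator request into one virsh subcommand.
# The request is matched as a whole string; it is never eval'd or word-split,
# so "restart; id" or "bash" simply fails to match.
mod_gate_resolve() {
    case "$1" in
        status)  echo "domstate" ;;
        start)   echo "start" ;;
        restart) echo "reboot" ;;   # asks the guest to reboot
        reset)   echo "reset" ;;    # hard reset, like pressing the reset button
        *)       return 1 ;;
    esac
}

mod_gate_main() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    if ! sub=$(mod_gate_resolve "$request"); then
        logger -t mod-gate "DENY user=$(id -un) request=$request" || true
        echo "allowed requests: status start restart reset" >&2
        return 1
    fi
    logger -t mod-gate "ALLOW user=$(id -un) request=$request" || true
    # Fixed argv: only the subcommand varies, and only among the four above.
    exec virsh -c "$LIBVIRT_URI" "$sub" "$VM_NAME"
}

# Run only when installed and invoked under its own name (assumed path above).
if [ "${0##*/}" = "mod-gate" ]; then
    mod_gate_main
fi
```

A moderator then runs, for instance, `ssh mod1@<server> restart`; an interactive login or any other command gets the refusal message and a DENY line in syslog.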

1 minute ago, Windows7ge said:

For them to SSH in they'd need one. You can either allow or not allow them access to use sudo. That right there would lock them out of most system functions.

So I just use hypervisor? It is a simple program to set up, right? No port forwarding or anything?

12 minutes ago, Spoiled_Kitten said:

So I just use hypervisor? It is a simple program to set up, right? No port forwarding or anything?

A hypervisor. Hypervisor is a word that describes a group of Operating Systems and/or applications for use in virtualization. The word in itself is not an application (though someone is probably using it somewhere as one).

 

If you want to use Ubuntu you can install the virt-manager & ovmf packages. This will include QEMU and UEFI support for your VMs. From there you can create user accounts on the system.

 

If you want to host any server for people to use you usually have to do some Port Forwarding. Adding another port to the list to allow SSH access shouldn't be a big deal unless you have one of those ISPs that charge you for every port you want to open.

Just now, Windows7ge said:

A hypervisor. Hypervisor is a word that describes a group of Operating Systems and/or applications for use in virtualization. The word in itself is not an application (though someone is probably using it somewhere as one).

 

If you want to use Ubuntu you can install the virt-manager & ovmf packages. This will include QEMU and UEFI support for your VMs. From there you can create user accounts on the system.

 

If you want to host any server for people to use you usually have to do some Port Forwarding. Adding another port to the list to allow SSH access shouldn't be a big deal unless you have one of those ISPs that charge you for every port you want to open.

Yeah I don't have one of those ISPs, just the ones that give you terrible speed.

1 minute ago, Spoiled_Kitten said:

Yeah I don't have one of those ISPs, just the ones that give you terrible speed.

Well then it's your lucky day because SSH (unless you're transferring files) is extremely light on bandwidth. To the point where it won't even exist compared to the game traffic.

1 minute ago, Windows7ge said:

Well then it's your lucky day because SSH (unless you're transferring files) is extremely light on bandwidth. To the point where it won't even exist compared to the game traffic.

That's awesome! I get like 30mb/s on a good day, usually 20mb/s, so I hope it won't use much bandwidth!

3 minutes ago, Spoiled_Kitten said:

That's awesome! I get like 30mb/s on a good day, usually 20mb/s, so I hope it won't use much bandwidth!

If it's only going to be used as an administrative tool then it shouldn't see continuous regular use either. Only when something needs a reset.

1 minute ago, Windows7ge said:

If it's only going to be used as an administrative tool then it shouldn't see continuous regular use either. Only when something needs a reset.

Awesome! Thanks for your help! Cya around! I'm going to mark this as solved now.
