Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Operator" Privilege Role Allowed to Configure Network Settings #284

Open
4 tasks done
FarahRasheed1 opened this issue Jul 23, 2024 · 5 comments
Open
4 tasks done

Comments

@FarahRasheed1
Copy link
Contributor

FarahRasheed1 commented Jul 23, 2024

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use OpenBMC
  • This is not a bug in an OpenBMC fork or a bug in code still under code review.
  • This is not a request for a new feature.

Bug Description

The "operator" privilege role is currently allowed to configure network settings. This behavior is unexpected as network configuration should be restricted to roles with higher privileges, such as "admin". This is per the spec: https://github.com/openbmc/docs/blob/master/architecture/user-management.md

operator | Users are allowed to view and control basic operations. This includes reboot of the host, etc. But users are not allowed to change other configuration like user, network, etc.

Links to code:

An operator privilege user role is assigned ConfigureComponents here: https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/privileges.hpp#L247-L253
https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/roles.hpp#L66

Link to privilege registry that defines privilegeSetConfigureComponents :
https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L23

Link to privilege registry that defines patchEthernetInterface:
https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L580

Link to ethernet.hpp that handles the PATCH request using the above privilege: https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/ethernet.hpp#L2258

The code above is not according to the spec in user-management.md which does not allow an operator to change network configuration.

Version

67c9d4e715c705cd05fd04f7c8cd4fad300a4666

Additional Information - Logs from testing on QEMU:

Added a test user to operator priv group

Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'web'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'redfish'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'priv-operator'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'ipmi'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'web'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'redfish'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'priv-operator'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'ipmi'
Jul 24 19:26:27 romulus phosphor-user-manager[257]: User 'test' created successfully

Sent a PATCH request to update the host name from the test user

Jul 24 20:45:43 romulus bmcweb[182]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "test"
Jul 24 20:45:44 romulus systemd[1]: Starting Hostname Service...
Jul 24 20:45:44 romulus systemd[1]: Started Hostname Service.
Jul 24 20:45:45 dcscm systemd-resolved[138]: System hostname changed to 'dcscm'.
Jul 24 20:46:15 dcscm systemd[1]: systemd-hostnamed.service: Deactivated successfully.

@FarahRasheed1
Copy link
Contributor Author

Note that parse_registries.py script is used to auto gen the privilege registry using the redfish spec.

@edtanous
Copy link
Contributor

latest bmcweb

This isn't a version. The "latest" changes every day.

The "operator" privilege role is currently allowed to configure network settings.

https://github.com/DMTF/Redfish-Publications/blob/5b217908b5378b24e4f390c063427d7a707cd308/registries/Redfish_1.5.0_PrivilegeRegistry.json#L3517

Shows that this the URI in question would be a SubordinateOverride that limit this further, which was never implemented. So far as I'm aware, there has been no effort to try to implement SubordinateOverrides in bmcweb.

https://gerrit.openbmc.org/c/openbmc/bmcweb/+/59570/12 Makes mention of it, but I'm not aware of any patchsets being sent.

For what it's worth, we've discussed in the past simply removing the Operator privilege level, as there seems to be very little use of it, and nobody willing to maintain the distinction between an "Operator" and an "Administrator" of the BMC.

@FarahRasheed1
Copy link
Contributor Author

FarahRasheed1 commented Jul 23, 2024

This isn't a version. The "latest" changes every day.

Yea, I wasn't sure what to use there, so I saw what the previous issue in the "open issues" list had done and used it: #272. Will update in a bit.

@edtanous
Copy link
Contributor

Please edit your initial post and add the requested information. Which platform you tested on, and which openbmc/openbmc sha1 you used.

@FarahRasheed1
Copy link
Contributor Author

Updated the bug description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants