Description
Is this the right place to submit this?
- This is not a security vulnerability or a crashing bug
- This is not a question about how to use OpenBMC
- This is not a bug in an OpenBMC fork or a bug in code still under code review.
- This is not a request for a new feature.
Bug Description
The "operator" privilege role is currently allowed to configure network settings. This behavior is unexpected as network configuration should be restricted to roles with higher privileges, such as "admin". This is per the spec: https://github.com/openbmc/docs/blob/master/architecture/user-management.md
operator | Users are allowed to view and control basic operations. This includes reboot of the host, etc. But users are not allowed to change other configuration like user, network, etc.
Links to code:
An operator privilege user role is assigned ConfigureComponents here: https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/privileges.hpp#L247-L253
https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/roles.hpp#L66
Link to privilege registry that defines privilegeSetConfigureComponents :
https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L23
Link to privilege registry that defines patchEthernetInterface:
https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L580
Link to ethernet.hpp that handles the PATCH request using the above privilege: https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/ethernet.hpp#L2258
The code above is not according to the spec in user-management.md which does not allow an operator to change network configuration.
Version
67c9d4e715c705cd05fd04f7c8cd4fad300a4666
Additional Information - Logs from testing on QEMU:
Added a test user to operator priv group
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'web'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'redfish'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'priv-operator'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'ipmi'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'web'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'redfish'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'priv-operator'
Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'ipmi'
Jul 24 19:26:27 romulus phosphor-user-manager[257]: User 'test' created successfully
Sent a PATCH request to update the host name from the test user
Jul 24 20:45:43 romulus bmcweb[182]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "test"
Jul 24 20:45:44 romulus systemd[1]: Starting Hostname Service...
Jul 24 20:45:44 romulus systemd[1]: Started Hostname Service.
Jul 24 20:45:45 dcscm systemd-resolved[138]: System hostname changed to 'dcscm'.
Jul 24 20:46:15 dcscm systemd[1]: systemd-hostnamed.service: Deactivated successfully.
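The journal above shows the PATCH succeeding (the hostname flips from romulus to dcscm). The following is an added example, not bmcweb's or OpenBMC's code, that models the Redfish privilege-registry check the linked headers implement: a role's privilege set must be a superset of at least one of the alternatives an operation requires. The Operator row carries ConfigureComponents as the issue describes; the Administrator and ReadOnly rows and the Login requirement for GET are assumed from the Redfish base privilege registry. PROPOSED_REGISTRY is a hypothetical fix (require ConfigureManager for the PATCH) used only to show what the check would then return, not a change the project has made.

```python
"""Model of the Redfish privilege-registry check behind this issue.

Added example, not code from bmcweb or OpenBMC.  Role rows other than
Operator, the Login requirement for GET, and PROPOSED_REGISTRY are
assumptions for illustration (see lead-in).
"""
from typing import Dict, FrozenSet, List

PrivilegeSet = FrozenSet[str]

# Privileges each Redfish role holds.  OpenBMC maps the priv-operator
# group seen in the journal onto the Redfish "Operator" role; the
# Administrator and ReadOnly rows are assumed from the base registry.
ROLE_PRIVILEGES: Dict[str, PrivilegeSet] = {
    "Administrator": frozenset(
        {"Login", "ConfigureManager", "ConfigureUsers",
         "ConfigureSelf", "ConfigureComponents"}),
    "Operator": frozenset({"Login", "ConfigureComponents", "ConfigureSelf"}),
    "ReadOnly": frozenset({"Login", "ConfigureSelf"}),
}

# Operation -> alternative privilege sets.  A caller is authorized when
# its role's privileges are a superset of ANY one alternative (the
# OR-of-ANDs semantics of the Redfish privilege registry).  Only the
# EthernetInterface operations from the issue are modelled.
CURRENT_REGISTRY: Dict[str, List[PrivilegeSet]] = {
    "getEthernetInterface": [frozenset({"Login"})],
    "patchEthernetInterface": [frozenset({"ConfigureComponents"})],
}

# Hypothetical fix: require ConfigureManager for the PATCH, a privilege
# Operator does not hold.
PROPOSED_REGISTRY: Dict[str, List[PrivilegeSet]] = {
    "getEthernetInterface": [frozenset({"Login"})],
    "patchEthernetInterface": [frozenset({"ConfigureManager"})],
}


def is_authorized(role: str, operation: str,
                  registry: Dict[str, List[PrivilegeSet]]) -> bool:
    """Return True if `role` may perform `operation` under `registry`."""
    held = ROLE_PRIVILEGES.get(role, frozenset())
    alternatives = registry.get(operation)
    if not alternatives:
        # Unknown or unregistered operation: fail closed.
        return False
    return any(held >= alt for alt in alternatives)


def roles_allowed(operation: str,
                  registry: Dict[str, List[PrivilegeSet]]) -> List[str]:
    """Roles that pass the privilege check for `operation`."""
    return sorted(r for r in ROLE_PRIVILEGES
                  if is_authorized(r, operation, registry))


def mutating_operations(role: str,
                        registry: Dict[str, List[PrivilegeSet]]) -> List[str]:
    """Write operations (patch/post/put/delete) that `role` may perform.

    This is the audit a reviewer would run over the full registry to find
    every other place where Operator can change configuration.
    """
    return sorted(op for op in registry
                  if op.startswith(("patch", "post", "put", "delete"))
                  and is_authorized(role, op, registry))


if __name__ == "__main__":
    for name, reg in (("current", CURRENT_REGISTRY),
                      ("proposed", PROPOSED_REGISTRY)):
        print(f"{name}: patchEthernetInterface allowed for "
              f"{roles_allowed('patchEthernetInterface', reg)}")
        print(f"{name}: Operator may mutate "
              f"{mutating_operations('Operator', reg)}")
```

Under CURRENT_REGISTRY the check admits Operator to patchEthernetInterface, which is exactly what the QEMU log shows; under the hypothetical PROPOSED_REGISTRY only Administrator passes. Running `mutating_operations("Operator", ...)` over the complete generated registry is the quickest way to see whether EthernetInterface is the only write path an operator has.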