Redfish security question (user enumeration)

Richard Hanley rhanley at google.com
Tue Feb 11 05:21:42 AEDT 2020


Joseph,

I agree that it is not a good idea to expose usernames in this context.

One possible compromise is to make the account collection discoverable, but
only put the user's own account into the response (unless it is an admin user).

-Richard

On Mon, Feb 10, 2020 at 9:36 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:

> The Redfish spec recently changed to allow users with the Login
> privilege to enumerate all BMC users.  Previously only the admin user
> could do this.  I disagree with this change and believe it is an
> unnecessary information exposure.  Details are in the Redfish forum post.
>
>
> https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
>
> Are we okay with this?  Do we ask Redfish to change it back?  Please
> reply to this email or to the forum with your thoughts.
>
> Thanks,
> - Joseph
>
> References:
>
> The change was made to Redfish version 2019.4 > DSP2046 >
> Redfish-1.0.4-PrivilegeRegistry > ManagerAccountCollection > GET:
> https://www.dmtf.org/standards/redfish
>
> OpenBMC has the corresponding implementation change pending here:
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881
>
> This was discussed in the 2020-02-05 OpenBMC security working group
> meeting as agenda item 3.  Minutes:
>
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>
>
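As an added example (not code from this thread, from OpenBMC, or from the Redfish spec), here is how the compromise Richard describes could be expressed as a privilege-based filter over a `ManagerAccountCollection` response. The account table is constructed for illustration; the privilege names are Redfish's standard ones, and the `login_sees_all` flag models the 2019.4 behaviour Joseph objects to, for comparison.

```python
from typing import Dict, List

# Constructed sample account table: account id -> username and Redfish privileges.
# In a real BMC this would come from the account service, not a literal.
ACCOUNTS = {
    "1": {"UserName": "root",
          "Privileges": {"Login", "ConfigureManager", "ConfigureUsers",
                         "ConfigureSelf", "ConfigureComponents"}},
    "2": {"UserName": "operator",
          "Privileges": {"Login", "ConfigureComponents", "ConfigureSelf"}},
    "3": {"UserName": "readonly",
          "Privileges": {"Login", "ConfigureSelf"}},
}

COLLECTION_URI = "/redfish/v1/AccountService/Accounts"


def visible_account_ids(requester_id: str, accounts=ACCOUNTS,
                        login_sees_all: bool = False) -> List[str]:
    """Account ids the requester is allowed to see in the collection.

    login_sees_all=True reproduces the Redfish 2019.4 privilege registry
    (any Login-privileged user enumerates every account). The default
    applies the compromise: ConfigureUsers (the Administrator role) sees
    every account, anyone else sees only their own.
    """
    requester = accounts[requester_id]
    if login_sees_all and "Login" in requester["Privileges"]:
        return sorted(accounts)
    if "ConfigureUsers" in requester["Privileges"]:
        return sorted(accounts)
    return [requester_id]


def account_collection(requester_id: str, accounts=ACCOUNTS,
                       login_sees_all: bool = False) -> Dict:
    """Build the GET /redfish/v1/AccountService/Accounts body for a requester."""
    ids = visible_account_ids(requester_id, accounts, login_sees_all)
    members = [{"@odata.id": f"{COLLECTION_URI}/{i}"} for i in ids]
    return {
        "@odata.id": COLLECTION_URI,
        "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
        "Name": "Accounts Collection",
        "Members@odata.count": len(members),
        "Members": members,
    }
```

With the filter in place, the collection URI stays discoverable (a client can still find and manage its own account), but a Login-only user no longer learns which other usernames exist on the BMC.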