Redfish security question (user enumeration)
Gunnar Mills
gmills at linux.vnet.ibm.com
Wed Feb 12 07:07:14 AEDT 2020
On 2/10/2020 12:21 PM, Richard Hanley wrote:
>
> One possible compromise is to make the account collection
> discoverable, but only put the users account into the response (unless
> it is an admin user).
>
>
> On Mon, Feb 10, 2020 at 9:36 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
> The Redfish spec recently changed to allow users with the Login
> privilege to enumerate all BMC users. Previously only the admin user
> could do this. I disagree with this change and believe it is an
> unnecessary information exposure. Details are in the Redfish
> forum post.
>
> https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
>
>
> OpenBMC has the corresponding implementation change pending here:
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881
>
>
This was discussed in the Redfish call today. Redfish will update the
documentation and registry to make clear only the current account will
be shown in the AccountCollection if the user lacks the ConfigureUsers
privilege (Richard's suggestion). A response in the thread explains the
same.
Thanks,
Gunnar
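The agreed behaviour above, modelled as an added example that is not part of this thread or of bmcweb: a ManagerAccountCollection handler that lists every account only when the requester holds ConfigureUsers and otherwise returns just the requester's own member, plus a defender-side check that flags a response which exposes other accounts. The account table and the role-to-privilege map are constructed assumptions (the map follows the Redfish base privilege registry).

```python
import json

# Constructed sample account table, keyed by Redfish account Id (not real BMC data).
ACCOUNTS = {
    "1": {"UserName": "root", "RoleId": "Administrator"},
    "2": {"UserName": "operator1", "RoleId": "Operator"},
    "3": {"UserName": "readonly1", "RoleId": "ReadOnly"},
}

# Assumed privileges per role, per the Redfish base privilege registry:
# only Administrator carries ConfigureUsers; every role carries Login.
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers", "ConfigureComponents", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureComponents", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}

COLLECTION_URI = "/redfish/v1/AccountService/Accounts"


def account_collection(requester: str) -> dict:
    """Build the ManagerAccountCollection response for an authenticated requester.

    Members holds the full account list only when the requester has
    ConfigureUsers; otherwise it holds just the requester's own account,
    so a Login-only session cannot enumerate other BMC users.
    """
    own_id = next(i for i, a in ACCOUNTS.items() if a["UserName"] == requester)
    privileges = ROLE_PRIVILEGES[ACCOUNTS[own_id]["RoleId"]]
    visible = list(ACCOUNTS) if "ConfigureUsers" in privileges else [own_id]
    return {
        "@odata.id": COLLECTION_URI,
        "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
        "Name": "Accounts Collection",
        "Members": [{"@odata.id": f"{COLLECTION_URI}/{i}"} for i in visible],
        "Members@odata.count": len(visible),  # must agree with Members, or the count alone leaks
    }


def leaks_other_accounts(response: dict, own_uri: str) -> bool:
    """Defender check: True if the collection exposes any member other than own_uri.

    Run against a non-admin session's GET of the collection to confirm the
    BMC does not allow account enumeration.
    """
    return any(m["@odata.id"] != own_uri for m in response["Members"])


if __name__ == "__main__":
    for user, uri in (("root", f"{COLLECTION_URI}/1"), ("readonly1", f"{COLLECTION_URI}/3")):
        resp = account_collection(user)
        print(user, json.dumps(resp["Members"]), "leaks:", leaks_other_accounts(resp, uri))
```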