Security: BMCWEB_ENABLE_DBUS_REST=ON enables information leak #114

Closed
feistjj opened this issue Feb 12, 2020 · 1 comment · Fixed by ibm-openbmc/bmcweb#69

Comments

feistjj (Member) commented Feb 12, 2020

REST D-Bus allows lower-privileged users to gain access to privileged information by direct D-Bus access. The default for this should be disabled.

feistjj (Member, Author) commented Feb 13, 2020

aahmed-2 added a commit to aahmed-2/bmcweb that referenced this issue Aug 16, 2021
REST D-Bus, while providing useful functionality, also allows
authenticated users access to privileged information that may be above
their permission level. This change sets the default to disabled. Users,
if they wish, can turn it back on in their own layers.

A lot of functionality previously provided by REST D-Bus is now
available on Redfish with more coming all the time.

Note: phosphor-webui uses the REST D-Bus so a user of that will have to
enable this in their layer. webui-vue, the replacement for
phosphor-webui, uses Redfish. See here [1].

Resolves openbmc/bmcweb/issues/114

[1] https://github.com/openbmc/webui-vue

Tested: Rest D-Bus was disabled

Change-Id: I35682b113287b3be4e19b033d0296790b204d8e0
Signed-off-by: James Feist <james.feist@linux.intel.com>
Signed-off-by: Ali Ahmed <ama213000@gmail.com>
rfrandse pushed a commit to ibm-openbmc/bmcweb that referenced this issue Aug 17, 2021
(same commit message as above)
aahmed-2 added a commit to aahmed-2/bmcweb that referenced this issue Sep 2, 2021
(same commit message as above)
aahmed-2 pushed a commit to aahmed-2/bmcweb that referenced this issue Sep 13, 2021
(same commit message as above)
aahmed-2 pushed a commit to aahmed-2/bmcweb that referenced this issue Sep 16, 2021
(same commit message as above)
rfrandse pushed a commit to ibm-openbmc/bmcweb that referenced this issue Sep 23, 2021
(same commit message as above)
rfrandse pushed a commit to ibm-openbmc/bmcweb that referenced this issue Oct 14, 2021
(same commit message as above)
gtmills pushed a commit to gtmills/bmcweb that referenced this issue Dec 12, 2022
(same commit message as above)