openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Disabled user still can login and send redfish requests #174

Closed leocheng-tw closed 3 years ago

leocheng-tw commented 3 years ago

Hi Teams,

I reproduced this issue.

  1. Create a Redfish user with any privilege, but it should not be enabled.

     curl -u root: -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts/ -d '{"UserName":"user_1", "Password":"TestPwd123", "RoleId":"Operator", "Enabled":false}'

     {
       "@Message.ExtendedInfo": [
         {
           "@odata.type": "#Message.v1_0_0.Message",
           "Message": "The resource has been created successfully",
           "MessageArgs": [],
           "MessageId": "Base.1.4.0.Created",
           "Resolution": "None",
           "Severity": "OK"
         }
       ]
     }

  2. Check the created user.

     curl -u root: -k -X GET https://${bmc}/redfish/v1/AccountService/Accounts/user_1

     {
       "@odata.id": "/redfish/v1/AccountService/Accounts/user_1",
       "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
       "AccountTypes": [ "Redfish" ],
       "Description": "User Account",
       "Enabled": false,
       "Id": "user_1",
       "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator" } },
       "Locked": false,
       "Locked@Redfish.AllowableValues": [ "false" ],
       "Name": "User Account",
       "Password": null,
       "PasswordChangeRequired": false,
       "RoleId": "Operator",
       "UserName": "user_1"
     }

  3. Try to send a request with the created user.

     curl -u user_1:TestPwd123 -k -X GET https://${bmc}/redfish/v1/AccountService/Accounts/user_1

     {
       "@odata.id": "/redfish/v1/AccountService/Accounts/user_1",
       "@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
       "AccountTypes": [ "Redfish" ],
       "Description": "User Account",
       "Enabled": false,
       "Id": "user_1",
       "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator" } },
       "Locked": false,
       "Locked@Redfish.AllowableValues": [ "false" ],
       "Name": "User Account",
       "Password": null,
       "PasswordChangeRequired": false,
       "RoleId": "Operator",
       "UserName": "user_1"
     }

Though the user is not enabled, it still can log in and send Redfish requests.

edtanous commented 3 years ago

This is likely a bug with phosphor-user-manager, or its interactions with PAM. Can you please capture a dbus monitor log of the events around this and (likely) file a bug with phosphor-user-manager?

leocheng-tw commented 3 years ago

I saved the output of busctl introspect. I'm not sure if this is the information you want or not. wp_busctl_introspect.txt

leocheng-tw commented 3 years ago

The dbus monitor log (busctl monitor) is attached. 20210122_wp_dbus_monitor_2.txt

edtanous commented 3 years ago

@ratagupt Blame shows you authored the user enable/disable code, can you reproduce the above?

leocheng-tw commented 3 years ago

In phosphor-user-manager, if a user is disabled, the account expiry date is set to "1970-01-02". We changed the BMC clock to the current date and the user was not able to send Redfish requests. I'll close this issue, thanks for the help.
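The closing comment explains the behaviour: a disabled user is represented by a shadow account expiry of 1970-01-02, so the check only bites once the BMC clock has moved past that day. The script below is an added illustration written for this thread, not code from bmcweb or phosphor-user-manager. It models the expiry comparison the way pam_unix applies it (an account is expired once the current day count since 1970-01-01 reaches the stored expiry day; an expiry of -1 means never), and shows that with the BMC clock still at the epoch a user marked Enabled=false is accepted, while with a synced clock the same user is rejected. The account list is constructed sample data; the comparison semantics are an assumption about pam_unix stated in the code.

```python
"""Why a disabled phosphor-user-manager account still authenticates when the
BMC clock sits at the Unix epoch.

Added illustration, not code from bmcweb or phosphor-user-manager.
Assumptions:
  - phosphor-user-manager disables a user by setting the shadow account
    expiry date to 1970-01-02 (as stated in the issue);
  - pam_unix treats the account as expired when the current day count since
    1970-01-01 is >= sp_expire, and skips the check when sp_expire == -1.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
NO_EXPIRY = -1  # shadow(5) convention: no expiry date


def days_since_epoch(d: date) -> int:
    """Day count as stored in the shadow file's expiry field."""
    return (d - EPOCH).days


def disabled_expiry_day() -> int:
    """sp_expire value written for a disabled user (1970-01-02 == day 1)."""
    return days_since_epoch(date(1970, 1, 2))


def account_expired(sp_expire: int, bmc_today: date) -> bool:
    """pam_unix-style check (assumption: expired when today >= sp_expire)."""
    if sp_expire == NO_EXPIRY:
        return False
    return days_since_epoch(bmc_today) >= sp_expire


def login_allowed(enabled: bool, bmc_today: date) -> bool:
    """Whether PAM account management lets the user through on this clock."""
    sp_expire = NO_EXPIRY if enabled else disabled_expiry_day()
    return not account_expired(sp_expire, bmc_today)


def audit(accounts: dict, bmc_today: date) -> list:
    """Names of accounts marked Enabled=false that would still log in.

    A non-empty result on a given clock value means 'disabled' is not being
    enforced; a synced clock should make the list empty."""
    return [name for name, enabled in accounts.items()
            if not enabled and login_allowed(enabled, bmc_today)]


if __name__ == "__main__":
    # Constructed sample: the root user plus the disabled user_1 from the issue.
    sample_accounts = {"root": True, "user_1": False}
    for clock in (date(1970, 1, 1), date(2021, 1, 22)):
        print(f"BMC clock {clock}: disabled-but-accepted = "
              f"{audit(sample_accounts, clock)}")
```

The practical check on a real BMC is step 3 of the reproduction above: a request authenticated as the disabled user must come back 401, and if it does not, confirm the BMC's clock is set (NTP or host-provided time) before treating it as an account-management bug.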