From 6f106a0a4ce15fe0678d4ffefd572e6978c72597 Mon Sep 17 00:00:00 2001 From: "Jason M. Bills" Date: Thu, 26 Aug 2021 13:18:00 -0700 Subject: Update to internal 0.70 Signed-off-by: Jason M. Bills --- ...fish-Deny-set-AccountLockDuration-to-zero.patch | 85 ++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0020-Redfish-Deny-set-AccountLockDuration-to-zero.patch (limited to 'meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0020-Redfish-Deny-set-AccountLockDuration-to-zero.patch') diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0020-Redfish-Deny-set-AccountLockDuration-to-zero.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0020-Redfish-Deny-set-AccountLockDuration-to-zero.patch new file mode 100644 index 000000000..cc9da3b8b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0020-Redfish-Deny-set-AccountLockDuration-to-zero.patch @@ -0,0 +1,85 @@ +From f75efac9eebea8bf8f548d10a8cbafa28f556a8f Mon Sep 17 00:00:00 2001 +From: Meera-Katta +Date: Wed, 7 Jul 2021 13:19:09 +0000 +Subject: [PATCH] Redfish: Deny set AccountLockDuration to zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Issue: Redfish schema says, no lockout shall occur in case of Account +LockoutDuration value is zero. But Linux PAM module documentation says, if +account lockout value is zero, account will be locked out indefinitely +after the number of failed login attempts. As per the current +implementation user can write any value into the PAM module. If user tried +to set unlock timeout value to zero, account will be locked out +indefinitely until administrator explicitly reenables it. + +Workaround: Denying user to set AccountLockDuration to zero from Redfish. +Setting ‘AccountLockDuration’ to 0 will be permitted only after +‘AccountLockoutCounterResetEnabled’ support is added. +Otherwise,account will be locked permanently after the AccountLockoutDuration +if ‘AccountLockDuration’ is set to zero, while +AccountLockoutThreshold is non zero. If someone wants no account lockout +irrespective of number of failed login attempts, it can be still achieved by +setting ‘AccountLockoutThreshold’ to zero +(instead of trying to set ‘AccountLockDuration’ to zero.) + +Tested: +1) Redfish Service Validator passed for this change. +2) Verified from Redfish +PATCH : https:///redfish/v1/AccountService +Body: +{"AccountLockoutDuration":0} + +Response: +{ + "AccountLockoutDuration@Message.ExtendedInfo": [ + { + "@odata.type": "#Message.v1_1_1.Message", + "Message": "The value unlockTimeout for the property + AccountLockoutDuration is not in the list of acceptable values.", + "MessageArgs": [ + "unlockTimeout", + "AccountLockoutDuration" + ], + "MessageId": "Base.1.8.1.PropertyValueNotInList", + "MessageSeverity": "Warning", + "Resolution": "Choose a value from the enumeration list that the + implementation can support and resubmit the request if the + operation failed." + } + ] +} + +Signed-off-by: Meera-Katta +--- + redfish-core/lib/account_service.hpp | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp +index e6fe205..42085fa 100644 +--- a/redfish-core/lib/account_service.hpp ++++ b/redfish-core/lib/account_service.hpp +@@ -1448,6 +1448,19 @@ inline void requestAccountServiceRoutes(App& app) + + if (unlockTimeout) + { ++ // Account will be locked permanently after the N number ++ // of failed login attempts if we set unlockTimeout value ++ // to be 0. ++ if (unlockTimeout.value() == 0) ++ { ++ BMCWEB_LOG_INFO ++ << "Unlock timeout value must be greater" ++ "than zero"; ++ messages::propertyValueNotInList(asyncResp->res, ++ "unlockTimeout", ++ "AccountLockoutDuration"); ++ return; ++ } + crow::connections::systemBus->async_method_call( + [asyncResp](const boost::system::error_code ec) { + if (ec) +-- +2.17.1 + -- cgit v1.2.3