1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
From f75efac9eebea8bf8f548d10a8cbafa28f556a8f Mon Sep 17 00:00:00 2001
From: Meera-Katta <meerax.katta@linux.intel.com>
Date: Wed, 7 Jul 2021 13:19:09 +0000
Subject: [PATCH] Redfish: Deny set AccountLockDuration to zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issue: Redfish schema says, no lockout shall occur in case of Account
LockoutDuration value is zero. But Linux PAM module documentation says, if
account lockout value is zero, account will be locked out indefinitely
after the number of failed login attempts. As per the current
implementation user can write any value into the PAM module. If user tried
to set unlock timeout value to zero, account will be locked out
indefinitely until administrator explicitly reenables it.
Workaround: Denying user to set AccountLockDuration to zero from Redfish.
Setting ‘AccountLockDuration’ to 0 will be permitted only after
‘AccountLockoutCounterResetEnabled’ support is added.
Otherwise,account will be locked permanently after the AccountLockoutDuration
if ‘AccountLockDuration’ is set to zero, while
AccountLockoutThreshold is non zero. If someone wants no account lockout
irrespective of number of failed login attempts, it can be still achieved by
setting ‘AccountLockoutThreshold’ to zero
(instead of trying to set ‘AccountLockDuration’ to zero.)
Tested:
1) Redfish Service Validator passed for this change.
2) Verified from Redfish
PATCH : https://<BMC IP>/redfish/v1/AccountService
Body:
{"AccountLockoutDuration":0}
Response:
{
"AccountLockoutDuration@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The value unlockTimeout for the property
AccountLockoutDuration is not in the list of acceptable values.",
"MessageArgs": [
"unlockTimeout",
"AccountLockoutDuration"
],
"MessageId": "Base.1.8.1.PropertyValueNotInList",
"MessageSeverity": "Warning",
"Resolution": "Choose a value from the enumeration list that the
implementation can support and resubmit the request if the
operation failed."
}
]
}
Signed-off-by: Meera-Katta <meerax.katta@linux.intel.com>
---
redfish-core/lib/account_service.hpp | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index e6fe205..42085fa 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1448,6 +1448,19 @@ inline void requestAccountServiceRoutes(App& app)
if (unlockTimeout)
{
+ // Account will be locked permanently after the N number
+ // of failed login attempts if we set unlockTimeout value
+ // to be 0.
+ if (unlockTimeout.value() == 0)
+ {
+ BMCWEB_LOG_INFO
+ << "Unlock timeout value must be greater"
+ "than zero";
+ messages::propertyValueNotInList(asyncResp->res,
+ "unlockTimeout",
+ "AccountLockoutDuration");
+ return;
+ }
crow::connections::systemBus->async_method_call(
[asyncResp](const boost::system::error_code ec) {
if (ec)
--
2.17.1
|
