From: Joseph Reynolds <jrey@linux.ibm.com>
To: James Feist <james.feist@linux.intel.com>,
	OpenBMC Maillist <openbmc@lists.ozlabs.org>
Cc: Gunnar Mills <gmills@linux.vnet.ibm.com>,
	Brad Bishop <bradleyb@fuzziesquirrel.com>,
	"Mihm, James" <james.mihm@intel.com>
Subject: Re: Functionality vs Security
Date: Wed, 12 Feb 2020 15:58:02 -0600
Message-ID: <36a83c91-dfde-6048-14b5-f35a004f8e37@linux.ibm.com>
In-Reply-To: <62005ec9-e004-1041-7c5b-9272f8c2d854@linux.intel.com>

On 2/12/20 3:16 PM, James Feist wrote:
> In IRC yesterday I proposed the question of whether to change the 
> default of bmcweb to disable REST D-Bus, or to change it in our 
> meta-layers only. I created the patch here: 
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29344 and I am 
> looking for feedback. While REST D-Bus does expose many useful APIs, 
> and phosphor-webui depends heavily on it, it does leak information to 
> any logged in user. This comes to the question, should we prefer 
> functionality by default or security by default? It is a compile 
> switch either way, so each user can still decide which they prefer. I 
> have the opinion that the default should be the safest configuration, 
> and if someone wants to change that, then they can accept the risk and 
> change the build flag.
>
> Thoughts?

Thanks for the email.  Some thoughts to help illuminate the situation....

OpenBMC ought to be "secure by default".  I agree the Rest-DBus APIs 
represent an unnecessary information exposure, albeit only to 
authenticated users.  That is, I have no doubt the APIs should be 
disabled by default.

I understand the reason why the D-Bus APIs are enabled-by-default is 
because they were developed first, before the Redfish APIs were 
available.  And I understand the direction and current efforts are to 
develop Redfish APIs to replace all D-Bus APIs, then disable the D-Bus 
APIs by default.

In that context, you are asking if this can happen now.  Let's explore that:

If we disable D-Bus APIs now, we'll also disable the web access. Users 
who don't use web access will not be affected.  Anyone who wants web 
access can easily configure their bmcweb recipe to re-enable the D-Bus 
APIs.  ==> In the future (a year from now?) when the web app is using 
only Redfish APIs (and no longer using any D-Bus APIs), the bmcweb 
recipes can be changed back.

(The project really needs a build-time security configuration guide.)

- Joseph

BMCWEB_ENABLE_DBUS_REST:
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt

>
> Thanks,
>
> James
