Security Privilege separation & Sandboxing

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.ObjectMapper | * | root | ipmi | |

For device (/dev) access, the corresponding udev rules should be provided. For sysfs write access, the ownership (the group) can be changed at run time.

Use the DynamicUser feature.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.EntityManager | * | dynamic | | |
xyz.openbmc_project.FruDevice | * | dynamic | | |

Requires access to i2c devices and sysfs. The /tmp/overlays and /tmp/configuration directories should be moved to the /run/entity-manager directory.

Path | Mode | User | Group |
---|---|---|---|
/dev/i2c-mux | 0660 | dynamic | i2c-rw |
/etc/fru/baseboard.fru.bin | 0644 | dynamic | dynamic |
/tmp/configuration/ | 0755 | dynamic | dynamic |
/tmp/configuration/last.json | 0644 | dynamic | dynamic |
/tmp/overlays | 0755 | dynamic | dynamic |
/var/configuration/system.json | 0644 | dynamic | dynamic |
/usr/share/entity-manager/blacklist.json | 0644 | dynamic | dynamic |
/usr/share/entity-manager/configurations/schemas/global.json | 0644 | dynamic | dynamic |

Use the DynamicUser feature.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.Events | * | dynamic | | |

Use the DynamicUser feature.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.HealthMon | * | dynamic | TBD | |

Use the DynamicUser feature.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.LedManager | * | dynamic | TBD | |

Use the DynamicUser feature.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.Network | * | dynamic | ipmi | |

Use the DynamicUser feature. Run as the ipmi group to access the files shared with phosphor-ipmi-net.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.Control.Host | * | dynamic | ipmi | |
xyz.openbmc_project.Ipmi.Host | * | dynamic | ipmi | |

Path | Mode | User | Group |
---|---|---|---|
/var/lib/ipmi/ipmi_user.json | 0660 | dynamic | ipmi |
/var/lib/ipmi/channel_access_nv.json | 0660 | dynamic | ipmi |
/run/ipmi/channel_access_volatile.json | 0660 | dynamic | ipmi |

This daemon requires a privileged counterpart to access PAM to authenticate and change passwords. It uses the dropbear PAM config.

Use the DynamicUser feature. Run as the ipmi group to access the files shared with phosphor-ipmi-net.

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.Ipmi.Channel | * | dynamic | | |
org.freedesktop.DBus.Introspectable |

Path | Mode | User | Group |
---|---|---|---|
/var/lib/ipmi/ipmi_user.json | 0660 | dynamic | ipmi |
/var/lib/ipmi/channel_access_nv.json | 0660 | dynamic | ipmi |
/run/ipmi/channel_access_volatile.json | 0660 | dynamic | ipmi |

User and group vary depending on the actual unit configuration:

Endpoint / Unit | User | Group | Notes |
---|---|---|---|
ldap / bmcweb.service | bmcweb | bmcweb | |
https / bmcweb.service | bmcweb | bmcweb | |
ldap / | root | root | TODO |

Bus Name | Method | Owner | Sender Groups | Sender Users |
---|---|---|---|---|
xyz.openbmc_project.Certs.Manager.Server.Https | * | bmcweb | bmcweb | |
xyz.openbmc_project.Certs.Manager.Authority.Ldap | * | bmcweb | bmcweb | |
xyz.openbmc_project.Certs.Manager.Client.Ldap.conf | * | root | root | |

Path | Mode | User | Group | Notes |
---|---|---|---|---|
/etc/ssl/certs | 0775 | root | bmcweb | Group should be changed to a common group that needs to manage certificates |
/etc/ssl/certs/authority | 0700 | bmcweb | bmcweb | |
/etc/ssl/certs/https | 0700 | bmcweb | bmcweb | |

This daemon requires a privileged counterpart to access PAM to authenticate and change passwords. It uses the webserver PAM config.

Run as the bmcweb user and bmcweb group.

Path | Mode | User | Group |
---|---|---|---|
/etc/ssl/certs/authority | 0700 | bmcweb | bmcweb |
/etc/ssl/certs/https | 0700 | bmcweb | bmcweb |
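The Path | Mode | User | Group tables above can be checked against a running BMC or an unpacked root filesystem. The following is an added example, not OpenBMC code: it parses rows in the page's table format and reports every path whose mode, owner or group deviates from the plan. It assumes that `dynamic` stands for a transient DynamicUser= UID, so any non-root owner is accepted; `Entry`, `PLAN`, `parse_plan`, `check` and `audit` are names made up for this example.

```python
import grp
import os
import pwd
from collections import namedtuple

Entry = namedtuple("Entry", "path mode user group")
PLAN = """\
/var/lib/ipmi/ipmi_user.json | 0660 | dynamic | ipmi |
/var/lib/ipmi/channel_access_nv.json | 0660 | dynamic | ipmi |
/run/ipmi/channel_access_volatile.json | 0660 | dynamic | ipmi |
"""  # rows copied from the page's file table for the IPMI daemons

def parse_plan(text):
    """Parse 'path | mode | user | group' rows; header and separator rows are skipped."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 4 and cells[0].startswith("/"):
            entries.append(Entry(cells[0], int(cells[1], 8), cells[2], cells[3]))
    return entries

def check(entry, st_mode, owner, group):
    """Compare one path's observed mode, owner and group with the plan."""
    findings = []
    actual = st_mode & 0o7777  # keep permission bits, drop the file-type bits
    if actual != entry.mode:
        findings.append(f"{entry.path}: mode {actual:04o}, planned {entry.mode:04o}")
    # Assumption: "dynamic" is a transient DynamicUser= UID, so any non-root owner passes.
    owner_ok = owner not in ("root", "0") if entry.user == "dynamic" else owner == entry.user
    if not owner_ok:
        findings.append(f"{entry.path}: owner {owner}, planned {entry.user}")
    if group != entry.group:
        findings.append(f"{entry.path}: group {group}, planned {entry.group}")
    return findings

def audit(entries, root="/"):
    """Check every planned path under root (a live system or an unpacked rootfs)."""
    findings = []
    for e in entries:
        try:
            st = os.lstat(os.path.join(root, e.path.lstrip("/")))
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        except FileNotFoundError:
            findings.append(f"{e.path}: missing")
            continue
        except KeyError:  # id has no passwd/group entry: report it numerically
            owner, group = str(st.st_uid), str(st.st_gid)
        findings.extend(check(e, st.st_mode, owner, group))
    return findings
```

An empty list from `audit(parse_plan(PLAN))` means every listed path exists with the planned mode, a non-root owner and the planned group.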