Skip to content

Security Privilege separation & Sandboxing

Jump to bottom Edit New page
Anton D. Kachalov edited this page Oct 31, 2020 · 4 revisions

Common

Users & groups

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.ObjectMapper * root ipmi

Files

For dev-access the corresponding udev-rules should be provided. For sysfs-write access it's possible to change ownership (the group) at run-time.

entity-manager

Users & groups

Use DynamicUser feature.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.EntityManager * dynamic
xyz.openbmc_project.FruDevice * dynamic

Files

Requires access to i2c devices and sysfs. The /tmp/overlays and /tmp/configuration should be moved to /run/entity-manager directory.

Path Mode User Group
/dev/i2c-mux 0660 dynamic i2c-rw
/etc/fru/baseboard.fru.bin 0644 dynamic dynamic
/tmp/configuration/ 0755 dynamic dynamic
/tmp/configuration/last.json 0644 dynamic dynamic
/tmp/overlays 0755 dynamic dynamic
/var/configuration/system.json 0644 dynamic dynamic
/usr/share/entity-manager/blacklist.json 0644 dynamic dynamic
/usr/share/entity-manager/configurations/schemas/global.json 0644 dynamic dynamic

phosphor-dbus-monitor

Users & groups

Use DynamicUser feature.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.Events * dynamic

phosphor-health-monitor

Users & groups

Use DynamicUser feature.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.HealthMon * dynamic TBD

Files

phosphor-led-manager

Users & groups

Use DynamicUser feature.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.LedManager * dynamic TBD

Files

phosphor-network

Users & groups

Use DynamicUser feature.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.Network * dynamic ipmi

Files

phosphor-ipmi-host

Users & groups

Use DynamicUser feature. Run as ipmi group to access shared files with phosphor-ipmi-net.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.Control.Host * dynamic ipmi
xyz.openbmc_project.Ipmi.Host * dynamic ipmi

Files

Path Mode User Group
/var/lib/ipmi/ipmi_user.json 0660 dynamic ipmi
/var/lib/ipmi/channel_access_nv.json 0660 dynamic ipmi
/run/ipmi/channel_access_volatile.json 0660 dynamic ipmi

phosphor-ipmi-net

This daemon requires privileged counterpart to access PAM to authenticate & change passwords. It use dropbear PAM config.

Users & groups

Use DynamicUser feature. Run as ipmi group to access shared files with phosphor-ipmi-net.

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.Ipmi.Channel * dynamic
org.freedesktop.DBus.Introspectable

Files

Path Mode User Group
/var/lib/ipmi/ipmi_user.json 0660 dynamic ipmi
/var/lib/ipmi/channel_access_nv.json 0660 dynamic ipmi
/run/ipmi/channel_access_volatile.json 0660 dynamic ipmi

phosphor-certificate-manager

Users & groups

User and group varies depending on actual unit configuration:

Endpoint / Unit User Group Notes
ldap / bmcweb.service bmcweb bmcweb
https / bmcweb.service bmcweb bmcweb
ldap / root root TODO

ACL

Bus Name Method Owner Sender Groups Sender Users
xyz.openbmc_project.Certs.Manager.Server.Https * bmcweb bmcweb
xyz.openbmc_project.Certs.Manager.Authority.Ldap * bmcweb bmcweb
xyz.openbmc_project.Certs.Manager.Client.Ldap.conf * root root

Files

Path Mode User Group Notes
/etc/ssl/certs 0775 root bmcweb Group should be changed to a common group that needs to manage certificates
/etc/ssl/certs/authority 0700 bmcweb bmcweb
/etc/ssl/certs/https 0700 bmcweb bmcweb

bmcweb

This daemon requires privileged counterpart to access PAM to authenticate & change passwords. It use webserver PAM config.

Users & groups

Run as bmcweb user and bmcweb group.

Files

Path Mode User Group
/etc/ssl/certs/authority 0700 bmcweb bmcweb
/etc/ssl/certs/https 0700 bmcweb bmcweb
Add a custom footer
Add a custom sidebar
Clone this wiki locally