Change the permission of the session database
bmcweb_persistent_data.json holds all the session info;
any user with lower privilege can get access to this file,
which contains sensitive data (user authentication token).
This commit fixes this bug by allowing read/write permission
to the owner and group; others will have neither read
nor write permission.
TestedBy: -> Create the redfish session
-> Check the permission of the file.
-> Stop bmcweb and remove the session file,
restart bmcweb and check the permission
of the file.
-> Create the session again and perform
GET requests on Manager, AccountService to verify that
other operations are working.
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I1e69ac147a2cfc3dff150322aee1f430ac552a5a
diff --git a/include/persistent_data_middleware.hpp b/include/persistent_data_middleware.hpp
index b384f02..1162fc5 100644
--- a/include/persistent_data_middleware.hpp
+++ b/include/persistent_data_middleware.hpp
@@ -8,6 +8,7 @@
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/uuid_generators.hpp>
#include <boost/uuid/uuid_io.hpp>
+#include <filesystem>
#include <nlohmann/json.hpp>
#include <pam_authenticate.hpp>
#include <random>
@@ -20,13 +21,16 @@
namespace persistent_data
{
+namespace fs = std::filesystem;
+
class Middleware
{
- // todo(ed) should read this from a fixed location somewhere, not CWD
- static constexpr const char* filename = "bmcweb_persistent_data.json";
int jsonRevision = 1;
public:
+ // todo(ed) should read this from a fixed location somewhere, not CWD
+ static constexpr const char* filename = "bmcweb_persistent_data.json";
+
struct Context
{
};
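Review bot: The alias `namespace fs = std::filesystem;` is declared at namespace scope in a header, so every translation unit that includes this file gets `persistent_data::fs` and can collide with another alias of the same name. Spelling out `std::filesystem` at the one place it is used, or declaring the alias inside `writeData()`, keeps it local. `filename` also moves from private to public here without a comment explaining why; a short note such as `// public so callers can check the on-disk mode of the session file` (if that is the intent) would document the wider interface.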
@@ -151,6 +155,12 @@
void writeData()
{
std::ofstream persistentFile(filename);
+
+ // set the permission of the file to 640
+ fs::perms permission = fs::perms::owner_read | fs::perms::owner_write |
+ fs::perms::group_read;
+ fs::permissions(filename, permission);
+
nlohmann::json data{
{"sessions", SessionStore::getInstance().authTokens},
{"system_uuid", systemUuid},
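Review bot: `std::ofstream persistentFile(filename)` creates the file under the process umask and `fs::permissions` narrows it only afterwards, so on first creation there is a short window in which the file can be opened under the wider default mode. A descriptor obtained in that window stays valid after the mode change and can read the tokens written later. Creating the file with the restrictive mode from the start (a tightened umask around the open, or `open(2)` with mode 0640) closes the window. Separately, the throwing overload of `fs::permissions` is called without checking that the stream opened, so a failed open surfaces as a `filesystem_error` from `writeData()`. `std::error_code ec; fs::permissions(filename, permission, ec);` together with a check of `persistentFile.is_open()` and a log line would keep the failure visible; the body of `writeData()` continues outside the hunk.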