[Ovmsdev] Command security

Stephen Casner casner at acm.org
Sun Mar 18 15:23:32 HKT 2018 

Mark asked me to check whether the 'secure' flag is set appropriately
in the various command invocation contexts.  I began with the console
command list where there are a number of questionable settings.  My
assumption going in is that all someone should be able to do before
enabling is to look at status that does not include sensitive info.
However, there are several commands that do more.

All of these commands are at least partially enabled in non-secure
mode:

OVMS > ?
boot                 BOOT framework
echo                 Test getchar
enable               Enter secure mode
event                EVENT framework
exit                 End console session
help                 Ask for help
metrics              METRICS framework
module               MODULE framework
network              NETWORK framework
notify               NOTIFICATION framework
obdii                OBDII framework
server               OVMS Server Connection framework
simcom               SIMCOM framework
time                 TIME framework
vehicle              Vehicle framework

The harmless ones are 'boot', which just shows status, 'echo', 'exit'
and 'help'.  Of course, 'enable' needs to be here to change state.
But I have questions about all the others:

1. obdii, server and simcom appear to allow their full functionality,
including starting and stopping operations, in non-secure mode.  That
seems wrong.

2. event, metrics and notify all allow tracing to be turned on or
off.  Is that safe?

3. time allows setting the time in non-secure mode.  That may not be
critical in this system, but could mess up timed activities.

4. Setting the vehicle module should require being enabled, no?

5. Is it OK to list the metrics in non-secure mode?  Is any of that
information sensitive enough that it should be prevented?  (We don't
have the option to show some metrics and not others at this point.)

6. The module command only allowed the subcommand 'factory' which did
not allow any subcommand, so the right fix there is to just make the
whole command require secure mode.  This observation exposed a bug in
the code to construct the usage string, which I fixed.

So, basically, the question is what do we want someone to be able to
do in non-secure mode?

                                                        -- Steve

More information about the OvmsDev mailing list