all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser
@ 2021-01-13 11:27 Oguz Bektas
  2021-01-13 11:27 ` [pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords Oguz Bektas
  2021-01-13 12:07 ` [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Fabian Grünbichler
  0 siblings, 2 replies; 3+ messages in thread
From: Oguz Bektas @ 2021-01-13 11:27 UTC (permalink / raw)
  To: pbs-devel

modifying @pam users credentials should be only possible for root@pam,
otherwise it can have unintended consequences.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v1->v2:
* change error message to be more descriptive
* remove empty line
* create CachedUserInfo in the if-branch


 src/api2/access/user.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 484919bf..4c861c5f 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -350,6 +350,7 @@ pub fn update_user(
     email: Option<String>,
     delete: Option<Vec<DeletableProperty>>,
     digest: Option<String>,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
 
     let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
@@ -392,7 +393,12 @@ pub fn update_user(
     }
 
     if let Some(password) = password {
+        let user_info = CachedUserInfo::new()?;
+        let source_auth_id = rpcenv.get_auth_id().unwrap().parse()?;
         let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+        if userid.realm() == "pam" && !user_info.is_superuser(&source_auth_id) {
+            bail!("only superuser can edit pam credentials!");
+        }
         authenticator.store_password(userid.name(), &password)?;
     }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 3+ messages in thread
* [pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords
  2021-01-13 11:27 [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
@ 2021-01-13 11:27 ` Oguz Bektas
  2021-01-13 12:07 ` [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Fabian Grünbichler
  1 sibling, 0 replies; 3+ messages in thread
From: Oguz Bektas @ 2021-01-13 11:27 UTC (permalink / raw)
  To: pbs-devel

this endpoint isn't used anywhere yet, but it's better to make it
consistent with `update_user` password behavior.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v1:
* change this for behavior consistency in case it gets used

 src/api2/access.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/api2/access.rs b/src/api2/access.rs
index 8866c944..4d485a80 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -245,7 +245,7 @@ fn create_ticket(
         },
     },
     access: {
-        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
+        description: "Anybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password from @pbs realm.",
         permission: &Permission::Anybody,
     },
 )]
@@ -271,17 +271,16 @@ fn change_password(
 
     let mut allowed = userid == *current_user;
 
-    if current_user == "root@pam" {
-        allowed = true;
-    }
-
     if !allowed {
         let user_info = CachedUserInfo::new()?;
         let privs = user_info.lookup_privs(&current_auth, &[]);
-        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
+        if user_info.is_superuser(&current_auth) {
             allowed = true;
         }
-    }
+        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
+            allowed = true;
+        }
+    };
 
     if !allowed {
         bail!("you are not authorized to change the password.");
-- 
2.20.1




^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser
  2021-01-13 11:27 [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
  2021-01-13 11:27 ` [pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords Oguz Bektas
@ 2021-01-13 12:07 ` Fabian Grünbichler
  1 sibling, 0 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2021-01-13 12:07 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion

On January 13, 2021 12:27 pm, Oguz Bektas wrote:
> modifying @pam users credentials should be only possible for root@pam,
> otherwise it can have unintended consequences.
> 
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v1->v2:
> * change error message to be more descriptive
> * remove empty line
> * create CachedUserInfo in the if-branch
> 
> 
>  src/api2/access/user.rs | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
> index 484919bf..4c861c5f 100644
> --- a/src/api2/access/user.rs
> +++ b/src/api2/access/user.rs
> @@ -350,6 +350,7 @@ pub fn update_user(
>      email: Option<String>,
>      delete: Option<Vec<DeletableProperty>>,
>      digest: Option<String>,
> +    rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<(), Error> {
>  
>      let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
> @@ -392,7 +393,12 @@ pub fn update_user(
>      }
>  
>      if let Some(password) = password {
> +        let user_info = CachedUserInfo::new()?;
> +        let source_auth_id = rpcenv.get_auth_id().unwrap().parse()?;
>          let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
> +        if userid.realm() == "pam" && !user_info.is_superuser(&source_auth_id) {
> +            bail!("only superuser can edit pam credentials!");
> +        }

1.) that code reads weird, authenticator should be declared and 
initialized after the check
2.) regular PAM users can now no longer self-service change their own password

>          authenticator.store_password(userid.name(), &password)?;
>      }
>  
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
> 
> 
> 




^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-13 12:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13 11:27 [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
2021-01-13 11:27 ` [pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords Oguz Bektas
2021-01-13 12:07 ` [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser Fabian Grünbichler

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal