[pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser

[pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser

[Oguz Bektas]

modifying @pam users credentials should be only possible for root@pam,
otherwise it can have unintended consequences.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v1->v2:
* change error message to be more descriptive
* remove empty line
* create CachedUserInfo in the if-branch


 src/api2/access/user.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 484919bf..4c861c5f 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -350,6 +350,7 @@ pub fn update_user(
     email: Option<String>,
     delete: Option<Vec<DeletableProperty>>,
     digest: Option<String>,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
 
     let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
@@ -392,7 +393,12 @@ pub fn update_user(
     }
 
     if let Some(password) = password {
+        let user_info = CachedUserInfo::new()?;
+        let source_auth_id = rpcenv.get_auth_id().unwrap().parse()?;
         let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+        if userid.realm() == "pam" && !user_info.is_superuser(&source_auth_id) {
+            bail!("only superuser can edit pam credentials!");
+        }
         authenticator.store_password(userid.name(), &password)?;
     }
 
-- 
2.20.1

[pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords

[Oguz Bektas]

this endpoint isn't used anywhere yet, but it's better to make it
consistent with `update_user` password behavior.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v1:
* change this for behavior consistency in case it gets used

 src/api2/access.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/api2/access.rs b/src/api2/access.rs
index 8866c944..4d485a80 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -245,7 +245,7 @@ fn create_ticket(
         },
     },
     access: {
-        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
+        description: "Anybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password from @pbs realm.",
         permission: &Permission::Anybody,
     },
 )]
@@ -271,17 +271,16 @@ fn change_password(
 
     let mut allowed = userid == *current_user;
 
-    if current_user == "root@pam" {
-        allowed = true;
-    }
-
     if !allowed {
         let user_info = CachedUserInfo::new()?;
         let privs = user_info.lookup_privs(&current_auth, &[]);
-        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
+        if user_info.is_superuser(&current_auth) {
             allowed = true;
         }
-    }
+        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
+            allowed = true;
+        }
+    };
 
     if !allowed {
         bail!("you are not authorized to change the password.");
-- 
2.20.1

Re: [pbs-devel] [PATCH v2 proxmox-backup 1/2] access: limit editing pam credentials to superuser

[Fabian Grünbichler]

On January 13, 2021 12:27 pm, Oguz Bektas wrote:
> modifying @pam users credentials should be only possible for root@pam,
> otherwise it can have unintended consequences.
> 
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v1->v2:
> * change error message to be more descriptive
> * remove empty line
> * create CachedUserInfo in the if-branch
> 
> 
>  src/api2/access/user.rs | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
> index 484919bf..4c861c5f 100644
> --- a/src/api2/access/user.rs
> +++ b/src/api2/access/user.rs
> @@ -350,6 +350,7 @@ pub fn update_user(
>      email: Option<String>,
>      delete: Option<Vec<DeletableProperty>>,
>      digest: Option<String>,
> +    rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<(), Error> {
>  
>      let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
> @@ -392,7 +393,12 @@ pub fn update_user(
>      }
>  
>      if let Some(password) = password {
> +        let user_info = CachedUserInfo::new()?;
> +        let source_auth_id = rpcenv.get_auth_id().unwrap().parse()?;
>          let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
> +        if userid.realm() == "pam" && !user_info.is_superuser(&source_auth_id) {
> +            bail!("only superuser can edit pam credentials!");
> +        }

1.) that code reads weird, authenticator should be declared and 
initialized after the check
2.) regular PAM users can now no longer self-service change their own password

>          authenticator.store_password(userid.name(), &password)?;
>      }
>  
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
> 
> 
>