From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 3732B68187
 for <pbs-devel@lists.proxmox.com>; Fri, 15 Jan 2021 08:52:52 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 2E32022036
 for <pbs-devel@lists.proxmox.com>; Fri, 15 Jan 2021 08:52:22 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 4F32F2202C
 for <pbs-devel@lists.proxmox.com>; Fri, 15 Jan 2021 08:52:21 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 16FEE447F7
 for <pbs-devel@lists.proxmox.com>; Fri, 15 Jan 2021 08:52:21 +0100 (CET)
Date: Fri, 15 Jan 2021 08:52:11 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
References: <20210113162615.1258366-1-o.bektas@proxmox.com>
In-Reply-To: <20210113162615.1258366-1-o.bektas@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1610696077.f5m2htfx2v.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.028 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [user.rs, proxmox.com]
Subject: [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit
 editing pam credentials to superuser
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2021 07:52:52 -0000

with fixup removing unnecessary ref/deref and moving the realm lookup=20
back before saving the config, as it is our safeguard against bogus=20
realms:

diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index d9458524..f03389f8 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -236,17 +236,20 @@ pub fn create_user(
=20
     config.set_data(user.userid.as_str(), "user", &user)?;
=20
+    let realm =3D user.userid.realm();
+
+    // Fails if realm does not exist!
+    let authenticator =3D crate::auth::lookup_authenticator(realm)?;
+
     user::save_config(&config)?;
=20
     if let Some(password) =3D password {
         let user_info =3D CachedUserInfo::new()?;
         let current_auth_id: Authid =3D rpcenv.get_auth_id().unwrap().pars=
e()?;
-        let target_realm =3D &userZZ.userid.realm();
-        if *target_realm =3D=3D "pam" && !user_info.is_superuser(&current_=
auth_id) {
+        if realm =3D=3D "pam" && !user_info.is_superuser(&current_auth_id)=
 {
             bail!("only superuser can edit pam credentials!");
         }
-        let authenticator =3D crate::auth::lookup_authenticator(target_rea=
lm)?;
-        authenticator.store_password(&user.userid.name(), &password)?;
+        authenticator.store_password(user.userid.name(), &password)?;
     }
=20
     Ok(())

On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> modifying @pam users credentials should be only possible for root@pam,
> otherwise it can have unintended consequences.
>=20
> also enforce the same limit on user creation (except self_service check,
> since it makes no sense during user creation)
>=20
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v2->v3:
> * apply restrictions for 'create_user' as well
> * make if condition more readable with variables
> * fix issue with regular pam users being unable to edit their own
> passwords (self_service)
>=20
>=20
>  src/api2/access/user.rs | 25 +++++++++++++++++++++----
>  1 file changed, 21 insertions(+), 4 deletions(-)
>=20
> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
> index 484919bf..d9458524 100644
> --- a/src/api2/access/user.rs
> +++ b/src/api2/access/user.rs
> @@ -218,7 +218,11 @@ pub fn list_users(
>      },
>  )]
>  /// Create new user.
> -pub fn create_user(password: Option<String>, param: Value) -> Result<(),=
 Error> {
> +pub fn create_user(
> +    password: Option<String>,
> +    param: Value,
> +    rpcenv: &mut dyn RpcEnvironment
> +) -> Result<(), Error> {
> =20
>      let _lock =3D open_file_locked(user::USER_CFG_LOCKFILE, std::time::D=
uration::new(10, 0), true)?;
> =20
> @@ -230,14 +234,19 @@ pub fn create_user(password: Option<String>, param:=
 Value) -> Result<(), Error>
>          bail!("user '{}' already exists.", user.userid);
>      }
> =20
> -    let authenticator =3D crate::auth::lookup_authenticator(&user.userid=
.realm())?;
> -
>      config.set_data(user.userid.as_str(), "user", &user)?;
> =20
>      user::save_config(&config)?;
> =20
>      if let Some(password) =3D password {
> -        authenticator.store_password(user.userid.name(), &password)?;
> +        let user_info =3D CachedUserInfo::new()?;
> +        let current_auth_id: Authid =3D rpcenv.get_auth_id().unwrap().pa=
rse()?;
> +        let target_realm =3D &user.userid.realm();
> +        if *target_realm =3D=3D "pam" && !user_info.is_superuser(&curren=
t_auth_id) {
> +            bail!("only superuser can edit pam credentials!");
> +        }
> +        let authenticator =3D crate::auth::lookup_authenticator(target_r=
ealm)?;
> +        authenticator.store_password(&user.userid.name(), &password)?;
>      }
> =20
>      Ok(())
> @@ -350,6 +359,7 @@ pub fn update_user(
>      email: Option<String>,
>      delete: Option<Vec<DeletableProperty>>,
>      digest: Option<String>,
> +    rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<(), Error> {
> =20
>      let _lock =3D open_file_locked(user::USER_CFG_LOCKFILE, std::time::D=
uration::new(10, 0), true)?;
> @@ -392,6 +402,13 @@ pub fn update_user(
>      }
> =20
>      if let Some(password) =3D password {
> +        let user_info =3D CachedUserInfo::new()?;
> +        let current_auth_id: Authid =3D rpcenv.get_auth_id().unwrap().pa=
rse()?;
> +        let self_service =3D current_auth_id.user() =3D=3D &userid;
> +        let target_realm =3D userid.realm();
> +        if !self_service && target_realm =3D=3D "pam" && !user_info.is_s=
uperuser(&current_auth_id) {
> +            bail!("only superuser can edit pam credentials!");
> +        }
>          let authenticator =3D crate::auth::lookup_authenticator(userid.r=
ealm())?;
>          authenticator.store_password(userid.name(), &password)?;
>      }
> --=20
> 2.20.1
>=20
>=20
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>=20
>=20
>=20
=