From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: [pbs-devel] applied: [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm to superuser
Date: Fri, 15 Jan 2021 08:52:38 +0100 [thread overview]
Message-ID: <1610697147.xr18qftgq7.astroid@nora.none> (raw)
In-Reply-To: <20210113162615.1258366-2-o.bektas@proxmox.com>
On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> for behavior consistency with `update_user`
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v2->v3:
> * slightly change description s/Anybody/Everybody
>
>
> src/api2/access.rs | 13 ++++++-------
> 1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/src/api2/access.rs b/src/api2/access.rs
> index 8866c944..61d0f74e 100644
> --- a/src/api2/access.rs
> +++ b/src/api2/access.rs
> @@ -245,7 +245,7 @@ fn create_ticket(
> },
> },
> access: {
> - description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
> + description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
> permission: &Permission::Anybody,
> },
> )]
> @@ -271,17 +271,16 @@ fn change_password(
>
> let mut allowed = userid == *current_user;
>
> - if current_user == "root@pam" {
> - allowed = true;
> - }
> -
> if !allowed {
> let user_info = CachedUserInfo::new()?;
> let privs = user_info.lookup_privs(¤t_auth, &[]);
> - if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
> + if user_info.is_superuser(¤t_auth) {
> allowed = true;
> }
> - }
> + if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
> + allowed = true;
> + }
> + };
>
> if !allowed {
> bail!("you are not authorized to change the password.");
> --
> 2.20.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
next prev parent reply other threads:[~2021-01-15 7:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-13 16:26 [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials " Oguz Bektas
2021-01-13 16:26 ` [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm " Oguz Bektas
2021-01-15 7:52 ` Fabian Grünbichler [this message]
2021-01-15 7:52 ` [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials " Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1610697147.xr18qftgq7.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox