Date: Fri, 15 Jan 2021 08:52:38 +0100
From: Fabian Grünbichler
To: Proxmox Backup Server development discussion
Subject: [pbs-devel] applied: [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm to superuser
References: <20210113162615.1258366-1-o.bektas@proxmox.com> <20210113162615.1258366-2-o.bektas@proxmox.com>
In-Reply-To: <20210113162615.1258366-2-o.bektas@proxmox.com>
Message-Id: <1610697147.xr18qftgq7.astroid@nora.none>

On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> for behavior consistency with `update_user` >=20 > Signed-off-by: Oguz Bektas > --- > v2->v3: > * slightly change description s/Anybody/Everybody >=20 >=20 > src/api2/access.rs | 13 ++++++------- > 1 file changed, 6 insertions(+), 7 deletions(-) >=20 > diff --git a/src/api2/access.rs b/src/api2/access.rs > index 8866c944..61d0f74e 100644 > --- a/src/api2/access.rs > +++ b/src/api2/access.rs > @@ -245,7 +245,7 @@ fn create_ticket( > }, > }, > access: { > - description: "Anybody is allowed to change there own password. I= n addition, users with 'Permissions:Modify' privilege may change any passwo= rd.", > + description: "Everybody is allowed to change their own password.= In addition, users with 'Permissions:Modify' privilege may change any pass= word on @pbs realm.", > permission: &Permission::Anybody, > }, > )]
> @@ -271,17 +271,16 @@ fn change_password( > =20 > let mut allowed =3D userid =3D=3D *current_user; > =20 > - if current_user =3D=3D "root@pam" { > - allowed =3D true; > - } > - > if !allowed { > let user_info =3D CachedUserInfo::new()?; > let privs =3D user_info.lookup_privs(¤t_auth, &[]); > - if (privs & PRIV_PERMISSIONS_MODIFY) !=3D 0 { > + if user_info.is_superuser(¤t_auth) { > allowed =3D true; > } > - } > + if (privs & PRIV_PERMISSIONS_MODIFY) !=3D 0 && userid.realm() != =3D "pam" { > + allowed =3D true; > + } > + }; > =20 > if !allowed { > bail!("you are not authorized to change the password."); > --=20 > 2.20.1
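Review bot: the new access description in the first hunk (@@ -245,7) documents only two of the three paths that change_password now allows. It covers self-service and 'Permissions:Modify' on the @pbs realm, but not the superuser path added in the second hunk through `user_info.is_superuser(...)`, which is the only way left to change another user's @pam password. Since this string is the API-level statement of who may call the endpoint, consider appending something like "The superuser may change any password, including on the @pam realm." so the documented policy matches the enforced one.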
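Review bot: the realm test in the second hunk (@@ -271,17), `userid.realm() != "pam"`, is a deny-list, so a holder of 'Permissions:Modify' is allowed to change passwords in every realm other than pam, while the updated description promises this only "on @pbs realm". If further realms are added later, this check fails open for them. An allow-list comparison such as `userid.realm() == "pbs"` would match the description and fail closed. A one-line comment above the condition saying why @pam is reserved for the superuser would also help the next reader. Minor style point: the block now closes with `};`, and the trailing semicolon after the `if !allowed { ... }` block is not needed.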