From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 050D167935 for ; Wed, 13 Jan 2021 09:49:55 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EF0E0E844 for ; Wed, 13 Jan 2021 09:49:54 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 5105BE839 for ; Wed, 13 Jan 2021 09:49:54 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0D9064495A for ; Wed, 13 Jan 2021 09:49:54 +0100 (CET) Date: Wed, 13 Jan 2021 09:49:52 +0100 From: Wolfgang Bumiller To: Oguz Bektas Cc: pbs-devel@lists.proxmox.com Message-ID: <20210113084952.q4rjhtp5nrbf65gt@wobu-vie.proxmox.com> References: <20210112144006.931307-1-o.bektas@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210112144006.931307-1-o.bektas@proxmox.com> User-Agent: NeoMutt/20180716 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.053 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [user.rs] Subject: Re: [pbs-devel] [PATCH proxmox-backup] access: limit editing pam credentials to superuser X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jan 2021 08:49:55 -0000 On Tue, Jan 12, 2021 at 03:40:06PM +0100, Oguz Bektas wrote: > modifying @pam users' credentials should be only allowed for root@pam, > otherwise it can have unintended consequences. > > Signed-off-by: Oguz Bektas > --- > src/api2/access/user.rs | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs > index 484919bf..7c19db2f 100644 > --- a/src/api2/access/user.rs > +++ b/src/api2/access/user.rs > @@ -350,8 +350,11 @@ pub fn update_user( > email: Option, > delete: Option>, > digest: Option, > + rpcenv: &mut dyn RpcEnvironment, > ) -> Result<(), Error> { > > + let user_info = CachedUserInfo::new()?; > + > let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?; > > let (mut config, expected_digest) = user::config()?; > @@ -391,8 +394,13 @@ pub fn update_user( > data.expire = if expire > 0 { Some(expire) } else { None }; > } > > + > if let Some(password) = password { > + let source_auth_id = rpcenv.get_auth_id().unwrap().parse()?; > let authenticator = crate::auth::lookup_authenticator(userid.realm())?; > + if userid.realm() == "pam" && !user_info.is_superuser(&source_auth_id) { > + bail!("only superuser can edit this!"); And if you see this error message, do you know what "this" is referring to? > + } > authenticator.store_password(userid.name(), &password)?; > } > > -- > 2.20.1