From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id A195167AAC for ; Wed, 13 Jan 2021 12:29:35 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 989F510FF6 for ; Wed, 13 Jan 2021 12:29:05 +0100 (CET) Received: from gaia.proxmox.com (212-186-127-178.static.upcbusiness.at [212.186.127.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 6CAF910FE9 for ; Wed, 13 Jan 2021 12:29:01 +0100 (CET) Received: from gaia.proxmox.com (localhost.localdomain [127.0.0.1]) by gaia.proxmox.com (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTP id 10DBReFI307552; Wed, 13 Jan 2021 12:27:40 +0100 Received: (from oguz@localhost) by gaia.proxmox.com (8.15.2/8.15.2/Submit) id 10DBReh0307551; Wed, 13 Jan 2021 12:27:40 +0100 From: Oguz Bektas To: pbs-devel@lists.proxmox.com Date: Wed, 13 Jan 2021 12:27:36 +0100 Message-Id: <20210113112736.307324-2-o.bektas@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210113112736.307324-1-o.bektas@proxmox.com> References: <20210113112736.307324-1-o.bektas@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -0.652 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KHOP_HELO_FCRDNS 0.4 Relay HELO differs from its IP's reverse DNS NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [access.rs] Subject: [pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jan 2021 11:29:35 -0000 this endpoint isn't used anywhere yet, but it's better to make it consistent with `update_user` password behavior. Signed-off-by: Oguz Bektas --- v1: * change this for behavior consistency in case it gets used src/api2/access.rs | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/api2/access.rs b/src/api2/access.rs index 8866c944..4d485a80 100644 --- a/src/api2/access.rs +++ b/src/api2/access.rs @@ -245,7 +245,7 @@ fn create_ticket( }, }, access: { - description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.", + description: "Anybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password from @pbs realm.", permission: &Permission::Anybody, }, )] @@ -271,17 +271,16 @@ fn change_password( let mut allowed = userid == *current_user; - if current_user == "root@pam" { - allowed = true; - } - if !allowed { let user_info = CachedUserInfo::new()?; let privs = user_info.lookup_privs(¤t_auth, &[]); - if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { + if user_info.is_superuser(¤t_auth) { allowed = true; } - } + if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" { + allowed = true; + } + }; if !allowed { bail!("you are not authorized to change the password."); -- 2.20.1