From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 831B467AEB for ; Wed, 13 Jan 2021 17:27:41 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 787EE13943 for ; Wed, 13 Jan 2021 17:27:41 +0100 (CET) Received: from gaia.proxmox.com (212-186-127-178.static.upcbusiness.at [212.186.127.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7EE7B13933 for ; Wed, 13 Jan 2021 17:27:37 +0100 (CET) Received: from gaia.proxmox.com (localhost.localdomain [127.0.0.1]) by gaia.proxmox.com (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTP id 10DGQFJG1258433; Wed, 13 Jan 2021 17:26:15 +0100 Received: (from oguz@localhost) by gaia.proxmox.com (8.15.2/8.15.2/Submit) id 10DGQFSQ1258429; Wed, 13 Jan 2021 17:26:15 +0100 From: Oguz Bektas To: pbs-devel@lists.proxmox.com Date: Wed, 13 Jan 2021 17:26:14 +0100 Message-Id: <20210113162615.1258366-1-o.bektas@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -0.645 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KHOP_HELO_FCRDNS 0.4 Relay HELO differs from its IP's reverse DNS NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [user.rs] Subject: [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jan 2021 16:27:41 -0000 modifying @pam users credentials should be only possible for root@pam, otherwise it can have unintended consequences. also enforce the same limit on user creation (except self_service check, since it makes no sense during user creation) Signed-off-by: Oguz Bektas --- v2->v3: * apply restrictions for 'create_user' as well * make if condition more readable with variables * fix issue with regular pam users being unable to edit their own passwords (self_service) src/api2/access/user.rs | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs index 484919bf..d9458524 100644 --- a/src/api2/access/user.rs +++ b/src/api2/access/user.rs @@ -218,7 +218,11 @@ pub fn list_users( }, )] /// Create new user. -pub fn create_user(password: Option, param: Value) -> Result<(), Error> { +pub fn create_user( + password: Option, + param: Value, + rpcenv: &mut dyn RpcEnvironment +) -> Result<(), Error> { let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?; @@ -230,14 +234,19 @@ pub fn create_user(password: Option, param: Value) -> Result<(), Error> bail!("user '{}' already exists.", user.userid); } - let authenticator = crate::auth::lookup_authenticator(&user.userid.realm())?; - config.set_data(user.userid.as_str(), "user", &user)?; user::save_config(&config)?; if let Some(password) = password { - authenticator.store_password(user.userid.name(), &password)?; + let user_info = CachedUserInfo::new()?; + let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let target_realm = &user.userid.realm(); + if *target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) { + bail!("only superuser can edit pam credentials!"); + } + let authenticator = crate::auth::lookup_authenticator(target_realm)?; + authenticator.store_password(&user.userid.name(), &password)?; } Ok(()) @@ -350,6 +359,7 @@ pub fn update_user( email: Option, delete: Option>, digest: Option, + rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?; @@ -392,6 +402,13 @@ pub fn update_user( } if let Some(password) = password { + let user_info = CachedUserInfo::new()?; + let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let self_service = current_auth_id.user() == &userid; + let target_realm = userid.realm(); + if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) { + bail!("only superuser can edit pam credentials!"); + } let authenticator = crate::auth::lookup_authenticator(userid.realm())?; authenticator.store_password(userid.name(), &password)?; } -- 2.20.1