* [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser
@ 2021-01-13 16:26 Oguz Bektas
2021-01-13 16:26 ` [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm " Oguz Bektas
2021-01-15 7:52 ` [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials " Fabian Grünbichler
0 siblings, 2 replies; 4+ messages in thread
From: Oguz Bektas @ 2021-01-13 16:26 UTC (permalink / raw)
To: pbs-devel
modifying @pam users credentials should be only possible for root@pam,
otherwise it can have unintended consequences.
also enforce the same limit on user creation (except self_service check,
since it makes no sense during user creation)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v2->v3:
* apply restrictions for 'create_user' as well
* make if condition more readable with variables
* fix issue with regular pam users being unable to edit their own
passwords (self_service)
src/api2/access/user.rs | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 484919bf..d9458524 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -218,7 +218,11 @@ pub fn list_users(
},
)]
/// Create new user.
-pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error> {
+pub fn create_user(
+ password: Option<String>,
+ param: Value,
+ rpcenv: &mut dyn RpcEnvironment
+) -> Result<(), Error> {
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
@@ -230,14 +234,19 @@ pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error>
bail!("user '{}' already exists.", user.userid);
}
- let authenticator = crate::auth::lookup_authenticator(&user.userid.realm())?;
-
config.set_data(user.userid.as_str(), "user", &user)?;
user::save_config(&config)?;
if let Some(password) = password {
- authenticator.store_password(user.userid.name(), &password)?;
+ let user_info = CachedUserInfo::new()?;
+ let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let target_realm = &user.userid.realm();
+ if *target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
+ bail!("only superuser can edit pam credentials!");
+ }
+ let authenticator = crate::auth::lookup_authenticator(target_realm)?;
+ authenticator.store_password(&user.userid.name(), &password)?;
}
Ok(())
@@ -350,6 +359,7 @@ pub fn update_user(
email: Option<String>,
delete: Option<Vec<DeletableProperty>>,
digest: Option<String>,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
@@ -392,6 +402,13 @@ pub fn update_user(
}
if let Some(password) = password {
+ let user_info = CachedUserInfo::new()?;
+ let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let self_service = current_auth_id.user() == &userid;
+ let target_realm = userid.realm();
+ if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
+ bail!("only superuser can edit pam credentials!");
+ }
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
authenticator.store_password(userid.name(), &password)?;
}
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm to superuser
2021-01-13 16:26 [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
@ 2021-01-13 16:26 ` Oguz Bektas
2021-01-15 7:52 ` [pbs-devel] applied: " Fabian Grünbichler
2021-01-15 7:52 ` [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials " Fabian Grünbichler
1 sibling, 1 reply; 4+ messages in thread
From: Oguz Bektas @ 2021-01-13 16:26 UTC (permalink / raw)
To: pbs-devel
for behavior consistency with `update_user`
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v2->v3:
* slightly change description s/Anybody/Everybody
src/api2/access.rs | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 8866c944..61d0f74e 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -245,7 +245,7 @@ fn create_ticket(
},
},
access: {
- description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
+ description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
permission: &Permission::Anybody,
},
)]
@@ -271,17 +271,16 @@ fn change_password(
let mut allowed = userid == *current_user;
- if current_user == "root@pam" {
- allowed = true;
- }
-
if !allowed {
let user_info = CachedUserInfo::new()?;
let privs = user_info.lookup_privs(¤t_auth, &[]);
- if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
+ if user_info.is_superuser(¤t_auth) {
allowed = true;
}
- }
+ if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
+ allowed = true;
+ }
+ };
if !allowed {
bail!("you are not authorized to change the password.");
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser
2021-01-13 16:26 [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
2021-01-13 16:26 ` [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm " Oguz Bektas
@ 2021-01-15 7:52 ` Fabian Grünbichler
1 sibling, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2021-01-15 7:52 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
with fixup removing unnecessary ref/deref and moving the realm lookup
back before saving the config, as it is our safeguard against bogus
realms:
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index d9458524..f03389f8 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -236,17 +236,20 @@ pub fn create_user(
config.set_data(user.userid.as_str(), "user", &user)?;
+ let realm = user.userid.realm();
+
+ // Fails if realm does not exist!
+ let authenticator = crate::auth::lookup_authenticator(realm)?;
+
user::save_config(&config)?;
if let Some(password) = password {
let user_info = CachedUserInfo::new()?;
let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
- let target_realm = &userZZ.userid.realm();
- if *target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
+ if realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
bail!("only superuser can edit pam credentials!");
}
- let authenticator = crate::auth::lookup_authenticator(target_realm)?;
- authenticator.store_password(&user.userid.name(), &password)?;
+ authenticator.store_password(user.userid.name(), &password)?;
}
Ok(())
On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> modifying @pam users credentials should be only possible for root@pam,
> otherwise it can have unintended consequences.
>
> also enforce the same limit on user creation (except self_service check,
> since it makes no sense during user creation)
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v2->v3:
> * apply restrictions for 'create_user' as well
> * make if condition more readable with variables
> * fix issue with regular pam users being unable to edit their own
> passwords (self_service)
>
>
> src/api2/access/user.rs | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
> index 484919bf..d9458524 100644
> --- a/src/api2/access/user.rs
> +++ b/src/api2/access/user.rs
> @@ -218,7 +218,11 @@ pub fn list_users(
> },
> )]
> /// Create new user.
> -pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error> {
> +pub fn create_user(
> + password: Option<String>,
> + param: Value,
> + rpcenv: &mut dyn RpcEnvironment
> +) -> Result<(), Error> {
>
> let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
>
> @@ -230,14 +234,19 @@ pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error>
> bail!("user '{}' already exists.", user.userid);
> }
>
> - let authenticator = crate::auth::lookup_authenticator(&user.userid.realm())?;
> -
> config.set_data(user.userid.as_str(), "user", &user)?;
>
> user::save_config(&config)?;
>
> if let Some(password) = password {
> - authenticator.store_password(user.userid.name(), &password)?;
> + let user_info = CachedUserInfo::new()?;
> + let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
> + let target_realm = &user.userid.realm();
> + if *target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
> + bail!("only superuser can edit pam credentials!");
> + }
> + let authenticator = crate::auth::lookup_authenticator(target_realm)?;
> + authenticator.store_password(&user.userid.name(), &password)?;
> }
>
> Ok(())
> @@ -350,6 +359,7 @@ pub fn update_user(
> email: Option<String>,
> delete: Option<Vec<DeletableProperty>>,
> digest: Option<String>,
> + rpcenv: &mut dyn RpcEnvironment,
> ) -> Result<(), Error> {
>
> let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
> @@ -392,6 +402,13 @@ pub fn update_user(
> }
>
> if let Some(password) = password {
> + let user_info = CachedUserInfo::new()?;
> + let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
> + let self_service = current_auth_id.user() == &userid;
> + let target_realm = userid.realm();
> + if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
> + bail!("only superuser can edit pam credentials!");
> + }
> let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
> authenticator.store_password(userid.name(), &password)?;
> }
> --
> 2.20.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] applied: [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm to superuser
2021-01-13 16:26 ` [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm " Oguz Bektas
@ 2021-01-15 7:52 ` Fabian Grünbichler
0 siblings, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2021-01-15 7:52 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> for behavior consistency with `update_user`
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v2->v3:
> * slightly change description s/Anybody/Everybody
>
>
> src/api2/access.rs | 13 ++++++-------
> 1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/src/api2/access.rs b/src/api2/access.rs
> index 8866c944..61d0f74e 100644
> --- a/src/api2/access.rs
> +++ b/src/api2/access.rs
> @@ -245,7 +245,7 @@ fn create_ticket(
> },
> },
> access: {
> - description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
> + description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
> permission: &Permission::Anybody,
> },
> )]
> @@ -271,17 +271,16 @@ fn change_password(
>
> let mut allowed = userid == *current_user;
>
> - if current_user == "root@pam" {
> - allowed = true;
> - }
> -
> if !allowed {
> let user_info = CachedUserInfo::new()?;
> let privs = user_info.lookup_privs(¤t_auth, &[]);
> - if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
> + if user_info.is_superuser(¤t_auth) {
> allowed = true;
> }
> - }
> + if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
> + allowed = true;
> + }
> + };
>
> if !allowed {
> bail!("you are not authorized to change the password.");
> --
> 2.20.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-15 7:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13 16:26 [pbs-devel] [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials to superuser Oguz Bektas
2021-01-13 16:26 ` [pbs-devel] [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm " Oguz Bektas
2021-01-15 7:52 ` [pbs-devel] applied: " Fabian Grünbichler
2021-01-15 7:52 ` [pbs-devel] applied: [PATCH v3 proxmox-backup 1/2] access: limit editing pam credentials " Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox