From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8C3DB61758 for ; Wed, 9 Feb 2022 14:56:39 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 79C382E89 for ; Wed, 9 Feb 2022 14:56:09 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D083C2E80 for ; Wed, 9 Feb 2022 14:56:08 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id AA23646C5F for ; Wed, 9 Feb 2022 14:56:08 +0100 (CET) Date: Wed, 9 Feb 2022 14:56:07 +0100 From: Wolfgang Bumiller To: Stefan Sterz Cc: pbs-devel@lists.proxmox.com Message-ID: <20220209135607.aevcpm3vkamjazrw@wobu-vie.proxmox.com> References: <20220207124825.1116194-1-s.sterz@proxmox.com> <20220207124825.1116194-2-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220207124825.1116194-2-s.sterz@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.391 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pbs-devel] [PATCH proxmox-backup 2/2] fix #3853: tape cli: add force flag to key change-passphrase X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Feb 2022 13:56:39 -0000 On Mon, Feb 07, 2022 at 01:48:25PM +0100, Stefan Sterz wrote: > Adds the '--force' flag to the proxmox-tape command allowing users > with root privileges to overwrite the passphrase of a given key. > > Signed-off-by: Stefan Sterz > --- > src/bin/proxmox_tape/encryption_key.rs | 23 +++++++++++++++++++++-- > 1 file changed, 21 insertions(+), 2 deletions(-) > > diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs > index 156295fd..3dd9b58b 100644 > --- a/src/bin/proxmox_tape/encryption_key.rs > +++ b/src/bin/proxmox_tape/encryption_key.rs > @@ -146,11 +146,18 @@ fn show_key( > hint: { > schema: PASSWORD_HINT_SCHEMA, > }, > + force: { > + optional: true, > + type: bool, > + description: "Don't ask for the old passphrase and overwrite it. Root only.", > + default: false, > + }, > }, > }, > )] > /// Change the encryption key's password. > fn change_passphrase( > + force: bool, > mut param: Value, > rpcenv: &mut dyn RpcEnvironment, > ) -> Result<(), Error> { > @@ -159,11 +166,23 @@ fn change_passphrase( > bail!("unable to change passphrase - no tty"); > } > > - let password = tty::read_password("Current Tape Encryption Key Password: ")?; > + let effective_uid = nix::unistd::Uid::effective(); > + let running_uid = nix::unistd::Uid::current(); > + > + // if the `--force` flag is provided check if we are root > + if force && !effective_uid.is_root() && !running_uid.is_root() { > + bail!("the force flag requires root privileges"); > + } ^ Wrong place for this. Also, as a general note, checks such as this one should simply not be done by CLI tools unless they're actually installed as `setuid-root` since it's the OS' job to do permission checks. I may be running an unprivileged root (dropped capabilities, entered some restrictive AppArmor label), or I may actually be a *privileged* non-zero-uid for some reason as well...