From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH v1 access-control 2/5] tfa: allow superusers to edit root@pam tfa
Date: Thu, 10 Feb 2022 16:30:15 +0100 [thread overview]
Message-ID: <1644491985.9p51dbypw7.astroid@nora.none> (raw)
In-Reply-To: <<20220208131011.752134-3-o.bektas@proxmox.com>
On February 8, 2022 2:10 pm, Oguz Bektas wrote:
> users with the SU privilege are able to override the existing check for
> 'root@pam' when calling tfa-related endpoints of the API.
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> src/PVE/API2/TFA.pm | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index bee4dee..70555cc 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA = {
> my sub root_permission_check : prototype($$$$) {
> my ($rpcenv, $authuser, $userid, $password) = @_;
>
> + # authuser = the user making the change
> + # userid = the user to be changed
> ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
> $rpcenv->check_user_exist($userid);
>
> - raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, "/access/groups", ['SuperUser'], 1);
> + raise_perm_exc() if $userid eq 'root@pam' && !$is_superuser; # root@pam can be only edited by himself or a SuperUser
can be shorted (root@pam is by definition a SuperUser), but IMHO, the
whole comment can be dropped - the variables have meaningful names
anyway?
some rationale why this was changed, but the very similar code in
PVE:API2::AccessControl->change_password is not adapted is also missing.
also, a similar mechanism exists in the other direction as well:
root@pam can create tickets for other users - should SuperUser also be
allowed to do that? if not, the reason for that exception should be
added to the relevant part as comment (or if it should, then the
relevant changes should be part of the series ;))
one more point - check_api2_permissions has the general 'no permission
specified in schema => only root@pam allowed' rule. obviously with the
semantics of 'superuser does not entail all privileges' that can't be
switched to superuser - but it means all the existing API calls without
specific permissions need to be checked and either adapted (e.g., with
an appropriate ACL with regular privilege + SuperUser), or marked as
root only with a reason. one way to do this would be to analyze the API
dump, or even forbid endpoints without a permission in the schema (e.g.
in the api verification code we run at build time), and switch the
remaining root-only endpoints to just have an explicit permission in the
schema that encodes that. obviously in any case the check in
check_api2_permissions needs to remain to catch anything that slipped
through.
>
> # Regular users need to confirm their password to change TFA settings.
> - if ($authuser ne 'root@pam') {
> + if ($authuser ne 'root@pam') { # we still do password confirmation for superusers like the other users
> raise_param_exc({ 'password' => 'password is required to modify TFA data' })
> if !defined($password);
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
next prev parent reply other threads:[~2022-02-10 15:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 13:10 [pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege Oguz Bektas
2022-02-08 13:10 ` [pve-devel] [PATCH v1 access-control 1/5] add default "SuperAdministrator" role with the new "SuperUser" privilege Oguz Bektas
2022-02-08 13:10 ` [pve-devel] [PATCH v1 access-control 2/5] tfa: allow superusers to edit root@pam tfa Oguz Bektas
[not found] ` <<20220208131011.752134-3-o.bektas@proxmox.com>
2022-02-10 15:30 ` Fabian Grünbichler [this message]
2022-02-08 13:10 ` [pve-devel] [PATCH v1 container 3/5] fix #2582: api: add checks for 'SuperUser' privilege for root-only options Oguz Bektas
[not found] ` <<20220208131011.752134-4-o.bektas@proxmox.com>
2022-02-10 15:30 ` Fabian Grünbichler
2022-02-08 13:10 ` [pve-devel] [PATCH v1 manager 4/5] change 'root@pam' checks with 'SuperUser' capability check Oguz Bektas
[not found] ` <<20220208131011.752134-5-o.bektas@proxmox.com>
2022-02-10 15:29 ` Fabian Grünbichler
2022-02-25 10:13 ` Dominik Csapak
2022-02-25 12:24 ` Thomas Lamprecht
2022-02-08 13:10 ` [pve-devel] [PATCH v1 qemu-server 5/5] add SuperUser privilege checks for root-only options Oguz Bektas
[not found] ` <<20220208131011.752134-6-o.bektas@proxmox.com>
2022-02-10 15:29 ` Fabian Grünbichler
2022-02-10 15:28 ` [pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1644491985.9p51dbypw7.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox