From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6DACB61DF7 for ; Thu, 10 Feb 2022 16:30:53 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 63D1B1F27E for ; Thu, 10 Feb 2022 16:30:23 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 493051F275 for ; Thu, 10 Feb 2022 16:30:22 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 22BA046DD7 for ; Thu, 10 Feb 2022 16:30:22 +0100 (CET) Date: Thu, 10 Feb 2022 16:30:15 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20220208131011.752134-1-o.bektas@proxmox.com> <20220208131011.752134-3-o.bektas@proxmox.com> In-Reply-To: <<20220208131011.752134-3-o.bektas@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1644491985.9p51dbypw7.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.193 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [tfa.pm, proxmox.com] Subject: Re: [pve-devel] [PATCH v1 access-control 2/5] tfa: allow superusers to edit root@pam tfa X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Feb 2022 15:30:53 -0000 On February 8, 2022 2:10 pm, Oguz Bektas wrote: > users with the SU privilege are able to override the existing check for > 'root@pam' when calling tfa-related endpoints of the API. >=20 > Signed-off-by: Oguz Bektas > --- > src/PVE/API2/TFA.pm | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) >=20 > diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm > index bee4dee..70555cc 100644 > --- a/src/PVE/API2/TFA.pm > +++ b/src/PVE/API2/TFA.pm > @@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA =3D { > my sub root_permission_check : prototype($$$$) { > my ($rpcenv, $authuser, $userid, $password) =3D @_; > =20 > + # authuser =3D the user making the change > + # userid =3D the user to be changed > ($userid, undef, my $realm) =3D PVE::AccessControl::verify_username(= $userid); > $rpcenv->check_user_exist($userid); > =20 > - raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam'= ; > + my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($auth= user, "/access/groups", ['SuperUser'], 1); > + raise_perm_exc() if $userid eq 'root@pam' && !$is_superuser; # root@= pam can be only edited by himself or a SuperUser can be shorted (root@pam is by definition a SuperUser), but IMHO, the=20 whole comment can be dropped - the variables have meaningful names=20 anyway? some rationale why this was changed, but the very similar code in=20 PVE:API2::AccessControl->change_password is not adapted is also missing.=20 also, a similar mechanism exists in the other direction as well:=20 root@pam can create tickets for other users - should SuperUser also be=20 allowed to do that? if not, the reason for that exception should be=20 added to the relevant part as comment (or if it should, then the=20 relevant changes should be part of the series ;)) one more point - check_api2_permissions has the general 'no permission=20 specified in schema =3D> only root@pam allowed' rule. obviously with the=20 semantics of 'superuser does not entail all privileges' that can't be=20 switched to superuser - but it means all the existing API calls without=20 specific permissions need to be checked and either adapted (e.g., with=20 an appropriate ACL with regular privilege + SuperUser), or marked as=20 root only with a reason. one way to do this would be to analyze the API=20 dump, or even forbid endpoints without a permission in the schema (e.g.=20 in the api verification code we run at build time), and switch the=20 remaining root-only endpoints to just have an explicit permission in the=20 schema that encodes that. obviously in any case the check in=20 check_api2_permissions needs to remain to catch anything that slipped=20 through. > =20 > # Regular users need to confirm their password to change TFA setting= s. > - if ($authuser ne 'root@pam') { > + if ($authuser ne 'root@pam') { # we still do password confirmation f= or superusers like the other users > raise_param_exc({ 'password' =3D> 'password is required to modify TFA d= ata' }) > if !defined($password); > =20 > --=20 > 2.30.2 >=20 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20