From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id B8B086AB60
 for <pve-devel@lists.proxmox.com>; Thu, 17 Mar 2022 10:31:23 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id AB356D49
 for <pve-devel@lists.proxmox.com>; Thu, 17 Mar 2022 10:30:53 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 92732D40
 for <pve-devel@lists.proxmox.com>; Thu, 17 Mar 2022 10:30:52 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 56E1C41B4B
 for <pve-devel@lists.proxmox.com>; Thu, 17 Mar 2022 10:30:52 +0100 (CET)
Date: Thu, 17 Mar 2022 10:30:37 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20220311112504.595964-1-o.bektas@proxmox.com>
 <20220311112504.595964-12-o.bektas@proxmox.com>
In-Reply-To: <<20220311112504.595964-12-o.bektas@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1647433600.6icgczfenm.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.183 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [tfa.pm, accesscontrol.pm, proxmox.com]
Subject: Re: [pve-devel] [PATCH v2 access-control 11/12] api: allow
 superusers to edit tfa and password settings
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 09:31:23 -0000

On March 11, 2022 12:25 pm, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v1->v2:
> * also adapt change_password
> * didn't remove the comments in TFA.pm since it was still confusing witho=
ut them
>=20
>  src/PVE/API2/AccessControl.pm | 6 ++++++
>  src/PVE/API2/TFA.pm           | 7 +++++--
>  2 files changed, 11 insertions(+), 2 deletions(-)
>=20
> diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.p=
m
> index 5d78c6f..1b471f6 100644
> --- a/src/PVE/API2/AccessControl.pm
> +++ b/src/PVE/API2/AccessControl.pm
> @@ -378,9 +378,15 @@ __PACKAGE__->register_method ({
> =20
>  	$rpcenv->check_user_exist($userid);
> =20
> +	# check for SU privs on user groups
> +	my $is_superuser =3D $rpcenv->check($authuser, "/access/groups", ['Supe=
rUser'], 1);

I know this is modelled after userid-group, but it's a lot more=20
restrictive? I'd either use full userid-group semantics, or just=20
'/access' as path, the current one doesn't make much sense as a middle=20
ground.. I think I'd prefer '/access', given the issue further below..

but also, this check here is with $noerr set.. (ctd)

> +
>  	if ($authuser eq 'root@pam') {
>  	    # OK - root can change anything
>  	} else {
> +	    if ($is_superuser && $userid ne 'root@pam') {
> +		# OK - superusers can change any user's password except root@pam
> +	    }

and here you add an empty `if` with a side-effect free condition as only=20
place where the result of the check above is used.. so effectively,=20
nothing about this API path changes at all? how did you test this? what=20
was the expected change, "adapt change_password" doesn't really give me=20
a clue ;)

one could argue that if a user is SU anywhere, changing their password=20
should require SU as well (on '/access' ?) or be limited to the user=20
itself, similar to the semantics of 'root@pam'..

the 'user is SU anywhere' part doesn't exist yet and is a bit tricky=20
(handling of groups/..) or expensive (get list of all currently defined=20
ACL paths, query actual permissions on all of them).

changing another user's password already requires fairly high privileges:
- realm !=3D pam
- Realm.AllocateUser on realm
- User.Modify on user (i.e., either User.Modify on all groups or a group=20
  the user belongs to, like the other user-modification API endpoints)

there obviously is a pit-fall there though with the last part (add a SU=20
to some group without knowing about the implication that other users=20
with User.Modify on that group can now modify the SU, including changing=20
password if the other conditions are met).

>  	    if ($authuser eq $userid) {
>  		$rpcenv->check_user_enabled($userid);
>  		# OK - each user can change its own password
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index bee4dee..bab78ea 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA =3D {

comment above this sub is now wrong..

>  my sub root_permission_check : prototype($$$$) {
>      my ($rpcenv, $authuser, $userid, $password) =3D @_;
> =20
> +    # authuser =3D the user making the change
> +    # userid =3D the user to be changed
>      ($userid, undef, my $realm) =3D PVE::AccessControl::verify_username(=
$userid);
>      $rpcenv->check_user_exist($userid);
> =20
> -    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam'=
;
> +    my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($auth=
user, "/access/groups", ['SuperUser'], 1);

same as above applies here as well w.r.t. the checked path / semantics.

> +    raise_perm_exc() if $userid eq 'root@pam' && !$is_superuser; # root@=
pam can be only edited by superusers

if we add a check for the other direction (special restriction of who=20
can change a SU's password) above, the same semantics might make sense=20
here (i.e., changing a SU's TFA settings requires SU as well).

> =20
>      # Regular users need to confirm their password to change TFA setting=
s.
> -    if ($authuser ne 'root@pam') {
> +    if ($authuser ne 'root@pam') { # we still do password confirmation f=
or superusers like the other users
>  	raise_param_exc({ 'password' =3D> 'password is required to modify TFA d=
ata' })
>  	    if !defined($password);
> =20
> --=20
> 2.30.2
>=20
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20
>=20