From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>, pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH v4 access-control 03/18] api: acl: only allow granting SU privilege if user already has it
Date: Wed, 27 Jul 2022 11:06:01 +0200 [thread overview]
Message-ID: <1658908164.916h8m0nx2.astroid@nora.none> (raw)
In-Reply-To: <<20220602072450.55209-4-o.bektas@proxmox.com>
On June 2, 2022 9:24 am, Oguz Bektas wrote:
> also check for 'propagate' bit on the target path to verify if the
> user can grant SU privileges on there.
>
> Co-authored-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> src/PVE/API2/ACL.pm | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/src/PVE/API2/ACL.pm b/src/PVE/API2/ACL.pm
> index 857c672..f8d4914 100644
> --- a/src/PVE/API2/ACL.pm
> +++ b/src/PVE/API2/ACL.pm
> @@ -134,6 +134,10 @@ __PACKAGE__->register_method ({
> code => sub {
> my ($param) = @_;
>
> + my $rpcenv = PVE::RPCEnvironment::get();
> + my $authuser = $rpcenv->get_user();
> + my $is_superuser = $rpcenv->check($authuser, $param->{path}, ['SuperUser'], 1);
> +
> if (!($param->{users} || $param->{groups} || $param->{tokens})) {
> raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
> }
> @@ -160,6 +164,18 @@ __PACKAGE__->register_method ({
> die "role '$role' does not exist\n"
> if !$cfg->{roles}->{$role};
>
> + my $role_privs = $cfg->{roles}->{$role};
> + my $role_contains_superuser = grep { $_ eq 'SuperUser' } keys %$role_privs;
> + if ($role_contains_superuser) {
> + die "only superusers can grant/remove this role!\n"
> + if !$is_superuser;
> +
> + my $user_perms = $rpcenv->permissions($authuser, $param->{path});
> + my $has_propagate = $user_perms->{SuperUser}; # check if user has SU with propagate bit on the target path
> + die "cannot grant SU on '$param->{path}' without having 'propagate' bit!\n"
> + if !$has_propagate;
this only needs to be checked if the updated ACL also has the propagate
bit set. also, it doesn't need to be checked for every role that is
referenced by the ACL (it's not dependent on the role at all, but just
on the combination of authid and path and propagate parameter).
> + }
> +
> foreach my $group (split_list($param->{groups})) {
>
> die "group '$group' does not exist\n"
> --
> 2.30.2
>
>
next prev parent reply other threads:[~2022-07-27 9:06 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-02 7:24 [pve-devel] [PATCH v4 access-control++ 00/18] SuperUser privilege Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 01/18] add "SuperAdministrator" role with the new "SuperUser" privilege Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 02/18] RPC env: add SuperUser API permission for GUI capabilities Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 03/18] api: acl: only allow granting SU privilege if user already has it Oguz Bektas
[not found] ` <<20220602072450.55209-4-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler [this message]
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 04/18] api: roles: only allow modifying roles to add/remove SU if user has SU themselves Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 05/18] api: allow superusers to edit tfa and password settings Oguz Bektas
[not found] ` <<20220602072450.55209-6-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 06/18] api: allow SU privileged users to edit root-only options for VM configs Oguz Bektas
[not found] ` <<20220602072450.55209-7-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 07/18] migration tests: mock $rpcenv->check subroutine Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 08/18] api: allow superusers to use 'skiplock' option Oguz Bektas
[not found] ` <<20220602072450.55209-9-o.bektas@proxmox.com>
2022-07-27 9:07 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 09/18] parse_backup_hints: add comment for root shortcut and fix typos Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 10/18] api: backup: allow SUs to use 'tmpdir', 'dumpdir' and 'script' options Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 11/18] api: vzdump: allow SUs to use 'bwlimit' and 'ionice' parameters Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 12/18] api: always drop to login prompt for non-root users on terminal proxy calls Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 13/18] ui: include "SuperUser" in privilege selector Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 14/18] ui: lxc features: check for SU instead of 'root@pam' Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 15/18] ui: adapt sensible 'root@pam' checks to SU Oguz Bektas
[not found] ` <<20220602072450.55209-16-o.bektas@proxmox.com>
2022-07-27 9:07 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 container 16/18] fix #2582: api: add checks for 'SuperUser' privilege for root-only options Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 storage 17/18] check_volume_access: allow superusers to pass arbitrary fs paths Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 docs 18/18] pveum: add SU privilege and SA role Oguz Bektas
[not found] ` <<20220602072450.55209-19-o.bektas@proxmox.com>
2022-07-27 9:08 ` Fabian Grünbichler
[not found] ` <<20220602072450.55209-1-o.bektas@proxmox.com>
2022-07-27 9:10 ` [pve-devel] [PATCH v4 access-control++ 00/18] SuperUser privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1658908164.916h8m0nx2.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=o.bektas@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox