From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id B7DC48A792
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:39 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id A5F2B357A
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:09 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:08 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 7477642C82
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:07 +0200 (CEST)
Date: Wed, 27 Jul 2022 11:06:01 +0200
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>, pve-devel@lists.proxmox.com
References: <20220602072450.55209-1-o.bektas@proxmox.com>
 <20220602072450.55209-4-o.bektas@proxmox.com>
In-Reply-To: <<20220602072450.55209-4-o.bektas@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1658908164.916h8m0nx2.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.163 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH v4 access-control 03/18] api: acl: only
 allow granting SU privilege if user already has it
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 09:06:39 -0000

On June 2, 2022 9:24 am, Oguz Bektas wrote:
> also check for 'propagate' bit on the target path to verify if the
> user can grant SU privileges on there.
>=20
> Co-authored-by: Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
>  src/PVE/API2/ACL.pm | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
>=20
> diff --git a/src/PVE/API2/ACL.pm b/src/PVE/API2/ACL.pm
> index 857c672..f8d4914 100644
> --- a/src/PVE/API2/ACL.pm
> +++ b/src/PVE/API2/ACL.pm
> @@ -134,6 +134,10 @@ __PACKAGE__->register_method ({
>      code =3D> sub {
>  	my ($param) =3D @_;
> =20
> +	my $rpcenv =3D PVE::RPCEnvironment::get();
> +	my $authuser =3D $rpcenv->get_user();
> +	my $is_superuser =3D $rpcenv->check($authuser, $param->{path}, ['SuperU=
ser'], 1);
> +
>  	if (!($param->{users} || $param->{groups} || $param->{tokens})) {
>  	    raise_param_exc({ map { $_ =3D> "either 'users', 'groups' or 'token=
s' is required." } qw(users groups tokens) });
>  	}
> @@ -160,6 +164,18 @@ __PACKAGE__->register_method ({
>  		    die "role '$role' does not exist\n"
>  			if !$cfg->{roles}->{$role};
> =20
> +		    my $role_privs =3D $cfg->{roles}->{$role};
> +		    my $role_contains_superuser =3D grep { $_ eq 'SuperUser' } keys %$=
role_privs;
> +		    if ($role_contains_superuser) {
> +			die "only superusers can grant/remove this role!\n"
> +			    if !$is_superuser;
> +
> +			my $user_perms =3D $rpcenv->permissions($authuser, $param->{path});
> +			my $has_propagate =3D $user_perms->{SuperUser}; # check if user has S=
U with propagate bit on the target path
> +			die "cannot grant SU on '$param->{path}' without having 'propagate' b=
it!\n"
> +			    if !$has_propagate;

this only needs to be checked if the updated ACL also has the propagate=20
bit set. also, it doesn't need to be checked for every role that is=20
referenced by the ACL (it's not dependent on the role at all, but just=20
on the combination of authid and path and propagate parameter).

> +		    }
> +
>  		    foreach my $group (split_list($param->{groups})) {
> =20
>  			die "group '$group' does not exist\n"
> --=20
> 2.30.2
>=20
>=20