From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id F07B58A79A
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:56 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id E7A773584
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:26 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:26 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E7DCC42C82
 for <pve-devel@lists.proxmox.com>; Wed, 27 Jul 2022 11:06:25 +0200 (CEST)
Date: Wed, 27 Jul 2022 11:06:19 +0200
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>, pve-devel@lists.proxmox.com
References: <20220602072450.55209-1-o.bektas@proxmox.com>
 <20220602072450.55209-6-o.bektas@proxmox.com>
In-Reply-To: <<20220602072450.55209-6-o.bektas@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1658908644.pyw4dmc60o.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.013 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 POISEN_SPAM_PILL          0.1 Meta: its spam
 POISEN_SPAM_PILL_1        0.1 random spam to be learned in bayes
 POISEN_SPAM_PILL_3        0.1 random spam to be learned in bayes
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH v4 access-control 05/18] api: allow
 superusers to edit tfa and password settings
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 09:06:57 -0000

On June 2, 2022 9:24 am, Oguz Bektas wrote:
> - prevent non-SU to change SU passwords
> - warning messages on raise_perm_exc()
> - log who did the password change
> - has_superuser_anywhere helper
>=20
> Suggested-by: Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
>  src/PVE/API2/AccessControl.pm | 24 ++++++++++++++----------
>  src/PVE/API2/TFA.pm           | 16 +++++++++++++++-
>  src/PVE/RPCEnvironment.pm     | 15 +++++++++++++++
>  3 files changed, 44 insertions(+), 11 deletions(-)
>=20
> diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.p=
m
> index 5d78c6f..2a584ab 100644
> --- a/src/PVE/API2/AccessControl.pm
> +++ b/src/PVE/API2/AccessControl.pm
> @@ -378,23 +378,27 @@ __PACKAGE__->register_method ({
> =20
>  	$rpcenv->check_user_exist($userid);
> =20
> +	my $is_superuser =3D $rpcenv->check($authuser, "/access", ['SuperUser']=
, 1);
> +
>  	if ($authuser eq 'root@pam') {
>  	    # OK - root can change anything
> -	} else {
> -	    if ($authuser eq $userid) {
> -		$rpcenv->check_user_enabled($userid);
> -		# OK - each user can change its own password
> -	    } else {
> -		# only root may change root password
> -		raise_perm_exc() if $userid eq 'root@pam';
> -		# do not allow to change system user passwords
> -		raise_perm_exc() if $realm eq 'pam';
> +	} elsif ($authuser eq $userid) {
> +	    $rpcenv->check_user_enabled($userid);
> +	    # OK - each user can change its own password
> +	} else { # changing someone else's password
> +	    raise_perm_exc("only root\@pam may change their password!\n") if $u=
serid eq 'root@pam';
> +	    raise_perm_exc("changing system user passwords is not allowed!\n") =
if $realm eq 'pam';
> +
> +	    if (!$is_superuser) {
> +		# check if the target user has SU privileges
> +		raise_perm_exc("only superusers can change another superuser's passwor=
d!\n")
> +		    if $rpcenv->has_superuser_anywhere($userid);
>  	    }
>  	}
> =20
>  	PVE::AccessControl::domain_set_password($realm, $ruid, $param->{passwor=
d});
> =20
> -	PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$=
userid'");
> +	PVE::Cluster::log_msg('info', "$authuser", "changed password for user '=
$userid'");
> =20
>  	return undef;
>      }});
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index bee4dee..c1cdd5e 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -96,22 +96,36 @@ my $TFA_UPDATE_INFO_SCHEMA =3D {
>  };
> =20
>  # Only root may modify root, regular users need to specify their passwor=
d.
> +# Only users with SU on /access may modify other users with SU anywhere
>  #
>  # Returns the userid returned from `verify_username`.
>  # Or ($userid, $realm) in list context.
>  my sub root_permission_check : prototype($$$$) {
>      my ($rpcenv, $authuser, $userid, $password) =3D @_;
> =20
> +    # authuser =3D the user making the change
> +    # userid =3D the user to be changed
> +
> +    if ($userid eq 'root@pam') {
> +	raise_perm_exc("only root\@pam may edit themselves!\n")
> +	    if $authuser ne 'root@pam';
> +    }

if ($foo && $bar) {
  baz();
}

or

baz() if $foo && $bar;

also, the escaping can be avoided if you just quote with '' instead of=20
"" in the message.

> +
>      ($userid, undef, my $realm) =3D PVE::AccessControl::verify_username(=
$userid);
>      $rpcenv->check_user_exist($userid);
> =20
> -    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam'=
;
> +    my $is_superuser =3D $rpcenv->check($authuser, "/access", ['SuperUse=
r'], 1);

only used once, inside the next if, please move it there (I told you=20
this already?)

> =20
>      # Regular users need to confirm their password to change TFA setting=
s.
>      if ($authuser ne 'root@pam') {
>  	raise_param_exc({ 'password' =3D> 'password is required to modify TFA d=
ata' })
>  	    if !defined($password);
> =20
> +	if (!$is_superuser && $authuser ne $userid) {
> +	    raise_perm_exc("only superusers can change another superuser's TFA =
settings!\n")
> +		if $rpcenv->has_superuser_anywhere($userid);

could actually be ordered by order of expensiveness here, but it's not=20
too important..

if ($authuser ne $userid) {
  my $is_superuser =3D ...;
  raise_perm_exc..
    if !is_superuser && $rpcenv->has_superuser_anywhere(..);
}

or

raise_perm_exc
  if user_mismatch_check
    && isnt_superuser_check
    && has_superuser_check;

that way each check is only actually done if needed, after the previous=20
check made us go down further. the current way is just hard to parse=20
with no benefit at all.

> +	}
> +
>  	($authuser, my $auth_username, my $auth_realm) =3D
>  	    PVE::AccessControl::verify_username($authuser);

the whole code here is rather similar to the check in change_password,=20
have you thought about unifying them?

> =20
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 4c55b25..5bcb4ba 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -479,6 +479,21 @@ sub check_api2_permissions {
>      raise_perm_exc();
>  }
> =20
> +sub has_superuser_anywhere {
> +    my ($self, $username) =3D @_;
> +
> +    return 1 if $username eq 'root@pam';
> +
> +    # get all ACL paths from config and check for SU privilege
> +    my $acls =3D $self->{user_cfg}->{acl};
> +    my @acl_paths =3D keys(%$acls);
> +    @acl_paths =3D ['/'] if !@acl_paths;
> +    foreach my $path (@acl_paths) {
> +	return 1 if $self->check($username, $path, ['SuperUser'], 1);
> +    }
> +    return 0;
> +}

this is basically a reduced $rpcenv->get_effective_permissions with=20
early abort. some possible options:
- extend it (add a '$needle' parameter, early return 1 if any path=20
  matches that check)
- just use it (and drop the early abort)
- factor out the "get all ACL paths" part for re-using

else we risk missing this helper here if we ever add another layer of=20
indirection for ACL path resolution, like we currently have for pools..

> +
>  sub log_cluster_msg {
>      my ($self, $pri, $user, $msg) =3D @_;
> =20
> --=20
> 2.30.2
>=20
>=20