From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Fri, 3 Jun 2022 13:50:46 +0200
Message-Id: <20220603115049.1908792-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [PATCH access-control 0/3] fix two propagation related bugs

these patches fix two related bugs:
- the propagation flag used for priv dumping was set randomly if two
  roles with a common priv exist on a path, one with and one without
  propagation
- user/token priv intersection only took user privs into account that
  had propagation set

the first can affect the second one negatively (if the first bug causes
the propagation flag to be dropped, the second one will drop the priv
from the merged set of privileges for priv-separated tokens).

in both cases there is no possibility to elevate privileges:
- bug #1 sometimes marks privs as non-propagated that are, but only for
  display, not for checking purposes
- bug #2 causes a token to have less privileges than it should, not more

Fabian Grünbichler (3):
  permissions: properly merge propagation flag
  permissions: fix token/user priv intersection
  permissions: add some more comments

 src/PVE/RPCEnvironment.pm | 44 +++++++++++++++++++++++++++++++++++---
 src/test/perm-test8.pl    |  2 +-
 src/test/test8.cfg        |  2 ++
 3 files changed, 43 insertions(+), 5 deletions(-)

--
2.30.2
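
The two bugs described in the cover letter above, reduced to a small Python model. This is an added illustration, not code from the patch series or from pve-access-control. The function names, the dict layout (privilege mapped to its propagate flag) and the sample roles are assumptions, and the "random" flag is modelled as dependence on the order in which roles are visited.

```python
# Model (assumption): a permission set is {privilege: propagate_flag}.
# A role is (set_of_privileges, propagate_flag_of_its_ACL_entry).

def merge_roles_buggy(roles):
    """Bug #1: the last role visited overwrites the flag of a shared priv."""
    privs = {}
    for role_privs, propagate in roles:
        for priv in role_privs:
            privs[priv] = propagate
    return privs

def merge_roles_fixed(roles):
    """A shared priv counts as propagated if any role granting it propagates."""
    privs = {}
    for role_privs, propagate in roles:
        for priv in role_privs:
            privs[priv] = privs.get(priv, False) or propagate
    return privs

def intersect_buggy(user_privs, token_privs):
    """Bug #2: tests the flag's truth value, so user privs whose
    propagate flag is unset are treated as if the user lacked them."""
    return sorted(p for p in token_privs if user_privs.get(p))

def intersect_fixed(user_privs, token_privs):
    """Tests whether the user holds the priv at all, whatever its flag."""
    return sorted(p for p in token_privs if p in user_privs)

# Constructed sample: two roles on one path that share VM.Audit,
# one assigned with propagation and one without.
ROLE_A = ({"VM.Audit", "VM.Console"}, True)
ROLE_B = ({"VM.Audit"}, False)
TOKEN_PRIVS = {"VM.Audit": True, "VM.Console": True}

if __name__ == "__main__":
    for label, order in (("A then B", [ROLE_A, ROLE_B]),
                         ("B then A", [ROLE_B, ROLE_A])):
        user_buggy = merge_roles_buggy(order)
        user_fixed = merge_roles_fixed(order)
        print(label)
        print("  buggy merge, buggy intersect:",
              intersect_buggy(user_buggy, TOKEN_PRIVS))
        print("  fixed merge, fixed intersect:",
              intersect_fixed(user_fixed, TOKEN_PRIVS))
```

In the "A then B" order the buggy pair loses VM.Audit for the token, which is the interaction the cover letter describes; in no ordering does the token end up with a privilege the user lacks.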