From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 360BB707AD for ; Fri, 3 Jun 2022 13:51:39 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DFD82706E for ; Fri, 3 Jun 2022 13:51:08 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 57053704C for ; Fri, 3 Jun 2022 13:51:08 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1E56A43A09 for ; Fri, 3 Jun 2022 13:51:02 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pve-devel@lists.proxmox.com Date: Fri, 3 Jun 2022 13:50:47 +0200 Message-Id: <20220603115049.1908792-2-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220603115049.1908792-1-f.gruenbichler@proxmox.com> References: <20220603115049.1908792-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.171 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rpcenvironment.pm] Subject: [pve-devel] [PATCH access-control 1/3] permissions: properly merge propagation flag X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jun 2022 11:51:39 -0000 when multiple roles are defined on a path that share a privilege, this randomly took the propagation flag for the priv from the last role encountered. since perl hashes are iterated randomly, this means the propagation flag was sometimes set correctly, and sometimes not. note that this propagation flag is only used for display/dumping purposes, and for intersection with token privs (see next commit). actual handling of propagation happens on the role level in PVE::AccessControl::roles(). modified test case (spuriously) fails without the fix. Signed-off-by: Fabian Grünbichler --- src/PVE/RPCEnvironment.pm | 2 +- src/test/test8.cfg | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm index ed5625e..b5da4f2 100644 --- a/src/PVE/RPCEnvironment.pm +++ b/src/PVE/RPCEnvironment.pm @@ -74,7 +74,7 @@ my $compile_acl_path = sub { foreach my $role (keys %$roles) { if (my $privset = $cfg->{roles}->{$role}) { foreach my $p (keys %$privset) { - $privs->{$p} = $roles->{$role}; + $privs->{$p} ||= $roles->{$role}; } } } diff --git a/src/test/test8.cfg b/src/test/test8.cfg index 2f85bfd..d5c7e86 100644 
--- a/src/test/test8.cfg +++ b/src/test/test8.cfg @@ -16,6 +16,8 @@ role:customer:VM.Audit,VM.PowerMgmt: role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console: acl:1:/vms:@testgroup1:vm_admin: +acl:0:/vms/300:max@pve:customer: +acl:1:/vms/300:max@pve:vm_admin: acl:1:/vms/100/:alex@pve,max@pve:customer: acl:1:/storage/nfs1:@testgroup2:storage_manager: acl:1:/users:max@pve:Administrator: -- 2.30.2
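Review bot: In src/PVE/RPCEnvironment.pm, the changed line `$privs->{$p} ||= $roles->{$role};` inside $compile_acl_path has no comment saying that it deliberately OR-merges the propagation flag across all roles that grant the same privilege. `||=` is easy to misread as a plain default assignment. A one-line comment above it, for example "propagate is set if any role granting this priv has it set", would keep a later cleanup from turning it back into `=`. The merge is only independent of hash iteration order while $roles->{$role} is a plain true/false flag, which is worth stating in the same comment.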
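Review bot: In src/test/test8.cfg, the two added /vms/300 entries for max@pve (customer with flag 0, vm_admin with flag 1, both roles carrying VM.Audit) set up the conflicting case, but the diffstat lists only this file and RPCEnvironment.pm, so no assertion on the merged flag for /vms/300 is visible in the patch. The commit message says the failure without the fix is spurious because it depends on hash iteration order, so a regression would be caught only on some runs. Consider naming the test that consumes these entries in the commit message and adding an explicit check on the propagation flag of VM.Audit at /vms/300 that does not depend on iteration order.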