From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <w.bumiller@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 61AB683914
 for <pve-devel@lists.proxmox.com>; Mon,  6 Dec 2021 15:13:06 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 5553B20A7B
 for <pve-devel@lists.proxmox.com>; Mon,  6 Dec 2021 15:13:06 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 9C57620A70
 for <pve-devel@lists.proxmox.com>; Mon,  6 Dec 2021 15:13:05 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 590A544793
 for <pve-devel@lists.proxmox.com>; Mon,  6 Dec 2021 15:13:05 +0100 (CET)
Date: Mon, 6 Dec 2021 15:13:04 +0100 (CET)
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>,
 Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Message-ID: <618137007.738.1638799984540@webmail.proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.5-Rev31
X-Originating-Client: open-xchange-appsuite
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.422 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH access-control 1/2] tfa: when modifying
 others, verify the current user's password
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 14:13:06 -0000


> On 12/06/2021 3:06 PM Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com=
> wrote:
>=20
> =20
> doesn't work for me
>=20
> On December 6, 2021 2:36 pm, Wolfgang Bumiller wrote:
> > this was wrong as it asked for the password of the
> > to-be-edited user instead, which makes no sense
> >=20
> > Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> > ---
> >  src/PVE/API2/TFA.pm | 10 ++++++----
> >  1 file changed, 6 insertions(+), 4 deletions(-)
> >=20
> > diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> > index be696e1..343374e 100644
> > --- a/src/PVE/API2/TFA.pm
> > +++ b/src/PVE/API2/TFA.pm
> > @@ -101,7 +101,7 @@ my $TFA_UPDATE_INFO_SCHEMA =3D {
> >  my sub root_permission_check : prototype($$$$) {
> >      my ($rpcenv, $authuser, $userid, $password) =3D @_;
> > =20
> > -    ($userid, my $ruid, my $realm) =3D PVE::AccessControl::verify_user=
name($userid);
> > +    ($userid, undef, my $realm) =3D PVE::AccessControl::verify_usernam=
e($userid);
> >      $rpcenv->check_user_exist($userid);
> > =20
> >      raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pa=
m';
> > @@ -111,11 +111,13 @@ my sub root_permission_check : prototype($$$$) {
> >  =09raise_param_exc({ 'password' =3D> 'password is required to modify T=
FA data' })
> >  =09    if !defined($password);
> > =20
> > +=09($authuser, my $ruid, my $auth_realm) =3D PVE::AccessControl::verif=
y_username($authuser);
> > +
> >  =09my $domain_cfg =3D cfs_read_file('domains.cfg');
> > -=09my $cfg =3D $domain_cfg->{ids}->{$realm};
> > -=09die "auth domain '$realm' does not exist\n" if !$cfg;
> > +=09my $cfg =3D $domain_cfg->{ids}->{$auth_realm};
> > +=09die "auth domain '$auth_realm' does not exist\n" if !$cfg;
> >  =09my $plugin =3D PVE::Auth::Plugin->lookup($cfg->{type});
> > -=09$plugin->authenticate_user($cfg, $realm, $ruid, $password);
> > +=09$plugin->authenticate_user($cfg, $auth_realm, $authuser, $password)=
;
>=20
> this should likely still be $ruid? (which is actually just the username=
=20
> without realm, which is what authenticate_user expects. so maybe=20
> $username might also be a more readable variable name - ruid reads to me=
=20
> like euid and friends)

yes actually, bad copy from directly modifying /usr/share/... >.>