users with the SU privilege are able to override the existing check for
'root@pam' when calling tfa-related endpoints of the API.
Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
src/PVE/API2/TFA.pm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index bee4dee..70555cc 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA = {
my sub root_permission_check : prototype($$$$) {
my ($rpcenv, $authuser, $userid, $password) = @_;
+ # authuser = the user making the change
+ # userid = the user to be changed
($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
$rpcenv->check_user_exist($userid);
- raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
+ my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
"/access/groups", ['SuperUser'], 1);
+ raise_perm_exc() if $userid eq 'root@pam' && !$is_superuser; # root@pam
can be only edited by himself or a SuperUser
# Regular users need to confirm their password to change TFA settings.
- if ($authuser ne 'root@pam') {
+ if ($authuser ne 'root@pam') { # we still do password confirmation for
superusers like the other users
raise_param_exc({ 'password' => 'password is required to modify TFA
data' })
if !defined($password);
--
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
