[pve-devel] [PATCH v2 access-control 11/12] api: allow superusers to edit tfa and password settings

Fri, 11 Mar 2022 03:26:01 -0800 

Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
v1->v2:
* also adapt change_password
* didn't remove the comments in TFA.pm since it was still confusing without them

 src/PVE/API2/AccessControl.pm | 6 ++++++
 src/PVE/API2/TFA.pm           | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 5d78c6f..1b471f6 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -378,9 +378,15 @@ __PACKAGE__->register_method ({
 
        $rpcenv->check_user_exist($userid);
 
+       # check for SU privs on user groups
+       my $is_superuser = $rpcenv->check($authuser, "/access/groups", 
['SuperUser'], 1);
+
        if ($authuser eq 'root@pam') {
            # OK - root can change anything
        } else {
+           if ($is_superuser && $userid ne 'root@pam') {
+               # OK - superusers can change any user's password except root@pam
+           }
            if ($authuser eq $userid) {
                $rpcenv->check_user_enabled($userid);
                # OK - each user can change its own password
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index bee4dee..bab78ea 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA = {
 my sub root_permission_check : prototype($$$$) {
     my ($rpcenv, $authuser, $userid, $password) = @_;
 
+    # authuser = the user making the change
+    # userid = the user to be changed
     ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
     $rpcenv->check_user_exist($userid);
 
-    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
+    my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/access/groups", ['SuperUser'], 1);
+    raise_perm_exc() if $userid eq 'root@pam' && !$is_superuser; # root@pam 
can be only edited by superusers
 
     # Regular users need to confirm their password to change TFA settings.
-    if ($authuser ne 'root@pam') {
+    if ($authuser ne 'root@pam') { # we still do password confirmation for 
superusers like the other users
        raise_param_exc({ 'password' => 'password is required to modify TFA 
data' })
            if !defined($password);
 
-- 
2.30.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to