[pbs-devel] [PATCH v2 proxmox-backup 2/2] access: restrictions for editing passwords

Oguz Bektas o.bektas at proxmox.com
Wed Jan 13 12:27:36 CET 2021


this endpoint isn't used anywhere yet, but it's better to make it
consistent with `update_user` password behavior.

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v1:
* change this for behavior consistency in case it gets used

 src/api2/access.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/api2/access.rs b/src/api2/access.rs
index 8866c944..4d485a80 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -245,7 +245,7 @@ fn create_ticket(
         },
     },
     access: {
-        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
+        description: "Anybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password from @pbs realm.",
         permission: &Permission::Anybody,
     },
 )]
@@ -271,17 +271,16 @@ fn change_password(
 
     let mut allowed = userid == *current_user;
 
-    if current_user == "root at pam" {
-        allowed = true;
-    }
-
     if !allowed {
         let user_info = CachedUserInfo::new()?;
         let privs = user_info.lookup_privs(&current_auth, &[]);
-        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
+        if user_info.is_superuser(&current_auth) {
             allowed = true;
         }
-    }
+        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
+            allowed = true;
+        }
+    };
 
     if !allowed {
         bail!("you are not authorized to change the password.");
-- 
2.20.1





More information about the pbs-devel mailing list