[pbs-devel] applied: [PATCH v3 proxmox-backup 2/2] access: restrict password changes on @pam realm to superuser
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Jan 15 08:52:38 CET 2021
On January 13, 2021 5:26 pm, Oguz Bektas wrote:
> for behavior consistency with `update_user`
>
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> v2->v3:
> * slightly change description s/Anybody/Everybody
>
>
> src/api2/access.rs | 13 ++++++-------
> 1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/src/api2/access.rs b/src/api2/access.rs
> index 8866c944..61d0f74e 100644
> --- a/src/api2/access.rs
> +++ b/src/api2/access.rs
> @@ -245,7 +245,7 @@ fn create_ticket(
> },
> },
> access: {
> - description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
> + description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
> permission: &Permission::Anybody,
> },
> )]
> @@ -271,17 +271,16 @@ fn change_password(
>
> let mut allowed = userid == *current_user;
>
> - if current_user == "root at pam" {
> - allowed = true;
> - }
> -
> if !allowed {
> let user_info = CachedUserInfo::new()?;
> let privs = user_info.lookup_privs(¤t_auth, &[]);
> - if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
> + if user_info.is_superuser(¤t_auth) {
> allowed = true;
> }
> - }
> + if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
> + allowed = true;
> + }
> + };
>
> if !allowed {
> bail!("you are not authorized to change the password.");
> --
> 2.20.1
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
More information about the pbs-devel
mailing list