[pve-devel] [PATCH access-control 1/2] tfa: when modifying others, verify the current user's password

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Dec 6 15:13:04 CET 2021


> On 12/06/2021 3:06 PM Fabian Grünbichler <f.gruenbichler at proxmox.com> wrote:
> 
>  
> doesn't work for me
> 
> On December 6, 2021 2:36 pm, Wolfgang Bumiller wrote:
> > this was wrong as it asked for the password of the
> > to-be-edited user instead, which makes no sense
> > 
> > Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> > ---
> >  src/PVE/API2/TFA.pm | 10 ++++++----
> >  1 file changed, 6 insertions(+), 4 deletions(-)
> > 
> > diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> > index be696e1..343374e 100644
> > --- a/src/PVE/API2/TFA.pm
> > +++ b/src/PVE/API2/TFA.pm
> > @@ -101,7 +101,7 @@ my $TFA_UPDATE_INFO_SCHEMA = {
> >  my sub root_permission_check : prototype($$$$) {
> >      my ($rpcenv, $authuser, $userid, $password) = @_;
> >  
> > -    ($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
> > +    ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
> >      $rpcenv->check_user_exist($userid);
> >  
> >      raise_perm_exc() if $userid eq 'root at pam' && $authuser ne 'root at pam';
> > @@ -111,11 +111,13 @@ my sub root_permission_check : prototype($$$$) {
> >  	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
> >  	    if !defined($password);
> >  
> > +	($authuser, my $ruid, my $auth_realm) = PVE::AccessControl::verify_username($authuser);
> > +
> >  	my $domain_cfg = cfs_read_file('domains.cfg');
> > -	my $cfg = $domain_cfg->{ids}->{$realm};
> > -	die "auth domain '$realm' does not exist\n" if !$cfg;
> > +	my $cfg = $domain_cfg->{ids}->{$auth_realm};
> > +	die "auth domain '$auth_realm' does not exist\n" if !$cfg;
> >  	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
> > -	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
> > +	$plugin->authenticate_user($cfg, $auth_realm, $authuser, $password);
> 
> this should likely still be $ruid? (which is actually just the username 
> without realm, which is what authenticate_user expects. so maybe 
> $username might also be a more readable variable name - ruid reads to me 
> like euid and friends)

yes actually, bad copy from directly modifying /usr/share/... >.>




More information about the pve-devel mailing list