[pve-devel] [PATCH v2 access-control 1/2] tfa: when modifying others, verify the current user's password
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Dec 7 09:10:12 CET 2021
this was wrong as it asked for the password of the
to-be-edited user instead, which makes no sense
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
Changes to v1:
* Fixed $ruid/$authuser parameter in the final auth call
* Renamed $ruid to $auth_username to address Fabian's concerns.
I did not go with just $username, since we already have a $userid
which is the user we're modifying, while $authuser is the user to
authenticate.
src/PVE/API2/TFA.pm | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index be696e1..31e5741 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -101,7 +101,7 @@ my $TFA_UPDATE_INFO_SCHEMA = {
my sub root_permission_check : prototype($$$$) {
my ($rpcenv, $authuser, $userid, $password) = @_;
- ($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
+ ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
$rpcenv->check_user_exist($userid);
raise_perm_exc() if $userid eq 'root at pam' && $authuser ne 'root at pam';
@@ -111,11 +111,14 @@ my sub root_permission_check : prototype($$$$) {
raise_param_exc({ 'password' => 'password is required to modify TFA data' })
if !defined($password);
+ ($authuser, my $auth_username, my $auth_realm) =
+ PVE::AccessControl::verify_username($authuser);
+
my $domain_cfg = cfs_read_file('domains.cfg');
- my $cfg = $domain_cfg->{ids}->{$realm};
- die "auth domain '$realm' does not exist\n" if !$cfg;
+ my $cfg = $domain_cfg->{ids}->{$auth_realm};
+ die "auth domain '$auth_realm' does not exist\n" if !$cfg;
my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
- $plugin->authenticate_user($cfg, $realm, $ruid, $password);
+ $plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
}
return wantarray ? ($userid, $realm) : $userid;
--
2.30.2
More information about the pve-devel
mailing list