[pve-devel] [PATCH v3 access-control 03/17] api: acl: only allow granting SU privilege if user already has it

[Oguz Bektas]

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v2->v3:
* also check for 'propagate' bit on $param->{path}

 src/PVE/API2/ACL.pm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/PVE/API2/ACL.pm b/src/PVE/API2/ACL.pm
index 857c672..7ecf8f0 100644
--- a/src/PVE/API2/ACL.pm
+++ b/src/PVE/API2/ACL.pm
@@ -134,6 +134,10 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
+	my $is_superuser = $rpcenv->check($authuser, $param->{path}, ['SuperUser'], 1);
+
 	if (!($param->{users} || $param->{groups} || $param->{tokens})) {
 	    raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
 	}
@@ -160,6 +164,19 @@ __PACKAGE__->register_method ({
 		    die "role '$role' does not exist\n"
 			if !$cfg->{roles}->{$role};
 
+		    my $role_privs = $cfg->{roles}->{$role};
+		    my $role_contains_superuser = grep { $_ eq 'SuperUser' } keys %$role_privs;
+		    if ($role_contains_superuser) {
+			die "only superusers can grant/remove this role!\n"
+			    if !$is_superuser;
+
+			# check if user has propagate bit
+			my $user_perms = $rpcenv->permissions($authuser, $param->{path});
+			my $has_propagate = $user_perms->{SuperUser};
+			die "cannot give away superuser on '$param->{path}' without 'propagate' bit!\n"
+			    if !$has_propagate;
+		    }
+
 		    foreach my $group (split_list($param->{groups})) {
 
 			die "group '$group' does not exist\n"
-- 
2.30.2