[pve-devel] [PATCH access-control 0/3] fix two propagation related bugs

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jun 3 13:50:46 CEST 2022

these patches fix two related bugs:
- the propagation flag used for priv dumping was set randomly if two
  roles with a common priv exist on a path, one with and one without
- user/token priv intersection only took user privs into account that
  had propagation set

the first can affect the second one negatively (if the first bug causes
the propagation flag to be dropped, the second one will drop the priv
from the merged set of privileges for priv-separated tokens).

in both cases there is no possibility to elevate privileges:
- bug #1 sometimes marks privs as non-propagated that are, but only for
  display, not for checking purposes
- bug #2 causes a token to have less privileges than it should, not more

Fabian Grünbichler (3):
  permissions: properly merge propagation flag
  permissions: fix token/user priv intersection
  permissions: add some more comments

 src/PVE/RPCEnvironment.pm | 44 +++++++++++++++++++++++++++++++++++----
 src/test/perm-test8.pl    |  2 +-
 src/test/test8.cfg        |  2 ++
 3 files changed, 43 insertions(+), 5 deletions(-)


More information about the pve-devel mailing list