[pve-devel] applied series: [PATCH access-control 0/3] fix two propagation related bugs

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Jun 3 14:03:54 CEST 2022


Am 03/06/2022 um 13:50 schrieb Fabian Grünbichler:
> these patches fix two related bugs:
> - the propagation flag used for priv dumping was set randomly if two
>   roles with a common priv exist on a path, one with and one without
>   propagation
> - user/token priv intersection only took user privs into account that
>   had propagation set
> 
> the first can affect the second one negatively (if the first bug causes
> the propagation flag to be dropped, the second one will drop the priv
> from the merged set of privileges for priv-separated tokens).
> 
> in both cases there is no possibility to elevate privileges:
> - bug #1 sometimes marks privs as non-propagated that are, but only for
>   display, not for checking purposes
> - bug #2 causes a token to have less privileges than it should, not more
> 
> Fabian Grünbichler (3):
>   permissions: properly merge propagation flag
>   permissions: fix token/user priv intersection
>   permissions: add some more comments
> 
>  src/PVE/RPCEnvironment.pm | 44 +++++++++++++++++++++++++++++++++++----
>  src/test/perm-test8.pl    |  2 +-
>  src/test/test8.cfg        |  2 ++
>  3 files changed, 43 insertions(+), 5 deletions(-)
> 


applied series, thanks!




More information about the pve-devel mailing list